Today's Law As Amended


Bill PDF |Add To My Favorites | print page

AB-12 Personal information: social security numbers: the Employment Development Department. (2021-2022)



As Amends the Law Today


SECTION 1.
 The Legislature finds and declares all of the following:
(a) In 2019, the California State Auditor issued a report stating that in any given year California’s Employment Development Department mails out over 17 million letters to claimants, and that a vast majority of those letters contain personal information, including full social security numbers. Further, the State Auditor reported that hundreds to thousands of these letters have been mailed to the wrong individual or the wrong address.
(b) Despite ongoing criticism from the public and the Legislature since 2015, the Employment Development Department continues to include full social security numbers on documents that it mails, falsely claiming federal law requires the Employment Development Department to use a claimant’s full social security number. This assertion was refuted by the State Auditor, whose report stated that there are no state or federal laws requiring the mailing of full social security numbers to claimants seeking benefits from California’s Employment Development Department.
(c) The Employment Development Department is currently undergoing a system modernization project, known as the Benefit Systems Modernization, but the information technology systems that the Employment Development Department uses to automatically generate correspondence needs immediate adjustment to protect California residents from identity theft and to prevent other forms of fraud.
(d) Prior to the implementation of the Benefit Systems Modernization, the State Auditor recommended that the Employment Development Department implement interim privacy measures to replace full social security numbers with a modified unique identifier on documents by March 2020. However, according to the 2019 report, the Employment Development Department is not scheduled to complete the implementation system until August 21, 2021. Completion has been further delayed by the COVID-19 pandemic.
(e) As a result, the Employment Development Department is unnecessarily putting claimants at risk for identity theft by continuing the practice of including individuals’ full social security numbers when it sends outgoing mail.
(f) Requiring state agencies to cease sending full social security numbers on outgoing mail as soon as feasible will ensure that agencies, including the Employment Development Department, make important technological adjustments to their systems immediately, rather than waiting until January of 2023, to protect the private information of California residents.

SEC. 2.

 Section 11019.7 of the Government Code is amended to read:

11019.7.
 (a) A state agency shall not send any outgoing United States mail to an individual that contains personal information about that individual, including, but not limited to, the individual’s social security number, telephone number, driver’s license number, or credit card account number, unless that personal information is contained within sealed correspondence and cannot be viewed from the outside of that sealed correspondence.
(b) (1) Notwithstanding any other law, commencing on or before  as soon as is feasible, but no later than  January 1, 2023, a state agency shall not send stop sending  any outgoing United States mail to an individual that contains the individual’s social security number unless the number is truncated to its last four digits, except in the following circumstances:
(A) Federal law requires inclusion of the social security number.
(B) The documents are mailed to a current or prospective state employee.
(C) An individual erroneously mailed a document containing a social security number to a state agency, and the state agency is returning the original document by certified or registered United States mail.
(D) The Controller is returning documents to an individual previously submitted by the individual pursuant to Chapter 7 (commencing with Section 1500) of Title 10 of Part 3 of the Code of Civil Procedure.
(E) The document is sent in response to a valid request for access to personal information, pursuant to Section 1798.34 of the Civil Code.
(2) (A) On or before September 1, 2021, each state agency that mails an individual’s full or truncated part of a social security number to that individual, other than as permitted by paragraph (1), shall report to the Legislature regarding when and why it does so.
(B) A state agency that  that, in its own estimation,  is unable to comply with the requirements of paragraph (1) of this subdivision shall submit an annual corrective action plan to the Legislature by December 15 of each year  until it is in compliance with that paragraph. The annual corrective action plan shall include, at a minimum, all of the following: 
(i) The steps the agency has taken to stop including full social security numbers on outgoing United States mail.
(ii) The number of documents sent as outgoing United States mail from which the agency has successfully removed full social security numbers and the approximate mailing volume corresponding with those documents.
(iii) The remaining steps that the agency plans to take to remove or replace full social security numbers it includes on documents sent as outgoing United States mail.
(iv) The number of documents and approximate mailing volume associated with those documents that the agency has yet to address.
(v) The expected date by which the agency will stop sending documents that contain full social security numbers as outgoing United States mail to individuals.
(C) A report required by subparagraph (A) of this paragraph or corrective action plan required by subparagraph (B) of this paragraph and communications made in connection with these documents that bear on what mailings do and do not contain an individual’s social security number, are confidential and shall not be disclosed to the public pursuant to any state law, including, but not limited to, the California Public Records Act (Division 10 (Chapter 3.5  (commencing with Section 7920.000) of Title 1). 6250) of Division 7 of Title 1 of the Government Code). 
(3) (A) The requirement for submitting a report imposed under subparagraph (A) of paragraph (2) (3)  is inoperative on January 1, 2024, pursuant to Section 10231.5. 10231.5 of the Government Code. 
(B) A report to be submitted pursuant to subparagraph (A) or (B) of paragraph (2) (3)  shall be submitted in compliance with Section 9795. 9795 of the Government Code. 
(c) Upon appropriation by the Legislature, if the Employment Development Department fails to comply with paragraph (1) of subdivision (b) by January 1, 2023, the department shall provide access to and pay for identity theft monitoring for any individual who receives outgoing United States mail from the department that contains the individual’s social security number in violation of paragraph (1) of subdivision (b).
(d) (c)  “Outgoing United States mail” for the purposes of this section includes correspondence sent via a common carrier, including, but not limited to, a package express service and a courier service.
(e) (d)  Notwithstanding subdivision (a) of Section 11000, “state agency” includes the California State University.
SEC. 3.
 This act is an urgency statute necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the California Constitution and shall go into immediate effect. The facts constituting the necessity are:
In order to ensure that unemployment insurance claimants’ full social security numbers are no longer easily accessible through the mail to individuals who seek to obtain benefits fraudulently, thereby reducing the state and federal costs resulting from unemployment insurance fraud, as soon as possible, it is necessary that this act take effect immediately.