BILL ANALYSIS

AB 2636

Date of Hearing: April 19, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair

AB 2636 (Linder and Dababneh) - As Amended April 12, 2016

SUBJECT: Certified copies of marriage, birth, and death certificates: electronic application

SUMMARY: Allows a public records official, if an electronic request for a certified copy of a birth, death, or marriage record is made, to accept an electronic acknowledgment verifying the identity of the requester using a remote identity proofing process to ensure the requester is an authorized person. Specifically, this bill:

1) Authorizes the State Registrar, or a local registrar or county recorder, if a request for a certified copy of a birth, death, or marriage record is made electronically, to accept electronic acknowledgement, sworn under penalty of perjury, that the requester of a marriage, birth, or death certificate is an authorized person.
2) Requires the electronic request for vital records to utilize a method for the official to establish the identity of the requester using a multilayered remote identity proofing process, as specified.
3) Requires that the method to process electronic requests and to establish the requester's identity meet all the following requirements:
a) Meets or exceeds the National Institute of Standards and Technology (NIST) electronic authentication guideline for multilayered remote identity proofing;
b) Verifies the following information provided by the applicant:
i) A valid government-issued identification number; and
ii) A financial or utility account number.
The verification must occur through record checks with the state or local agency or a credit reporting agency or similar database and must confirm that the name, date of birth, address, or other personal information in such record checks are consistent with the information provided by the applicant.
c) Meets or exceeds the information security requirements of the Uniform Electronic Transactions Act and the Federal Information Security Management Act and all other applicable state and federal laws and regulations to protect the personal information of the applicant and guard against identity theft.
d) Retains, for each electronic verification as required by the NIST electronic authentication guideline, a record of the applicant whose identity has been verified and the steps taken to verify the identity.
4) Provides that if a requester's identity cannot be established electronically, then the requester must accompany his or her request with a notarized statement of identity.
5) Makes other non-substantive, clarifying changes to current law.

EXISTING LAW:

1) Charges the Office of Vital Records, within the California Department of Public Health, with the responsibility of maintaining a uniform system for registration and a permanent central registry with a comprehensive and continuous index for all birth, death, fetal death, marriage, and dissolution certificates registered for vital events which occur in California. (Health & Safety Code (HSC) Section 102180 et seq.)
2) Allows the State Registrar, local registrar, or county recorder to furnish a certified copy of birth, death, or marriage to applicants upon request if:
a) The request is written, faxed, or a digitized image and accompanied by a notarized statement that is written, faxed, or a digitized image, sworn under penalty of perjury, that the requester is an authorized person, as defined; or
b) The request is made in person, and the official takes a statement, sworn under penalty of perjury, that the requester is signing his or her own legal name and is an "authorized person."
(HSC 103526)
3) Defines "authorized person," for purposes of obtaining certified copies of birth, death, or marriage records, as any of the following:
a) The person who is the subject of the record or the parent or legal guardian of that person;
b) A party who is entitled to receive the record as a result of a court order;
c) Law enforcement or governmental agency personnel conducting official business;
d) A child, grandchild, sibling, spouse, domestic partner, or grandparent of the person who is the subject of the record;
e) An attorney or other person empowered to act on behalf of the person who is the subject of the record; or
f) An agent or employee of a funeral establishment who orders death certificates when acting on behalf of specified individuals. (HSC 103526(c))
4) Provides that, in all other cases in which the requester does not meet the requirements of an authorized person, a certified copy may be provided to the requester but the document shall be an informational certified copy and shall be redacted to remove any signatures that appear on the document. (HSC 103526(b))
5) Requires the certified copy to contain the statement "INFORMATIONAL, NOT A VALID DOCUMENT TO ESTABLISH IDENTITY." (HSC 103526(b))

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to streamline the process for requesting official copies of birth, death and marriage certificates (vital records) by permitting county recorders and the California Office of Vital Records to accept online applications for the records and requiring an electronic identity authentication process similar to what is used in 41 other states for vital records requests. This measure is sponsored by the California State Association of Counties and the Urban Counties of California.

2) Author's statement.
According to the author's office, "Individuals seeking vital records in California suffer longer wait times and pay significantly higher fees than individuals seeking records in almost every other state due to outdated statutes that govern vital records requesting policies in California. Recognizing the advanced security capabilities of remote verification technologies, vital records agencies, with the exception of those in California and Minnesota, have moved away from reliance solely on notarized statements of identity. Accepted as a standard method of practice by the majority of vital records agencies nationwide, AB 2636 allows local jurisdictions to offer an alternative method of verification for vital records requests using remote identity proofing processes, so long as they adhere to a stringent set of federal cybersecurity guidelines. This much-needed measure will bring California's antiquated vital record request system into the 21st Century, thereby not only easing the financial burden on local jurisdictions, but also increasing the security of their processing systems."

3) What are vital records? Vital records are birth certificates, death certificates and marriage certificates, and they are kept on file in the county in which the person was born, married or died. The California Office of Vital Records has a statewide database of vital records.

People need certified copies of their birth certificate when they apply for their first driver's license or passport, and it is not uncommon for birth certificates to be lost in the years between birth and adulthood. Copies of marriage certificates are needed in cases of divorce and in cases where one spouse is from another country and the marriage is the basis for legal residency in the United States. Here again, when the certificate is lost a new official copy must be obtained.
When a person dies, several copies of the official death certificate are typically needed in order to complete legal transactions to transfer assets to the decedent's heirs.

Vital records are almost never needed for financial transactions, such as opening a bank account or getting a mortgage. However, privacy advocates argue that birth certificates are "breeder" documents, because identity thieves can use them to get other identity documents, such as a driver's license or passport, in their victim's name.

4) California's "tangible interest" law for vital records. California, like 41 other states, has a "tangible interest" law, which requires that only unofficial, non-certified copies of vital records may be released unless the person swears under penalty of perjury that they are a family member or another person with a "tangible interest" in obtaining an official, certified copy of the birth, death or marriage certificate.

In California, some counties have an online application to request a vital record, but all counties must require applicants to follow up with a paper form signed in ink and notarized, in which the applicant swears under penalty of perjury that he or she has a right to a certified copy of the record. This notarized form can be faxed or mailed to the county recorder.

However, the processing time in California for obtaining an official vital record is typically very slow. According to one of the bill's sponsors, Urban Counties of California, counties process thousands of vital records requests, which can be very time consuming for county staff and costly for county government.

This bill would allow counties to use an electronic process to receive a vital records application. The new process would require identity verification against a government database or a person's credit record, and would still require applicants to swear under penalty of perjury they have a right to a certified copy of the record.
The electronic process under this bill would be somewhat similar to the process California now uses to allow people to register to vote online. The Secretary of State's online voter registration website requires applicants to affirm under penalty of perjury that they are a citizen of the United States by clicking a button on the online voter registration application. The SOS then checks the applicant's driver's license number against the Department of Motor Vehicles database to verify the person's identity. If the person's identity cannot be confirmed then the applicant must mail in a signed paper voter registration application.

5) The NIST standard. NIST is responsible for developing information security standards for federal information systems. NIST's electronic authentication guidelines provide standards for remote authentication of users interacting with government IT systems over open networks. They also define the technical requirements for each level of assurance for remote identity proofing. Under this bill, the electronic verification accepted by a California official would have to be in compliance with each update of the NIST guidelines to ensure the most up-to-date security standards for electronic authentication.

Under the current NIST guideline, e-authentication credentials may be considered the electronic analog of paper credentials. That is, the remote verification process must meet the same level of confidence in verifying an individual's identity as an affidavit of identity provided by a notary. In both cases of a paper credential such as an affidavit of identity, or the electronic credential provided by identity proofing technology, a valid credential authoritatively binds an identity to the necessary information for verifying that a person is entitled to claim the identity.
For the federal government's operations, an electronic verification that complies with the NIST is not a less secure verification, but rather a different mode of assuring the identity.

The multilayered knowledge-based identity authentication method NIST requires for remote identity proofing is as follows. The NIST guidelines require that an applicant supply his or her full legal name, an address of record, date of birth and any other information requested by the agency before any additional identity proofing methods are employed. The sensitive data collected during the registration and identity proofing stage must be protected by the agency at all times, including in transmission and storage, to ensure the security and confidentiality of the data.

Next the agency must verify the personal data provided by checking the data against a government database or the applicant's credit report, or perhaps a specialty consumer credit report such as one containing consumer utility service accounts.

Once the agency has determined that the identity exists and is not a fabricated identity, the agency then asks the applicant a series of questions, which are designed to test whether the applicant is in fact the person they claimed to be on the application. This is called "knowledge-based authentication" or KBA, and involves multiple-choice questions that ask the user about his or her past residences and credit history. The questions range from "On which of the following streets have you lived?" to "What is your total scheduled monthly mortgage payment?"

This bill requires all of these layers of authentication required by NIST in addition to other protections.
The author also notes that the NIST standard is not only used by the agencies that process vital records requests in 41 other states but also by thousands of other state, local, and federal government agencies as well as financial institutions and health care organizations, which hold sensitive medical and financial information. For example, CalSTRS currently authenticates identity using KBA to allow access to online retirement account information and the California State Controller's Office uses KBA to authenticate identity for applications to recover unclaimed property.

Bruce Schneier, Chief Technology Officer of Resilient Systems and a fellow at Harvard's Berkman Center, has stated that visual verifications of identification documents (such as when a notary public looks at a driver's license) are no more than "security theatre" as they make the public feel secure, but actually don't provide a true security benefit. In June 2012, Schneier stated that "the only real solution is to move the security model from the document to the database. With online verification, the document matters much less, because it is nothing more than a pointer into a database."

6) Modernization in other states. Forty-one other states have already moved away from paper-based vital records requests. Another six states have open records laws that allow anyone to get an official copy of a vital record, so no identity verification is required. Taken together, only California and Minnesota still have a paper-based application process that requires a notarized signature to obtain an official copy of a birth, death or marriage certificate.

For example, in Massachusetts, which like California has a tangible interest law, the online application begins with the applicant entering name, date of birth, address, social security number, and other information. Each applicant must submit a credit card for payment and the name on the credit card must match the name of the applicant.
The applicant must then select "I acknowledge" to affirm that they understand that the law restricts access to family members and certain others and that violation of the law is a crime. Next, the agency verifies the applicant's information and government-issued identification against its database to verify the identity of the individual. Then the applicant is guided through a series of questions, based on information from other sources such as the applicant's credit report. If the applicant passes the quiz, the credit card payment is processed and the application is electronically submitted to the agency for processing. If the applicant fails at any point in the multilayered authentication process, then the applicant must instead submit a signed, notarized paper application. Massachusetts follows the NIST guidelines which are required in this bill.

7) The IRS hack and KBA. In May 2015, the IRS announced a major data breach in which hackers successfully applied for and received tax refunds for hundreds of thousands of taxpayers. According to recent reports, nearly 700,000 people were affected. Hackers used the IRS's "Get Transcript" website to steal data from previously filed tax returns and then used that information to file the new, falsified returns.

Privacy advocates have pointed out that the IRS hackers found a way to bypass the two-step process on the IRS's "Get Transcript" website. In the first step, a user has to provide a Social Security number, date of birth, tax filing status, and street address, according to the IRS. The second step is a KBA quiz that hackers found a way to defeat by guessing the correct answers on thousands of taxpayers. This gave the hackers access to prior returns and enough information to file falsified new returns generating refunds. According to news reports, $50 million in tax refunds were issued and sent by the IRS to a single bank account in Pennsylvania. From there funds were wired to Nigeria and other places.
Unlike the IRS hack in which millions were paid into a single bank account, this bill as amended would require additional security features beyond what NIST requires, including a requirement that the name on the applicant's credit card must match the name of the applicant, so that a hacker cannot submit thousands of requests using a single credit card.

8) Recent amendments strengthen the bill. The author and stakeholders worked with the Committee to add a number of additional privacy and security protections to the bill, including the following:
a) A county that chooses to move to electronic requests for vital records must establish a system that meets or exceeds the NIST electronic authentication guideline for multilayered remote identity proofing, as detailed above.
b) The electronic request system must verify both a valid government-issued identification number and a financial or utility account number. The verification must be conducted by running a match against a state or local agency database or a credit reporting agency or similar database. The verification must confirm that the name, date of birth, address, and other personal information is consistent with the information on the application.
c) The electronic request must meet or exceed the information security requirements of the Uniform Electronic Transactions Act and the Federal Information Security Management Act, which require data security risk assessment, risk management and auditing measures to guard against data breach and identity theft.
d) The county must retain records from each electronic verification, as required by the NIST, including the steps taken to verify the applicant's identity.

The added protections are designed to help reduce the likelihood of fraud and identity theft in the online application process.

9) County option. This bill does not eliminate the paper process in place to apply for an official vital record in California.
In fact, the bill provides counties the option of moving to an electronic application system in addition to using the existing paper-based system. Anyone failing the electronic authentication would be required to apply on paper and provide a notarized signature.

10) Arguments in support. The Urban Counties of California (UCC) states in support of this bill that "counties process thousands of these types of requests which can be very time consuming for both county staff and consumers. This bill would provide a more user-friendly way to get access to these records through established systems that verify the user's identity which could provide significant cost savings to counties and provide better customer service for these vital records."

UCC states further that the bill "is permissive and is not a mandate which would allow each county to decide whether to make this change. In addition, this bill provides critical consumer protections for privacy by requiring systems that are consistent with federal guidelines which are the most stringent in the country."

In its letter of support for the bill, the Little Hoover Commission states, "In its 2015 report, A Customer-Centric Upgrade for California Government, the Commission urged state leaders to upgrade and improve state government by sharply focusing on customer needs. The Commission found that, for various reasons, the state does not always make it easy or convenient for Californians to get the government services they are entitled to and deserve. The Commission's report identified opportunities for improved customer experience across state government, including its vital records program.
Certified copies of vital records, such as birth, death and marriage certificates, are critical for Californians who want to enroll their children in school or a youth sports program, apply for a driver's license or a passport, update their Social Security card to reflect their new married name, or even help settle the affairs of a deceased loved one. While the need for copies of these records is often urgent, the Commission found that the process to obtain them can be overly complicated, time consuming and paper-intensive. To make it easier for Californians to apply for and receive copies of these records, the Commission suggested the state move the application and payment processes online and evaluate whether a notary check is necessary."

11) Arguments in opposition. Privacy Rights Clearinghouse opposes this bill on the grounds that "the substitution of an electronic acknowledgement for a notarized affidavit will facilitate the ability of identity thieves and other fraudsters to obtain vital records that can then be used to engage in criminal acts against Californians. Certified copies of birth certificates can be used to fraudulently obtain many other important documents such as passports, driver's licenses, and identification cards."

12) Prior Legislation.

AB 1238 (Linder) of 2015 was similar to this bill and was held on the Assembly Appropriations Committee suspense file.

AB 2275 (Ridley-Thomas) of 2014 was identical to this bill and failed passage in the Senate Judiciary Committee.

AB 464 (Daly), Chapter 78, Statutes of 2013, allowed digitized images, as defined, to be included as part of a request for a certified copy of a birth, death, or marriage record.

AB 130 (Jeffries), Chapter 412, Statutes of 2009, extended the existing limitations on the release and access of birth and death records to marriage records in order to prevent the unauthorized use of personal information.
SB 471 (Margett) of 2007 would have required any individual, authorized by law to obtain a certified copy of a birth or death certificate, to show proof of identification when the request is made in person, except when the individual has been a victim of identity theft. SB 471 died in the Senate Health Committee.

AB 247 (Speier), Chapter 914, Statutes of 2002, authorized the State Registrar, local registrar, or county recorder to provide a certified copy of a birth or death record to an authorized person who submits a statement sworn under penalty of perjury that the requester is signing his or her own legal name and is an authorized person.

13) Double-referral: This bill was double-referred to the Assembly Health Committee where it passed 19-0 on March 29, 2016.

REGISTERED SUPPORT / OPPOSITION:

Support

California State Association of Counties (CSAC) (co-sponsor)
Urban Counties of California (UCC) (co-sponsor)
California Association of Clerks and Election Officials
California Association of County Veteran Service Officers
Computing Technology Industry Association (CompTIA)
County Health Executives Association of California (CHEAC)
Little Hoover Commission
Los Angeles County
TechNet
Riverside County
Tarrant County Clerk's Office
San Bernardino County
Rural County Representatives of California (RCRC)

Opposition

ACLU of California
Privacy Rights Clearinghouse

Analysis Prepared by: Jennie Bretschneider / P. & C.P. / (916) 319-2200