BILL ANALYSIS Ó SENATE JUDICIARY COMMITTEE Senator Hannah-Beth Jackson, Chair 2015-2016 Regular Session AB 2636 (Linder) Version: April 12, 2016 Hearing Date: June 28, 2016 Fiscal: Yes Urgency: No NR SUBJECT Certified copies of marriage, birth, and death certificates: electronic application DESCRIPTION This bill would, if the request for a certified copy of a birth, death, or marriage record is made electronically, authorize the official to accept electronic acknowledgment verifying the identity of the applicant using a multilayered remote identity proofing process, as specified. BACKGROUND The Office of Vital Records is charged with the responsibility of maintaining a uniform system for registration and a permanent central registry with a comprehensive and continuous index for all birth, death, fetal death, marriage, and dissolution certificates registered for vital events which occur in California. Certified copies of these records are available from the State Registrar, the 58 county recorders, and 61 local health jurisdictions. In November 2001, it was reported that the state had sold the birth records of more than 24 million Californians which were then posted on the Internet. The Senate Insurance Committee held an informational hearing in response, "Personal Privacy at Risk," which demonstrated the ease with which identity thieves could obtain personal information about others. The informational hearing also revealed that the State Registrar routinely sold electronic compilations of public record information to anyone who could pay for the records with no AB 2636 (Linder) Page 2 of ? restrictions on their use. The records sold covered births from 1905 to 1995, and included the county of birth, the person's full name, date of birth, and the person's mother's maiden name. A mother's maiden name and date of birth are common personal identifiers used by financial institutions to determine if a person may have access to an individual account. In order to prevent fraud and identity theft, the Legislature has since enacted a number of protective measures with regard to vital records, including AB 247 (Speier, Ch. 914, Stats. 2002) and AB 1614 (Speier, Ch. 712, Stats. 2002) which established controls for the release of, and access to, birth and death records. AB 130 (Jeffries, Ch. 412, Stats. 2009) extended the existing limitations on release and access of birth and death records to marriage records in order to prevent the unauthorized use of personal information. Recently, AB 464 (Daly, Ch. 78, Stats. 2013) updated the law regarding vital records to allow digitized images to be used, in addition to written or faxed documents, as part of a request for a certified copy of a vital record. Existing law requires that these requests be accompanied by a notarized statement, sworn under penalty of perjury, that the requester is an authorized person. Instead of requiring a notarized statement, which may also be scanned and mailed electronically, this bill, which is substantially similar to AB 2275 (Ridley-Thomas, 2014), would allow a registrar or county recorder to accept electronic acknowledgment that the requester of a record is an authorized person. CHANGES TO EXISTING LAW Existing law allows the State Registrar, local registrar, or county recorder to furnish a certified copy of birth, death, or marriage to applicants upon request if: the request is written, faxed, or a digitized image and accompanied by a notarized statement that is written, faxed, or a digitized image, sworn under penalty of perjury, that the requester is an authorized person, as defined; or the request is made in person, and the official takes a statement, sworn under penalty of perjury, that the requester is signing his or her own legal name and is an "authorized person." (Health & Saf. Code Sec. 103526.) Existing law defines "authorized person," for purposes of obtaining certified copies of birth, death, or marriage records, as any of the following: AB 2636 (Linder) Page 3 of ? the person who is the subject of the record or the parent or legal guardian of that person; a party who is entitled to receive the record as a result of a court order; law enforcement or governmental agency personnel conducting official business; a child, grandchild, sibling, spouse, domestic partner, or grandparent of the person who is the subject of the record; an attorney or other person empowered to act on behalf of the person who is the subject of the record; or an agent or employee of a funeral establishment who orders death certificates when acting on behalf of specified individuals. (Health & Saf. Code Sec. 103526 (c).) Existing law provides that, in all other cases in which the requester does not meet the requirements of an authorized person, a certified copy may be provided to the requester, but the document shall be an informational certified copy and shall be redacted to remove any signatures that appear on the document. Existing law requires the certified copy to contain the statement "INFORMATIONAL, NOT A VALID DOCUMENT TO ESTABLISH IDENTITY." (Health & Saf. Code Sec. 103526 (b).) This bill would authorize the State Registrar, or a local registrar or county recorder to accept electronic acknowledgement, if the applicant's identity is verified using a multilayered remote identity proofing process that complies with the following requirements: meets or exceeds the National Institute of Standards and Technology (NIST) electronic authentication guideline for multilayered remote identity proofing; and verifies a valid government-issued identification number, and a financial or utility account number. This bill would require that the verification must occur through record checks with the state or local agency or a credit reporting agency or similar database and shall confirm that the name, date of birth, address, or other personal information in the record checks are consistent with the information provided by the applicant. COMMENT 1.Stated need for the bill AB 2636 (Linder) Page 4 of ? According to the author: Unfortunately, individuals seeking vital records in California suffer longer wait times and pay significantly higher fees than individuals seeking records in almost every other state due to outdated statutes that govern vital records requesting policies in California. [?]Vital records (typically birth, death, marriage and divorce records) are critical documents which are required for many of life's most significant events. This is particularly true for birth and death records. For example, birth certificates are necessary for school enrollment, participation in youth sports, obtaining a driver's license, obtaining a passport, and applying for Social Security or Medicaid benefits. Death certificates are documents often needed by loved ones in order to obtain life insurance benefits, and close out financial accounts and investments, etc. Each of these documents is frequently needed expeditiously and more often than not, the individual needing them does not live in the city, county, or even state where the birth or death occurred. [?] AB 2636 brings California into conformity with all other states in the country, except for Minnesota, that do not require a separate notarized statement of identity when making a remote request for vital records. The bill follows the findings of the Little Hoover Commission's 2015 Report seeking a more customer-centric delivery of California government services by allowing for secure online processing of vital records requests benefitting both county staff and California citizens at large. The California State Association of Counties, sponsor, writes: California and Minnesota are the only two states in the nation which currently require a notarized statement in conjunction with the online request. The option of being able to fully submit an electronic request will significantly reduce processing time for customers. This process will also reduce the overall cost for obtaining copies of vital records. For example, the current fee for a certified copy of a birth certificate in Los Angeles County ranges from $23 to $28. The average notary fee for an affidavit is as much as $20. The total fee for someone requesting this record under the current system of a partial online request could be as much as $50. Contra Costa County processed 5,628 electronic orders last AB 2636 (Linder) Page 5 of ? year - the staff time involved in document matching would have saved the county 1,426 staff hours or approximately 35 weeks of work. 2.Potential for identity theft This bill would eliminate the requirement that a person submit a notarized statement of identification when he or she electronically requests vital records. The author argues that this is necessary because "in 2012, Los Angeles County's Registrar received more than 64,000 online requests for vital records. This accounted for 22% of all requests for vital records that year. The average wait time for a customer who submits a vital records request under the current system, that is partially an electronic submission, is 6 to 8 weeks. [?]This is not to mention the additional price of the notary fee on consumers which adds an additional average of $10 to $15 to the existing cost of a copy of a vital record. In Los Angeles, the cost of a vital record is $28, meaning that consumers are paying over a third of the cost for a fee that no other state charges except for Minnesota and is not necessary as identities can be confirmed online as evidenced by California's voter registration system." The requirement that a person requesting a certified copy of a vital record must include a notarized statement of identity was created as a security precaution to protect against fraud and identity theft. In opposition to this bill, the Privacy Rights Clearinghouse (PRC) argues that such protections continue to be necessary. PRC writes: The substitution of an electronic acknowledgement for a notarized affidavit will facilitate the ability of identity thieves and other fraudsters to obtain vital records that can then be used to engage in criminal acts against Californians. Certified copies of birth certificates can be used to fraudulently obtain many other important documents such as passports, driver's licenses, and identification cards. Certified copies of death certificates can be used to fraudulently obtain decedents' death benefits, including life insurance proceeds and investment accounts. Vital records contain a wealth of personal information, which if inappropriately released to the wrong person can result in a significant violation of privacy. Privacy is protected by AB 2636 (Linder) Page 6 of ? California's Constitution, and should not be set aside merely to facilitate the issuance of vital records. Arguably, an electronic identity verification process offers little assurance that identity thieves will not receive documents that can, by their nature, be used to establish identity. The sponsor and the author argue that the high cost associated with obtaining a vital record justifies a more affordable, elctronic process, but the costs associated with identity theft are arguably much higher. It should be noted that individuals can always request vital records without the use of a notary, but those documents are for informational purposes only and not to establish identity. If a person wishes to use the document for identification purposes, the request must be notarized or the individual must submit the request in person. This bill seeks to instead allow individuals to request vital records that can be used for identification purposes without the use of a notary. Given the inherent difficulties in verifying the identity of an individual over the Internet, and the countless opportunities for identity theft that vital records in the wrong hands create, strong protections must be in place to ensure that vital records are safely maintained. 3.Security measures AB 2275 (Ridley-Thomas, 2014), which was substantially similar to this bill, failed passage in the Senate Judiciary Committee in 2014. The Committee analysis noted that the bill lacked adequate security measures and that the increased risk of identity theft outweighed the benefits of the bill. AB 2275 required that an electronic request for a vital record to provide a method for the official to establish the identity of the requester electronically. The method established to process electronic requests and establish the requester's identitywas required to comply with the provisions of the California Uniform Electronic Transactions Act (Act). (Civ. Code Secs. 1633.1-1633.17.) The purpose of the Act is to standardize state laws regarding retention of paper records (namely checks) and electronic signatures, in an effort to facilitate the validity of electronic contracts and transactions. The Committee analysis noted that the Act does little in the way of providing security against fraud. It allows for electronic notarization of signatures and provides that the requirement of AB 2636 (Linder) Page 7 of ? an electronic signature under penalty of perjury is satisfied if the "electronic record includes, in addition to the electronic signature, all of the information as to which the declaration pertains together with a declaration under penalty of perjury by the person who submits the electronic signature that the information is true and correct." (Civ. Code Sec. 1633.11(a) - (b).) Further, the Act does not require any standard of security, but merely defines a security procedure as "a procedure employed for the purpose of verifying that an electronic signature, record, or performance is that of a specific person or for detecting changes or errors in the information in an electronic record. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment procedures." (Civ. Code Sec. 1633.2(n).) Accordingly, this bill includes additional security provisions than those included in AB 2275. In addition to compliance with the Act, this bill requires a "multilayered remote identity proofing process" that "meets or exceeds the National Institute of Standards and Technology (NIST) electronic authentication guideline." This includes that a valid government-issued identification number and a financial or utility account number are verified. The American Civil Liberties Union, in opposition, argues that privacy protections should not be set aside merely to facilitate the issuance of vital records: If this legislation is to be enacted it should include a two-year sunset in order to assess the impacts of loosening the requirements for obtaining vital records online. Additionally, the bill should include a reporting mechanism for people who have been victims of identity theft and prohibit fulfilling vital records requests of persons who have placed fraud alerts or credit reports on their account when the request is submitted using multilayered remote identity proofing. If a public entity wishes to release records without a notarized affidavit of identity, the entity furnishing the records must be liable for any identity theft that occurs after a person uses this process to request a vital record. In light of the above concerns and the Committee's reluctance to pass similar legislation in the past, if this Committee were to approve this bill it should consider doing so only if the bill AB 2636 (Linder) Page 8 of ? include a two year sunset so that the Legislature may review the impacts of allowing individuals to request vital records online. The author may wish to additionally consider including a mechanism for acknowledging fraud alerts that have been placed by persons who have experienced identity theft. Suggested amendment: Sunset the provisions of the bill on January 1, 2019. Support : California Association of Clerks and Election Officials; California Association of County Veteran Service Officers; Computing Technology Industry Association (CompTIA); County Health Executives Association of California (CHEAC) Little Hoover Commission; Los Angeles County Board of Supervisors; Riverside County Board of Supervisors; Rural County Representatives of California (RCRC); San Bernardino County; Tarrant County Clerk's Office; TechNet; Opposition : ACLU of California; Privacy Rights Clearinghouse HISTORY Source : California State Association of Counties; Urban Counties of California Related Pending Legislation : None Known Prior Legislation : AB 2275 (Ridley-Thomas) See Comment 3. AB 464 (Daly, Chapter 78, Statutes of 2013) allowed digitized images, as defined, to be included as part of a request for a certified copy of a birth, death, or marriage record. AB 130 (Jeffries, Chapter 412, Statutes of 2009) extended the existing limitations on the release and access of birth and death records to marriage records in order to prevent the unauthorized use of personal information. SB 1398 (Margett and Hollingsworth, 2008) was substantially similar to SB 471. This bill died in the Senate Health Committee. AB 2636 (Linder) Page 9 of ? SB 471 (Margett, 2007) would have required any individual, authorized by law to obtain a certified copy of a birth or death certificate, to show proof of identification when the request is made in person, except when the individual has been a victim of identity theft. This bill died in the Senate Health Committee. SB 904 (Battin, 2007) would have required the county recorder, when furnishing an informational copy of a military service record, to alter that record by masking the service member's personal information, as specified, without incurring any liability. This bill was vetoed by Governor Schwarzenegger. AB 1179 (Parra, Chapter 6, Statutes of 2004) prohibited county recorders from providing certified copies of military discharge papers except to specified persons and allowed county recorders to accept faxed, notarized documents when specified information is present and photographically reproducible. AB 247 (Speier, Chapter 914, Statutes of 2002) authorized the State Registrar, local registrar or county recorder to provide a certified copy of a birth or death record to an authorized person who submits a statement sworn under penalty of perjury that the requester is signing his or her own legal name and is an authorized person. Prior Vote : Assembly Floor (Ayes 80, Noes 0) Assembly Appropriations Committee (Ayes 20, Noes 0) Assembly Privacy and Consumer Protection Committee (Ayes 11, Noes 0) Assembly Health Committee (Ayes 19, Noes 0) **************