BILL ANALYSIS �
AB 1168
Page 1
Date of Hearing: April 10, 2007
ASSEMBLY COMMITTEE ON JUDICIARY
Dave Jones, Chair
AB 1168 (Jones) - As Amended: March 29, 2007
As Proposed To Be Amended
SUBJECT : Social Security Numbers
KEY ISSUE : in order to combat the rising tide of identity
theft, Should specified public agencies be required to truncate
social security numbers in any records that might be displayed
to the public?
SYNOPSIS
This bill seeks to abate identity theft by restricting access to
one of the most critical tools of identity theft: social
security numbers. Although identity thieves obtain the social
security numbers of other persons in a variety of ways, studies
suggest that quite often these numbers are harvested from
official records and legal documents accessible to the public.
This bill would require various public entities to truncate
(i.e. redact the first five digits) any social security numbers
accessible to public viewing. In particular, this bill would
create truncation requirements in three particularly vulnerable
areas: (1) colleges and universities that, for operational
reasons, must retain substantial amounts of personal information
on students and staff; (2) local agencies that are required to
make many records publicly accessible under the California
Public Records Act; (3) and the state Franchise Tax Board, which
creates lien abstracts and other legal documents that become
public records. The author and supporters contend that this
measure will protect consumers and citizens by cutting off
access to the identity thief's most valuable piece of personal
information. The California Land Title Association (CLTA)
currently has concerns about the bill but has informed the
Committee that it will continue working with the author to
address its concerns.
SUMMARY : Requires various public entities to truncate Social
Security numbers when the numbers are electronically displayed
or displayed in public records. Specifically, this bill :
1)Requires all colleges and universities located in California
�
AB 1168
Page 2
to implement policies and procedures regarding the retention
of social security numbers in electronic records that are
accessible through the Internet. Specifies that these
policies and procedures shall provide for the redaction of
social security numbers except where necessary and specifies
timetables for discarding records that contain social security
numbers and other pieces of personal information. Authorizes
the Attorney General, or any injured person, to bring a civil
action to enforce this provision.
2)Requires a local agency to redact the first five digits of any
social security number before disclosing a record that is
required to be open to the public, unless the local agency is
required by federal law to display the full number. Makes
conforming changes to the Commercial Code relative to the
filing of financial statements under the Uniform Commercial
Code and the forms required for such filings.
3)Requires, unless prohibited by federal law, the Franchise Tax
Board to redact the first five digits of any social security
number on lien abstracts or any other public records created
by the board.
EXISTING LAW:
1)Imposes various restrictions on the use of social security
numbers and specifically prohibits a person or entity from
doing any of the following:
a) Publicly posting or displaying an individual's social
security number;
b) Printing an individual's social security number on any
card that he or she must use to access products or
services;
c) Requiring an individual to transmit his or her social
security number over the Internet, unless the connection is
secure or the social security number is encrypted;
d) Requiring an individual to use his or her social
security number to access an Internet website unless a
password is also required to access the site;
e) Printing an individual's social security number on any
materials mailed to him or her unless required by state or
federal law. (California Civil Code Section 1798.85(a).)
2)Requires a driver's license applicant to include his or her
social security number (or other appropriate number if not a
�
AB 1168
Page 3
citizen) on the application. Provides, however, that the
social security number shall not be included on a magnetic
tape or strip used to store data on the license. (California
Vehicle Code Section 12801.)
3)Prohibits employers, as of January 1, 2008, from displaying
more than the last four digits of an employee's social
security number when providing employees with an itemized
statement of earnings. (California Labor Code Section
226(a).)
4)Permits a party to a dissolution, annulment, or legal
separation of marriage to redact a social security number from
any pleading, attachment, document, or other written material
filed with the court. Provides, however, that a social
security number may not be redacted from forms or documents
relating to child or spousal support. (Family Code Section
2024.5.)
5)Permits the district attorney and courts of each county, in
consultation with local law enforcement agencies, to establish
mutually agreeable procedures to protect confidential personal
information relating to a witness or victim contained in a
police report, arrest report, or investigative report.
Defines "confidential information" to include, among other
things, a social security number. (Penal Code Section 964.)
6)Imposes, under California's Information Practices Act, certain
limitations on the use, collection, and disclosure of personal
information, including social security numbers. Provides
further that a state agency shall not disclose personal
information in a manner that would link the information to the
individual to whom it pertains without the prior consent of
the individual or pursuant to a court order or some other
provision of law. (Civil Code Section 1798 et seq.)
7)Provides, under the California Public Records Act, that public
records shall be open to public inspection, unless exempted by
law. (Government Code Section 6250 et seq.)
8)Requires, under federal law, a consumer reporting agency to
truncate a consumer's social security number when the consumer
requests a copy of his or her credit report. (Fair Credit
Reporting Act Section 609(1)(1)(A), 15 USC 1681g.)
�
AB 1168
Page 4
FISCAL EFFECT : As currently in print this bill is keyed
fiscal.
COMMENTS : Identity theft occurs whenever someone uses the
personal identifying information of another person for an
unlawful purpose, including to obtain or attempt to obtain
credit, goods, services, or medical information in the name of
the other person without that person's consent. (Penal Code
Section 530.5(a).) According to the Federal Trade Commission
(FTC), identity theft has consistently topped the list of
consumer fraud complaints for at least the last six years. The
255,000 complaints of identity theft filed with the FTC in 2005
constituted 37% of all complaints, far surpassing any other
single complaint. The most common form of identity theft is
opening a line of credit in the victim's name. For the identity
thief, the social security number is the single-most useful
tool. (FTC, "FTC Releases Top 10 Consumer Fraud Complaint
Categories," at http://www.ftc.gov/opa/2006/01/topten.htm ;
Consumer Sentinel & Identity Theft Clearinghouse" at
http://www.consumer.gov/sentinel/pubs/Top10Fraud2005.pdf );
General Accounting Office, "Social Security Numbers: Federal and
State Laws Restrict Use of SSNs, September 15, 2005, at
http://www.gao.gov/new.items/d051016t.pdf .)
According to the author, the risk of identity theft is even
greater in California, which accounted for 45,000 of the 255,000
reported cases in 2005. Because the social security number is
such a crucial piece of information in facilitating identity
theft, this bill would prohibit various public entities from
disclosing more than the last four digits of a social security
number unless they are otherwise required to do so by federal
law. In particular, the author targets three areas that have
proven most subject to abuse: (1) local public records,
especially court records, (2) colleges and universities, and (3)
the California Franchise Tax Board.
Local Public Records : While businesses and state agencies are
required to adopt policies and procedures to safeguard any
personally identifiable information that they may keep or
maintain, local government agencies are largely exempt from
these requirements. (Civil Code Section 1798 et seq.)
Moreover, under the California Public Records Act (Government
Code Section 6250 et seq.), local government agencies are often
required to make certain records open and accessible to the
public. Usually these records may be reviewed physically on
�
AB 1168
Page 5
site, but increasingly local entities are making these records
available on-line. Many of these records, such as abstracts of
judgment, property liens, deeds of trust, child support orders,
and other legal documents often contain social security numbers.
The author contends, however, that access to social security
numbers has nothing to do with the underlying rationale of the
Public Records Act. Open public records provide notice to
citizens of various legal or governmental actions that have been
taken. This purpose can still be served even if the social
security numbers are truncated or removed. In fact, the author
contends that "ready access to full Social Security numbers
through local agencies stands the concept of public records on
its head: public records should allow people to monitor
government, not each other."
In order to remedy this problem and preserve the intent of the
Public Records Act, this bill would require a local agency to
truncate social security numbers in all public records so that
no more than the last four digits are displayed, unless the
agency is required by a federal law to display the entire
number.
Colleges and Universities : According to the author, in 2006
American universities and colleges reported 52 breaches of
personal information. For a variety of reasons, institutions of
higher education collect and maintain a great deal of personal
information on students and employees. For example, colleges and
universities must maintain student records for several years in
order to respond to requests for grade transcripts. A social
security number helps to ensure that transcripts are in fact
those of the requesting student, since many students may have
common names. However, this vast amount of personal information
- whether it is maintained in on-campus computer databases or
code-accessible websites - is subject to "hacking" or can
otherwise fall into the hands of unauthorized persons. For
example, in December of 2006 UCLA reported a security breach
that resulted in unauthorized access to the personal information
of 800,000 current and former students and employees, and even
student applicants who had never attended the university.
UCLA was not alone. A list of security breaches maintained and
frequently updated by the Privacy Rights Clearinghouse contains
a disproportionate number of colleges and universities. Indeed,
as this analysis was being drafted, the University of California
at San Francisco announced a security breach that may have
�
AB 1168
Page 6
compromised the personal information, including social security
numbers, of 46,000 students, faculty, and staff.
In light of the peculiar vulnerability of institutions of higher
learning, this bill would require all colleges and universities
located within the state to implement policies and procedures
regarding the retention of social security numbers in electronic
records that are accessible through the Internet. At a minimum,
these policies and procedures must provide for the redaction of
social security numbers unless it is necessary for operational
reasons to have the full number. In addition, the bill would
require that the college or university discard records and
applications after a reasonable period of time if those records
contain social security numbers along with other pieces of
personally identifiable information.
State Franchise Tax Board : The California Franchise Tax Board
was created to administer the state's personal and corporate
income tax laws. As part of this duty, the Board must file tax
liens and other records that are created by the Board. These
records are disclosable under the California Public Records Act.
As with documents filed by local agencies, these tax-related
documents often contain social security numbers. This bill
would, therefore, require the Board to truncate all but the last
four digits in any document that it files as a public record.
ARGUMENTS IN SUPPORT : Like the author, the many supporters of
AB 1168 point to the fact that identity theft is easily one of
the fastest growing crimes in the nation and the fact that the
social security number is a key facilitator of that crime.
Supporters contend that public agencies should have the same
obligation to protect social security numbers as private
businesses. The Consumer Federation of California (CFC), for
example, points out that current law imposes a number of
limitations on how a private business may use, handle, or
display social security numbers, but expressly exempts public
records. (Civil Code Sections 1798.85(a) and 1798.85(c).) But
CFC sees no rationale for this exemption, given that "the
routine, legally sanctioned release of Social Security numbers
through public records [is] a violation of consumer privacy and
every bit as serious as a breach of data at a bank, hospital, or
retail outlet."
The Privacy Rights Clearinghouse (PRC) supports all the
provisions of this bill, but it especially highlights the need
�
AB 1168
Page 7
to regulate colleges and universities. PRC, which closely
monitors data security breaches, points out that of 327 data
breaches occurring in 2006, 52 (or about one in six) were at
institutions of higher learning. This included, of course, the
massive security breach at UCLA, which compromised the personal
information of 800,000 past and present students, applicants,
staff, and faculty. Crime Victims United of California argues
that students are especially "good targets for identity theft,"
in part because students "change their residences frequently and
credit card companies are not surprised when an application is
filed with a new address."
Secretary of State Debra Bowen supports this bill, especially
those provisions dealing with public records and the filing of
certain financing statements and lien documents under the
Uniform Commercial Code (UCC). In March, Secretary Bowen
learned from the author that many of the public UCC documents on
a Secretary of State website - which are available on the
Internet to anyone who requests them and pays a required fee -
contain social security numbers. Secretary Bowen moved quickly
to, among other things, shut down online access to UCC filings.
The Secretary of State's office is also moving to remove or
truncate social security numbers from all UCC filings and make
corresponding changes in UCC filing forms. The Secretary of
State believes that AB 1168 will be consistent with and
supportive of those efforts.
CURRENT OPPOSITION : The California Land Title Association
(CLTA) supports the general concept of protecting social
security numbers contained in public records, but contends that
the bill could unintentionally make important public records
inaccessible to consumers, lenders, real estate professionals,
title and escrow companies, and other interested parties needing
access to public records.
CLTA points out that, as drafted, this bill requires social
security numbers to be redacted or truncated from public
documents "irrespective of how old those documents are." CLTA
has been informed by some county recorders that this would
require them to examine many paper and microform documents by
hand before releasing them, since this information is not held
within a database format that would allow the recorders to
"search and destroy" portions of the social security number.
CLTA claims that, out of fear of liability for unwittingly
releasing a social security number, county recorders "will
�
AB 1168
Page 8
likely cut off access to all county recorder documents until
this is accomplished." CLTA claims that this happened in Texas
when legislation similar to this bill was passed. CLTA claims
that this lack of access would greatly inhibit real estate
transactions since its members could not conduct the necessary
title searches or issue title policies. In addition, CLTA adds
that "title companies collect millions of dollars in child
support and billions of dollars in government tax liens through
the escrow process." This too, the CLTA claims "would come to a
screeching halt if we cannot get immediate access to county
recorder records."
While these are substantial objections, the CLTA has also
communicated to the Committee that it will continue to work with
the county recorders and the author's office to address these
possible unintended consequences. It is also the understanding
of committee staff that the author and representatives of the
county recorders have discussed this issue and feel confident
that they can continue to work out a solution.
Proposed Amendments : To clarify some provisions in the bill,
the author has agreed to take the following technical and
clarifying amendments:
On page 5, lines 28-30, strike "or in the following form
and format but lacking a space identified for the
disclosure of the social security number of an individual."
On page 8, lines 2-4, strike "or in the following form
and format but lacking a space identified for the
disclosure of the social security number of an individual".
On page 12, line 12, strike "board" and insert
"Franchise Tax Board".
On page 12, lines 15-16, strike "so that no more than
the last four digits of any social security number are
displayed" and insert the following instead: "before
disclosing the record to the public. For purposes of this
section, 'truncate' means to redact the first five digits
of a social security number."
PENDING RELATED LEGISLATION : SB 644 (Correa). As amended, this
bill removes the requirement that abstracts of certain judgments
�
AB 1168
Page 9
contain the social security number of the judgment debtor, and
instead would require only the last four digits of that person's
social security number. This bill would also provide that tax
lien filings that become public records may only contain the
last four digits of the assessee's social security number.
AB 703 (Ruskin). This bill would prohibit a person or entity
from using a social security number as an personal identifier,
except as required by federal or state law. This bill would
also require that records containing social security numbers be
discarded or destroyed in a specified manner, and it would
require the encryption or locked storage or records containing
social security numbers.
REGISTERED SUPPORT / OPPOSITION :
Support
AFSCME
American Association of Retired Persons (AARP)
American Civil Liberties Union
Consumer Action
Consumer Federation of California
Consumers Union
Crime Victims United of California
Gray Panthers of California
Privacy Rights Clearinghouse
Secretary of State Debra Bowen
Opposition:
California Land Title Association
Civil Justice Association of California (to pre-amended version
only)
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334