BILL ANALYSIS
AB 1168
Page 1
Date of Hearing: April 17, 2007
ASSEMBLY COMMITTEE ON HIGHER EDUCATION
Anthony Portantino, Chair
AB 1168 (Jones) - As Amended: April 17, 2007
SUBJECT : Social security numbers
SUMMARY : Requires specified public agencies, including
colleges and universities, to truncate Social Security numbers
(SSNs) in any records that might be displayed to the public.
Specifically, this bill :
1)Requires all colleges and universities located in California
to truncate SSNs in their electronic records at both the
campus and systemwide levels, so that no more than the last
four digits of any SSN are displayed.
a) Applies to the University of California (UC) and its
campuses only to the extent that its provisions are adopted
by the UC Board of Regents.
b) Authorizes the Attorney General, or any injured person,
to bring a civil action to enforce this provision.
2)Prohibits a local agency from disclosing to the public any
record that is required to be open to the public by any
provision of law if the record displays more than the last
four digits of any SSN and makes conforming changes to the
Commercial Code relative to the filing of financial statements
under the Uniform Commercial Code and the forms required for
such filings.
3)Requires, unless prohibited by federal law, the Franchise Tax
Board (FTB) to redact the first five digits of any SSN on lien
abstracts or any other public records created by FTB.
EXISTING LAW prohibits any person or entity from publicly
posting or displaying in any manner an individual's SSN,
printing an individual's SSN on any card required to access
products or services, requiring an individual to transmit his or
her SSN over the Internet, requiring an individual to use his or
her SSN to access an Internet Web site or printing an
individual's SSN on any materials that are mailed to the
individual, excepting documents that are recorded or required to
be open to the public pursuant to the California Public Records
Act.
FISCAL EFFECT : Unknown
COMMENTS : Background : Identity theft occurs whenever someone
uses the personal identifying information of another person for
an unlawful purpose, including obtaining or attempting to obtain
credit, goods, services or medical information in the name of
the other person without that person's consent. According to
the Federal Trade Commission (FTC), identity theft has
consistently topped the list of consumer fraud complaints for at
least the last six years. The 255,000 complaints of identity
theft filed with the FTC in 2005 constituted 37% of all
complaints, far surpassing any other single complaint. The most
common form of identity theft is opening a line of credit in the
victim's name. For the identity thief, the SSN is the
single most useful tool.
Use of SSNs in higher education : Existing state privacy law
prohibits the public display of SSNs, including printing SSNs on
any identification (ID) card needed to access goods or services.
The law was written to allow UC, CSU and CCC a delayed
implementation; as of January 1, 2007, all three systems must be
in compliance. The law has been credited with ending the
practice of printing SSNs on student ID cards at colleges and
universities across the state.
However, the law explicitly does not prevent or dictate terms
for "the collection, use, or release of a SSN as required by
state or federal law or the use of a SSN for internal
verification or administrative purposes."
For a variety of reasons, institutions of higher education
collect and maintain a great deal of personal information on
students and employees. For example, colleges and universities
must maintain student records for several years in order to
respond to requests for grade transcripts. A SSN helps to
ensure that transcripts are in fact those of the requesting
student, since many students may have common names. In
addition, federal student aid programs use SSNs as the sole
student identifier, requiring colleges and universities to use
SSNs in order to participate in these programs. However, this
vast amount of personal information - whether it is maintained in
on-campus computer databases or code-accessible websites - is
subject to "hacking" or can otherwise fall into the hands of
unauthorized persons.
Recent examples of data breaches at California colleges and
universities : UC has recently been the victim of two large data
breaches that exposed the SSNs of students, faculty, employees
and, in some cases, even applicants - 800,000 affected individuals
in a University of California, Los Angeles case in December and
46,000 affected individuals in a UC San Francisco (UCSF) case
this month. UC is not alone: A list of security breaches
maintained and frequently updated by the Privacy Rights
Clearinghouse contains a disproportionate number of colleges and
universities, including the following:
1)April 6, 2005, at UCSF: A server in the accounting and
personnel departments that contained information on 7,000
students, faculty and staff members was hacked;
2)August 17, 2005, at CSU Stanislaus: Hacking exposed 900
records;
3)August 30, 2005, at CSU Chancellor's Office: Hacking exposed
154 records;
4)July 14, 2006, at Cal Poly San Luis Obispo: A laptop computer
that included the names and SSNs of physics and astronomy
students from 1994-2004 was stolen from the home of a physics
department professor on July 3;
5)November 28, 2006, at CSU Los Angeles Charter School of
Education: An employee's USB drive was inside a purse stolen
from a car trunk. It contained personal information on 48
faculty members and more than 2,500 students and applicants of
a teacher credentialing program, including names, SSNs, campus
ID numbers, phone numbers and e-mail addresses;
6)February 15, 2007, at City College of San Francisco (CCSF):
Names, grades and SSNs were posted on an unprotected Web site
after summer session in 1999. CCSF stopped using SSNs as
student ID cards in 2002, affecting 11,000 records; and,
7)March 7, 2007, at Los Rios Community College: Student
information including SSNs was accessible on the Internet
after the school used actual data to test a new online
application process in October, affecting 2,000 records.
Need for the bill : According to the author, the state's policy
should be to minimize both the collection and storage of this
information at colleges and universities, given the odds of it
being released to unauthorized viewers, by prohibiting the use
of all but the last four digits of the SSN and by requiring
colleges and universities to discard records and applications
after a reasonable period of time if those records contain SSNs
along with other pieces of personally identifiable information.
Related legislation : AB 381 (Galgiani), pending in the Assembly,
would allow a hospital-based physician to submit to the state
Medi-Cal program a reimbursement claim or an eligibility
verification request containing a patient's SSN. AB 703
(Ruskin), pending in the Assembly, would prohibit a person or
entity from using a SSN as an identifier, except as required by
federal or state law, would require that records containing SSNs
be discarded or destroyed in a specified manner and would
require the encryption or locked storage of records containing
SSNs. SB 216 (Cox), pending in the Senate, would delete the
requirement that abstracts of judgment requiring the payment of
money or ordering a party to pay spousal, child or family
support contain the SSN and would instead require that they
contain only the last four digits of the SSN. SB 644 (Correa),
pending in the Senate, would remove the requirement that
abstracts of judgment contain the SSN of the judgment debtor,
instead requiring only the last four digits of the number and
would provide that tax lien abstracts filed as public
records must contain only the last four digits of the SSN.
SB 741 (Ackerman), pending in the Senate, would encourage a
school district or a school that has the ability to omit the SSN
and birth date of a pupil from materials sent by the school
district or school of attendance of a pupil to the residence of
the pupil to do so. SB 904 (Battin), pending in the Senate,
would require a county recorder upon request by a veteran to
redact the address, date of birth and SSN from military
discharge records and certificates or statements of military
service.
REGISTERED SUPPORT / OPPOSITION :
Support
None on file.
Opposition
None on file.
Analysis Prepared by : Sandra Fried / HIGHER ED. / (916)
319-3960