11019.7. (a) A state agency shall not send any outgoing United States mail to an individual that contains personal information about that individual, including, but not limited to, the individual’s social security number, telephone number, driver’s license number, or credit card account number, unless that personal information is contained within sealed correspondence and cannot be viewed from the outside of that sealed correspondence.
(b) (1) Notwithstanding any other law, commencing on or before January 1, 2023, a state agency shall not send any outgoing United States mail to an individual that contains the individual’s social security number unless the number is truncated to its last four digits, except in the following circumstances:
(A) Federal law requires inclusion of the social security number.
(B) The documents are mailed to a current or prospective state employee.
(C) An individual erroneously mailed a document containing a social security number to a state agency, and the state agency is returning the original document by certified or registered United States mail.
(D) The Controller is returning documents to an individual previously submitted by the individual pursuant to Chapter 7 (commencing with Section 1500) of Title 10 of Part 3 of the Code of Civil Procedure.
(E) The document is sent in response to a valid request for access to personal information, pursuant to Section 1798.34 of the Civil Code.
(2) (A) On or before September 1, 2021, each state agency that mails an individual’s full or truncated part of a social security number to that individual, other than as permitted by paragraph (1), shall report to the Legislature regarding when and why it does so.
(B) A state agency that is unable to comply with the requirements of paragraph (1) of this subdivision shall submit an annual corrective action plan to the Legislature by December 15 of each year until it is in compliance with that paragraph. The annual corrective action plan shall include, at a minimum, all of the following:
(i) The steps the agency has taken to stop including full social security numbers on outgoing United States mail.
(ii) The number of documents sent as outgoing United States mail from which the agency has successfully removed full social security numbers and the approximate mailing volume corresponding with those documents.
(iii) The remaining steps that the agency plans to take to remove or replace full social security numbers it includes on documents sent as outgoing United States mail.
(iv) The number of documents and approximate mailing volume associated with those documents that the agency has yet to address.
(v) The expected date by which the agency will stop sending documents that contain full social security numbers as outgoing United States mail to individuals.
(C) A report required by subparagraph (A) of this paragraph or corrective action plan required by subparagraph (B) of this paragraph and communications made in connection with these documents that bear on what mailings do and do not contain an individual’s social security number, are confidential and shall not be disclosed to the public pursuant to any state law, including, but not limited to, the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1).
(3) (A) The requirement for submitting a report imposed under subparagraph (A) of paragraph (2) is inoperative on January 1, 2024, pursuant to Section 10231.5.
(B) A report to be submitted pursuant to subparagraph (A) or (B) of paragraph (2) shall be submitted in compliance with Section 9795.
(c) Upon appropriation by the Legislature, if the Employment Development Department fails to comply with paragraph (1) of subdivision (b) by January 1, 2023, the department shall provide access to and pay for identity theft monitoring for any individual who receives outgoing United States mail from the department that contains the individual’s social security number in violation of paragraph (1) of subdivision (b).
(d) “Outgoing United States mail” for the purposes of this section includes correspondence sent via a common carrier, including, but not limited to, a package express service and a courier service.
(e) Notwithstanding subdivision (a) of Section 11000, “state agency” includes the California State University.
(Amended by Stats. 2022, Ch. 28, Sec. 60. (SB 1380) Effective January 1, 2023.)