To determine whether the Department of Labor (Department) has taken appropriate steps to oversee and manage the Unemployment Insurance system and to comply with selected portions of the New York State Information Security Policy and Standards. The audit covered the period from January 2020 to March 2022.
About the Program
The Department’s mission is to protect workers, assist the unemployed, and connect jobless workers to jobs. One of its key tasks in assisting the unemployed is administering the State’s Unemployment Insurance (UI) program. The UI program is a joint federal–State initiative that provides benefits to eligible workers who become unemployed through no fault of their own (as determined under State law) and meet other eligibility requirements of State law. In March 2020, Executive Order 202.8 – New York State on PAUSE – directed the temporary closure of all non-essential businesses statewide to mitigate the spread of COVID-19. In addition, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), also enacted in March 2020, created temporary programs that allowed for enhanced UI benefits for those affected by COVID-19. The COVID-19 pandemic and the addition of temporary benefit programs, like Pandemic Unemployment Assistance (PUA) which had less stringent requirements than traditional UI, contributed to a dramatic increase in UI claims. Collectively, these factors not only increased the demand for as well as the amount of UI benefits but also increased the risk of improper payments and fraud, largely the result of identity theft.
Further, even without considering claims from the temporary federal programs, according to information derived from the federal Benefit Accuracy Measurement (BAM) program and reported on the U.S. Department of Labor (USDOL) website, for the period April 1, 2021 to March 31, 2022, the estimated fraud rate in New York’s UI program increased to 17.59% – up from 4.51% just 2 years earlier.1 Prior to and during the pandemic, the Department performed matches of applicant information against databases from agencies such as the Social Security Administration and the Department of Motor Vehicles to assist in verifying applicants’ identity and eligibility and identify potentially fraudulent claims. Department officials also added new protocols to assist with identifying fraudulent claims, particularly those attributed to identity theft. In February 2021, the Department began using ID.me, Inc. (ID.me) to provide identity verification services.
In addition to managing UI benefits and record claim volumes during the pandemic, Department officials were still responsible for maintaining the UI system in accordance with appropriate standards, including those issued by the Office of Information Technology Services (ITS). As the owner of UI system data, the Department is responsible for classifying the data in its systems, determining the commensurate controls, and ensuring the controls are in place as needed. ITS maintains the Department’s systems and is responsible for implementing those controls.
From April 1, 2020 through March 31, 2021, the Office of the State Comptroller authorized more than 218.2 million UI payments totaling over $76.3 billion – an increase of nearly 3,140% over the amount of payments authorized in the prior fiscal year.
- Overall, we found deficiencies with the Department’s oversight and management of its UI system that ultimately compromised its ability to effectively mitigate risks related to the processing of claims – fraudulent claims in particular – and system and data security.
- During the pandemic, faced with the high demand for UI benefits and the need to process claims quickly, the Department resorted to stop-gap measures to compensate for system limitations, which ultimately proved to be costly to the State. We found its workarounds resulted in misclassification of claims as State instead of federal liabilities, overpayment of claims, and supplemental spending to maintain the outdated UI system infrastructure while the new system was in development.
- Department officials were unable to provide us with granular data or analyses to support their management of and response to fraudulent claims on the UI system, including:
- Support for $36 billion in fraudulent claims reported by the Department as prevented;
- The number of claims that were actually paid to fraudulent claimants before being detected;
- The length of time from when claims were filed to when they were identified as fraudulent (to determine the number of weeks that payments were made); and
- How the claims were originally identified as fraudulent (e.g., whether through departmental procedures or based on complaints from individuals whose identities were used by impostors to file false claims).
- Department officials could not provide supporting information for or otherwise explain why the estimated fraud rate derived from the federal BAM program for the Department’s traditional UI increased more than threefold during State fiscal year 2020-21, nor could they provide information on certain performance measures related to the implementation of the ID.me identity verification service.
- The Department did not take some fundamental, critical steps established in the Security Policy and the Classification, Encryption, Authentication, and Logging Standards to secure its UI system and data. As a result, the Department has minimal assurance that its substantial information assets are protected against loss or theft.
- The Department’s slow response to certain requests – in some cases up to 6 months after the fact – delayed our findings and recommendations and, in turn, the Department’s ability to promptly address serious problems.
- Continue the development of the replacement UI system and ensure its timely implementation.
- Take steps, including collecting and analyzing data related to the identity verification process, to ensure the correct balance between fraudulent identity detection and a streamlined process for those in need of UI benefits.
- Follow up on the questionable claims identified by our audit to ensure adjustments have been made so they are paid from the proper funding source and overpayments are recovered, as warranted.
- Ensure the current and new UI system and data comply with provisions of the Security Policy, the Classification, Authentication, Encryption, and Logging Standards, as well as the Change Management Process and Policy.
- Improve the timeliness of cooperation with State oversight inquiries to ensure transparent and accountable agency operations.