WA State CIO apparently OK with ID sent by email

Apparently the Washington State Chief Information Officer (Jim Weaver) does NOT have a problem with Employment Security Department inviting applicants to send identification via email. The State CIO office was asked twice why the State CIO would allow ESD to invite applicants to submit ID via email.

Here’s the image below that shows ESD was offering this method.

The State’s CIO office responded 2020-05-19 with this:

The state Employment Security Department is your best source of information regarding the state unemployment benefits system. It’s our understanding from ESD that fraud victims are submitting their information through a secure webform at


WaTech Communications

The response obviously does not address the evidence that ESD has communicated to applicants that sending ID via email is an option. Therefore, reasonable to assume the State CIO has no problem with ESD inviting applicants to send ID via email.

Interestingly, an ESD web page clearly states that a Social Security number should NOT be sent by email to ESD because “emails you send us may not be secure.” See the image below.

Then, through some miracle of increasing security consciousness, ESD updated the fraud page sometime after April 11, 2020 to say you should “never” send full SS# via email.

Nick Demerice, ESD spokesperson during the 2020-05-21 news conference with Suze LeVine, about 13:44 hours, said:

Some of the letters that went out did indicate that people should send sensitive information to an email address. That is old content before we were able to update the secure online reporting form. So we actually, we apologize for that and we are updating the language in those letters. We ask that folks go ahead and log into the secure system to be able to upload those documents and not send them via email.

Still no mention that sending “sensitive information” by email is a bad idea. Or that the “old” information contradicted what had been on the website for a long time.

Many businesses, for many, many years, have discouraged customers from sending credit card information by email. Recent example:

2020-05-19: “For your protection, we do not recommend e-mailing credit card information.”


PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted, or stored via end-user messaging technologies (like email). Here’s why: email leaves trails of unencrypted credit card numbers in inboxes, trashes, web browser caches, etc. As with any end-user technology, it’s extremely difficult to secure.

When a credit card number is misused, you can can call the issuing bank and have a new one issued and even with a new number. Try calling the Social Security Administration saying you want a new Socical Security number.

If the business community has clearly adopted a policy that sending credit card information by email is not a good idea, why would sending personal ID, including image of Social Security Card, be a good idea?

Here’s what a small smattering of others have thought about sending Social Security number by email:

Never send your Social Security number or any account information via email, even if you trust the recipient, because you become less secure as soon as you press send.

Why You Should Never Email a Social Security Number

Don’t ever email a Social Security number.

Don’t store electronic documents containing Social Security numbers on your computer, your smartphone or a cloud-storage drive.

1798.85. (a) Except as provided in this section, a person or entity may not do any of the following: Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.

WA State Law requiring WA agencies to disclose data breaches

Any agency that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.

Related Pages

Seattle Times Editorial Misses Important Details on Employment Security Department

Ticking along with ESD

WA State CIO apparently OK with ID sent by email

Enhancing Seattle Times ESD Article on Missed Red Flags

Washington State Sets Unemployment Benefit to $0 by making up job title