Forms I-9s used in the employment eligibility verification process contain employees’ personal data.
As noted in guidance recently provided by the American Immigration Lawyers Association to its members, Form I-9s should be properly safeguarded as information on the Form I-9 could be determined to be Personally Identifiable Information (PII) under either federal or state privacy provisions or both.
Since Form I-9s are required to be retained by employers for certain periods of time in accordance with USCIS regulations, best practices include:
- storing such Form I-9s in locations where access is limited or locked,
- storing Form I-9s separately from the employee’s personnel file, and
- purging and properly destroying Form I-9s that have passed the USCIS mandated retention period and that are not required to be retained by any other law.
Electronically stored From I-9s should be password protected and within a records program that ensures only authorized personnel have access, provides for backup and recovery of records to protect against information loss, ensures that employees are trained to minimize the risk of unauthorized or accidental alteration or erasure and ensures that whenever an individual creates completes, updates, modifies, alters, or corrects an electronic record, the system creates a secure and permanent record that reflects the date of access, the identity of the individual who accessed the electronic record and the particular action taken with regard to the record.
Given the possibility of misdirected email or a security intrusion, Form I-9s sent via email should have password protection and should be sent via encrypted email.
If a Form I-9 has been completed but is now lost or misplaced, a data privacy expert should be consulted to identify the steps that an employer must take with regard to any data breach disclosure requirements.
To best protect company and employee information, employers should have a policy in place that defines PII for the company and provides guidance on how such information must be secured. Lost or misplaced Form I-9s should be included in any incident response plans the company has for possible data security breaches.
USCIS addresses email scams regarding Form I-9
U.S. Citizenship and Immigration Services (USCIS) has learned that employers have received scam emails requesting Form I-9 information that appear to come from USCIS.
Employers are not required to submit Forms I-9 to USCIS.
Employers must have a Form I-9, Employment Eligibility Verification, for every person on their payroll who is required to complete Form I-9.
All of these forms must be retained for a certain period of time.
These scam emails come from a fraudulent email address: news@uscis.gov. This is not a USCIS email address.
The body of the email may contain USCIS and Office of the Inspector General labels, your address and a fraudulent download button that links to a non-government web address (uscis-online.org). Do not respond to these emails or click the links in them.
If you believe that you received a scam email requesting Form I-9 information from USCIS, report it to the Federal Trade Commission.
If you are not sure if it is a scam, forward the suspicious email to the USCIS webmaster at USCIS.Webmaster@uscis.dhs.gov. USCIS will review the emails received and share with law enforcement agencies as appropriate.
Please visit this USCIS webpage to read its notice regarding Form I-9 scams.