
Gunster's immigration law practice

Forms I-9 used in the employment eligibility verification process contain employees’ personal data.

As noted in guidance recently provided by the American Immigration Lawyers Association to its members, Form I-9s should be properly safeguarded, as information on the Form I-9 could be determined to be Personally Identifiable Information (PII) under federal or state privacy provisions, or both.

Since Form I-9s are required to be retained by employers for certain periods of time in accordance with USCIS regulations, best practices include:

  • storing such Form I-9s in locations where access is limited or locked,
  • storing Form I-9s separately from the employee’s personnel file, and
  • purging and properly destroying Form I-9s that have passed the USCIS mandated retention period and that are not required to be retained by any other law.

Electronically stored Form I-9s should be password protected and kept within a records program that:

  • ensures only authorized personnel have access,
  • provides for backup and recovery of records to protect against information loss,
  • ensures that employees are trained to minimize the risk of unauthorized or accidental alteration or erasure, and
  • ensures that whenever an individual creates, completes, updates, modifies, alters, or corrects an electronic record, the system creates a secure and permanent record that reflects the date of access, the identity of the individual who accessed the electronic record, and the particular action taken with regard to the record.

Given the possibility of misdirected email or a security intrusion, Form I-9s sent via email should have password protection and should be sent via encrypted email.

If a Form I-9 has been completed but is now lost or misplaced, a data privacy expert should be consulted to identify the steps that an employer must take with regard to any data breach disclosure requirements.

To best protect company and employee information, employers should have a policy in place that defines PII for the company and provides guidance on how such information must be secured. Lost or misplaced Form I-9s should be included in any incident response plans the company has for possible data security breaches.

USCIS addresses email scams regarding Form I-9

U.S. Citizenship and Immigration Services (USCIS) has learned that employers have received scam emails requesting Form I-9 information that appear to come from USCIS.

Employers are not required to submit Forms I-9 to USCIS.

Employers must have a Form I-9, Employment Eligibility Verification, for every person on their payroll who is required to complete Form I-9.

All of these forms must be retained for a certain period of time.

These scam emails come from a fraudulent email address: news@uscis.gov. This is not a USCIS email address.

The body of the email may contain USCIS and Office of the Inspector General labels, your address and a fraudulent download button that links to a non-government web address (uscis-online.org). Do not respond to these emails or click the links in them.

If you believe that you received a scam email requesting Form I-9 information from USCIS, report it to the Federal Trade Commission.

If you are not sure if it is a scam, forward the suspicious email to the USCIS webmaster at USCIS.Webmaster@uscis.dhs.gov. USCIS will review the emails received and share with law enforcement agencies as appropriate.

Please visit this USCIS webpage to read its notice regarding Form I-9 scams.
