Protecting Personal Data on I-9 Forms

If you’ve ever had to fight a charge on your credit card you didn’t make, or have been the victim of identity theft, you’ll know firsthand how traumatic and stressful repairing your account can be. It sometimes feels like you’ve been presumed guilty until you prove yourself innocent! In the workplace, the amount of information we must provide on I-9 Forms leaves us equally vulnerable should the data ever get into the wrong hands. Because employers are required to complete I-9 Forms for every employee, the method by which employers safeguard that information is very critical. While most employers conscientiously secure their I-9 Forms, there are still certain (questionable) methods that will leave you scratching your head. I’ve listed five of these not-so-novel methods below:

1. THE DESK METHOD

Desks come in all shapes and sizes, but one thing remains a constant: finding stacks of paper on them. I-9 Forms left unattended on a desk, available for anyone to see (or take) poses very real risks for the employer and employee. The I-9 Forms may become misplaced, discarded, lost, and putting employers at risk for not having an I-9 record on file for employees. Privacy issues can also arise when the I-9 Forms are viewed by other employees (or individuals) who are not authorized to view it.

2. THE TRASH BIN METHOD

Discarded I-9 Forms, intact and placed in trash bins potentially exposes the data found on the I-9 Forms to a host of unknown individuals.

3. THE FILING CABINET OR BOOKSHELF METHOD

While probably the safest of all the methods indicated so far, an unlocked filing cabinet or bookshelf renders I-9 Forms available to anyone with access.

4. THE OUTSOURCED VENDOR METHOD

Outsourced vendors managing your I-9 Forms can be highly beneficial and cost-effective but the hidden danger may be that those vendors also outsource their work (without you knowing). For example, vendors may contract with employers to migrate the data from prior paper I-9 Forms to an electronic format. The actual person(s) performing the data entry, however, may not be employed by the original vendor at all, but by another, outsourced third vendor who may not have conducted background checks on its employees, nor put into place special protocol for physically handling and safeguarding I-9 documents. Your employees (and your) I-9 Forms could very well have sat on a desk, somewhere, unattended for anyone with access to it.

5. THE EMAILING METHOD

Emailing I-9 Forms and employee lists or documents to vendors is another head-scratching method of security. If your organization is in the process of migrating paper I-9 Forms to an electronic format, or preparing an I-9 audit through an outside vendor (including attorneys), consider this. Established data security experts do not ask organizations to email documents. Instead, they provide safer alternatives to upload or send documents. The threat of unintended exposure to I-9 Forms (and other associated documents) is a very real threat in today’s business climate. You can read the story here and more on the data here. Other forms of liability include derivative shareholder actions against organizations as a result of security breaches, the cost of notifying employees of the breach, credit monitoring services, in addition to potential state laws regarding data security breaches.