As data breaches become more common and widespread, it is as important as ever to protect our personal information. Employers also possess substantial personal information of their employees given the amount of information that can be found on an I-9, so it is important to take certain precautions in order to protect employees.

As a best practice, to reduce exposure, employers should:

  • Store I-9s in a secure location, where access is limited and is locked (or password protected if stored electronically) when not in use;
  • Store I-9s separately from the employee’s personnel file to limit access and assist in adherence to retention guidelines; and
  • Purge and properly destroy I-9s that have passed the retention period (3 years from the date of hire or 1 year from the date of termination, whichever is later).

For electronic I-9 storage, USCIS advises that employers implement an effective records program that:

  • Ensures that only authorized personnel have access to electronic records;
  • Provides for backup and recovery of records to protect against information loss;
  • Ensures that employees are trained to minimize the risk of unauthorized or accidental alteration or erasure of electronic records; and
  • Ensures that whenever an individual creates, completes, updates, modifies, alters, or corrects an electronic record, the system creates a secure and permanent record that establishes the date of access, the identity of the individual who accessed the electronic record, and the particular action taken.

When transmitting I-9s electronically, employers and attorneys should take additional precautions. Given the possibility of misdirected email or a security intrusion, I-9s sent via email should be secured. At a minimum, the file should have password protection. Taking these simple steps will help protect employees’ personal information.   One of the services we offer clients are internal I-9 audits to review some of these measures as well as important compliance items.