In the course of ordinary business, employers often come into possession of personal and very confidential information pertaining to its employees, including Social Security numbers, dates of birth, bank account information, and even health information developed through a wellness program, requests for leave or disability benefits. This information may come from background investigations or from forms the employee is required to complete upon hire. Other information might be contained on requests for leave, disability applications, lien notices, medical information and a variety of other sources.
Businesses are under an obligation to safeguard all such sensitive information and could face liability in the event such information was stolen if adequate safeguards had not been implemented. Recently, there has been a trend toward targeting W-2 and I-9 forms. In fact, this kind of activity prompted the USCIS to recently issue the following notice warning of scam emails requesting I-9 information:
USCIS has learned that employers have received scam emails requesting Form I-9 information that appear to come from USCIS. Employers are not required to submit Forms I-9 to USCIS. Employers must have a Form I-9, Employment Eligibility Verification, for every person on their payroll who is required to complete Form I-9. All of these forms must be retained for a certain period of time. Visit I-9 Central to learn more about retention, storage and inspections for Form I-9.
These scam emails come from a fraudulent email address: firstname.lastname@example.org. This is not a USCIS email address. The body of the email may contain USCIS and Office of the Inspector General labels, your address and a fraudulent download button that links to a non-government web address (uscis-online.org). Do not respond to these emails or click the links in them.
If you believe that you received a scam email requesting Form I-9 information from USCIS, report it to the Federal Trade Commission. If you are not sure if it is a scam, forward the suspicious email to the USCIS webmaster. USCIS will review the emails received and share with law enforcement agencies as appropriate.
Although it would not be possible to eliminate all risk of a breach of sensitive data, employers must take reasonable steps to prevent as much risk as possible. This may include protocols in place for responding to any request from an outside entity for private employee information, notification to the employee of any such request before information is provided, definitive steps to maintain confidentiality of all computer and written material including limitations on access to such material, and other similar efforts. In addition, any disposal of employee information must be done in a way that ensures confidentiality. Rather than simply throwing away or recycling paperwork that contains any confidential information, employers should shred the material or engage a shredding business or similar entity that maintains confidentiality of that information. Employers may also want to be familiar with the Guide for Businesses produced by the Federal Trade Commission entitled Protecting Personal Information, which can be found on its website at business.ftc.gov.