
Personnel Privacy, New I-9 Forms, Removal of SSN Requirements and IT Involvement

Early this year I did a data flow analysis for I-9 compliance, and I blogged a few months ago about I-9 related issues in "New Tennessee Law Prohibits Using Federal Individual Taxpayer ID as Proof of Immigration Status."

I-9 compliance issues impact many areas of an organization. However, within most organizations many areas, such as IT and information security, are not aware of the I-9 compliance issues and unknowingly put the company at risk of noncompliance. Compliance with any law or regulation that involves personally identifiable information (PII) usually requires the involvement of the legal, IT and information security areas.

On November 7 the Homeland Security Department's U.S. Citizenship and Immigration Services (USCIS) released a revised I-9 form (formally called the "Employment Eligibility Verification Form"). This revision makes significant changes to the kinds of documents a new employee must provide to a potential employer to prove his or her identity and employment eligibility.

Unlike the previous version of the I-9 form, this new version is in compliance with the 1997 regulation implementing the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (starting on page 547).

The revised I-9 removed five (5) formerly acceptable document types from the list of acceptable proof of identity and employment eligibility, to eliminate opportunities for counterfeiting and fraud.

A new document was added to the list of acceptable forms of proof of identity and employment eligibility.

The acceptable documents now include:

* The most recent version of the Employment Authorization Document (Form I-766)

* A U.S. passport

* A Permanent Resident Card (Form I-551)

* An unexpired foreign passport with a temporary I-551 stamp

* An unexpired Employment Authorization Document that contains a photograph (Form I-766, I-688, I-688A, or I-688B)

* An unexpired foreign passport with an unexpired Arrival-Departure Record (Form I-94) for nonimmigrant aliens authorized to work for a specific employer

The I-9 processing procedures were also updated, not only to reflect these new lists of documents but also to strengthen the controls against tampering, fraud and counterfeits.

And this should be of interest to those of you tracking the use of social security numbers (SSNs): employees are no longer obligated to provide their Social Security number in Section 1 of the form unless the employer participates in E-Verify, DHS's electronic employment eligibility verification system.


So how do these changes impact IT?

Here are just a few possible ways:

* There will likely need to be changes made in the applications used to process and track I-9 forms and associated information. For instance, checks to ensure only documents on the new list are accepted: removing the 5 documents that are no longer acceptable and adding the new document.

* A new check may be needed so that the SSN is no longer required in Section 1, together with validation of whether the employer participates in E-Verify.

* There may need to be changes made within the databases used for storing I-9 forms and information. A new form being accepted often results in the need to restructure databases.
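As an added illustration (not code from the original post), here is how such an application check might be expressed. The document list and the E-Verify rule are taken from the post; the document codes, record layout and function names are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed document codes mapped to the acceptable documents listed in
# this post for the revised I-9. Extend this table if your organization's
# full list of acceptable documents is longer; anything not listed here
# (including the five removed types) is rejected.
ACCEPTABLE = {
    "I-766": "Employment Authorization Document (most recent version)",
    "US_PASSPORT": "U.S. passport",
    "I-551": "Permanent Resident Card",
    "FOREIGN_PASSPORT_I-551_STAMP": "Foreign passport with temporary I-551 stamp",
    "EAD_WITH_PHOTO": "Employment Authorization Document with photograph",
    "FOREIGN_PASSPORT_I-94": "Foreign passport with Arrival-Departure Record",
}
# Documents the post explicitly describes as "unexpired": check the expiry date.
MUST_BE_UNEXPIRED = {"FOREIGN_PASSPORT_I-551_STAMP", "EAD_WITH_PHOTO", "FOREIGN_PASSPORT_I-94"}


@dataclass
class I9Record:
    document_code: str
    document_expires: Optional[date]   # None when the document carries no expiry date
    ssn: Optional[str]                 # Section 1 SSN; None when not supplied
    employer_uses_everify: bool


def validate_i9(rec: I9Record, today: date) -> List[str]:
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    if rec.document_code not in ACCEPTABLE:
        findings.append(f"document {rec.document_code!r} is not on the revised I-9 list")
    elif rec.document_code in MUST_BE_UNEXPIRED:
        if rec.document_expires is None:
            findings.append("expiry date is required for this document type")
        elif rec.document_expires < today:
            findings.append(f"document expired on {rec.document_expires.isoformat()}")
    # The SSN is mandatory in Section 1 only when the employer participates in
    # E-Verify; otherwise the field must be optional and collecting it is flagged
    # for review (SSNs should be used only where lawfully required).
    if rec.employer_uses_everify and not rec.ssn:
        findings.append("SSN required in Section 1: employer participates in E-Verify")
    elif not rec.employer_uses_everify and rec.ssn:
        findings.append("warning: SSN collected although employer does not use E-Verify")
    return findings
```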


So, how do these changes impact information security and privacy practitioners?

Here are just a few possible ways:

* Controls need to be in place to ensure only those with a business responsibility can access the information contained on the I-9 forms.

* Retention standards need to be reviewed to ensure they are in compliance with the most up-to-date requirements.

* They need to be able to answer questions from employees and job candidates about the security and privacy of PII.

* They need to ensure SSNs are being used only as lawfully allowed throughout the organization.


See the revised I-9 here.

See a fact sheet on the new form here.

See the revised handbook here.


Comments

Rebecca,
Great post! This is the kind of information that needs to be made available to everyone. If you don't mind please either repost this or link to it in the SCC. I'm gonna link to it in a blog post myself.

Andy, thanks for your note; I appreciate it! I found your related blog posting very interesting, http://andyitguy.blogspot.com/2007/11/compliance-and-audits.html. Wow...your 95% and 99% numbers are amazing! Yes, you definitely had a wide range of compliance issues to contend with.

How will we identify a subcontractor who is licensed to work as a subcontractor but does not have a green card and has only used the TIN number to get his subcontractor license and is employed as such?


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.