Wednesday, April 30, 2014

Strategic Planning - The only approach to Achieving I-9 Audit Compliance

According to the Department of Homeland Security’s (DHS) webpage, over 500,000 companies participated in the E-Verify program during 2013.  These 500,000 companies performed more than 25 million E-Verifications on new employees.  Furthermore, the U.S. Immigration and Customs Enforcement (ICE) reported that their ranks have grown to 20,000 auditors housed in 400 offices around the United States and in territories of the U.S.

Audits and fines associated with audits continue to rise:



Federal and State regulations continue to change, causing I-9 compliance to increase in complexity. As an example, some of the recent state regulatory changes are included in the table below:

Examples of regulatory change

| State | Date | Requirement |
|---|---|---|
| Alabama | April 2012 | All Alabama employers are required to use E-Verify. |
| Arizona | December 31, 2007 | All Arizona employers are required to use E-Verify. In addition, government contracts can only be issued to businesses using E-Verify. |
| Colorado | 2008 | Requires contractors who enter into or renew public contracts for services with a state agency or political subdivision to participate in either E-Verify or the Colorado Department of Labor and Employment Program. |
| Florida | Jan. 2011 | Requirement for state contractors to use E-Verify applies to “all contracts for the provision of goods and services to the state in excess of nominal value.” |
| Georgia | 2011 | Private employers in Georgia with 11 or more employees must E-Verify newly hired full-time employees. |
| North Carolina | July 1, 2013 | Employers with 25 or more employees are required to use E-Verify to check each new employee's work authorization. |
| Tennessee | Jan. 1, 2013 | Employers with 6 or more employees must either use E-Verify or retain documents defined in the Tennessee Lawful Employment Act. |
| Pennsylvania | Jan. 1, 2013 | Public works contractors & subcontractors must enroll in the E-Verify program and perform E-Verifications. |

Employers are responsible for monitoring changes to Federal and State regulations and assuring that their company is compliant with all new and modified mandates. The reason an I-9 audit is initiated is not always clear. The drivers for the audits seem to fall into the following categories:

•    A former employee files a complaint with ICE.
•    A current, disgruntled employee files a complaint with ICE.
•    An anonymous party files a complaint with ICE.

The fact is that the number of I-9 audits is increasing annually. As such, business enterprises need to be mindful of this increase and work diligently to be prepared.


Audit Initiation Process:


To Avoid Being Caught “Off Guard”
Best practices include:

Be Prepared: Do not wait until the Notice of Inspection (NOI) arrives. Rather, immediately prepare your organization assuming that an NOI will arrive shortly. Select a single point of contact within your company so that one person is responsible for ensuring that the entire company is in "a state of readiness" when an NOI is delivered to your company.

Centralized Storage of Documents: Without centralized storage of documents, it takes longer to gather the requested information and to prepare a consolidated list of materials provided for the ICE Auditors. Typically the employer is allowed only 3 business days to provide the requested records. Decentralized approaches make compliance difficult.

Electronic Storage of I-9 Documents: Centralized, electronic storage of I-9 documents supports the company’s requirement to respond to the NOI or subpoena quickly and demonstrates a sense of preparedness to the ICE Auditor.   Furthermore, electronic storage allows a company the opportunity to store the I-9 data in an encrypted format assuring that data privacy and data security issues are addressed while also limiting access to a worker’s most personal data.

Written Procedures that Clearly Define “Roles and Responsibilities”:
Well documented, written procedures related to gathering, storing, monitoring, maintaining, and ultimately disposing of I-9 documents in a safe and secure manner assure the company and the ICE Auditors that necessary and sufficient steps have been established to assure compliance and to effectively govern “change management” when regulatory (state or federal) mandates cause change to the I-9 and E-Verification process.

Perform Internal Audits: Schedule and conduct regular internal audits to test readiness for an actual audit by ICE. Note inconsistencies, remedy data collection and data recording problems, re-evaluate training materials, and retrain workers involved in the I-9 and E-Verify process.

Assure that Documents for Former Employees are Retained, but also assure that Documents are Properly Destroyed when the Retention Date is Reached:
Employers are required to retain the I-9 form on each worker for a minimum of 3 years from the worker’s start date, but also must assure retention for 1 year after the worker’s end date. Employers are increasingly aware of their obligation to coordinate their I-9 retention policy with changes to state regulations on retaining a former employee’s personal private information in accordance with state and federal regulations.

Potentially Select an E-Verify Agent: If it suits your company's culture, select an E-Verify agent that possesses subject matter expertise in the I-9 and E-Verify arena.  A qualified E-Verify agent will bring written procedures, software tools and audit experience to your company such that you can achieve audit preparedness very quickly and have the assurance that your company is in a "state of readiness" for an audit of any nature.

Monday, April 21, 2014

Burden of Proof with Relevancy to I-9 Violations

In law, there is something called the burden of proof, or the onus probandi, if one speaks Latin.  Simply put, it is an obligation on the person making the claim to provide sufficient evidence to overcome or shift the default position to the position of the claim.   The most familiar example of the burden of proof comes from the criminal trial.  There, the prosecutor is claiming that the defendant is guilty and must present enough evidence to overcome the default presumption of innocence, or in other words, provide enough proof beyond reasonable doubt.  The opposite of the burden of proof is the benefit of assumption – it is assumed that the claim needs no supporting evidence.   Using the criminal trial example again, the defendant is free to sit back and do nothing because they have the default assumption of innocence.

In the realm of immigration and employment law, each completed Employment and Eligibility Verification Form I-9 (Form I-9) becomes a claim by the employer that they have performed their legal duty and ascertained that all hires are legal workers.  Therefore, when U.S. Immigration and Customs Enforcement (ICE) sends out Notices of Inspections (NOIs), it is demanding that those employers assemble enough evidence to prove that they are not in violation of immigration hiring policies.  With an estimated 20,000 employees in 400 offices in the U.S. and around the world, ICE’s audits are part of a $138 million worksite enforcement effort that seeks to level the playing field for companies by punishing infractions with hefty fines and possible prison sentences for key managers.   The fines are listed on ICE’s website:

  • $375 to $16,000 per violation for knowing hire and continuing to employ violations
  • $110 to $1,100 per violation for substantive violations, which includes failing to produce a Form I-9

The fines add up – Infosys recently agreed to pay $34 million in a civil settlement for visa fraud and systemic I-9 violations.

The problem with complying with the Immigration and Nationality Act (INA) is that employers are essentially asked to make a subjective judgment on whether they believe that the documents presented and the information listed are legitimate. When the audit occurs, the government makes yet another subjective judgment on whether it believes that the employer knowingly erred on the form or whether the error occurred from negligence. That’s a lot of subjective judgment that the employer has to overcome or face ponying up fees.

There’s good news.   If a party fulfills the burden of proof effectively, they now have the benefit of assumption, and pass the burden of proof off to the other party.  For example, in the criminal trial, the prosecution presents their case first and when they rest, it is with the belief that they have proved their case beyond a reasonable doubt.  They have now shifted the burden of proof to the defendant to introduce that doubt.  For I-9s, the government has provided a tool to help employers overcome their burden of proof from the beginning, before the NOI and the audit: E-Verify is an internet-based program to help employers verify work authorizations.  Currently, a total of twenty-one states require the use of E-Verify for at least some public and/or private employers, with eight states requiring E-Verify for all employers.

Source: National Immigration Law Center


It is important to note, however, that E-Verify only provides a presumption of good faith for employers who use it – E-Verify does not eliminate the time-consuming and costly work of catching and correcting mistakes that can occur during the I-9 process. Here’s a list compiled by the United States Citizenship and Immigration Services (USCIS) of common mistakes: there are eight for employees and an alarming eleven for employers. Each of these common mistakes is a chance for a fine on every I-9 filled, and the complications carry over to each piece of data entered into E-Verify, which often results in delays and uncertainty. Employers need to eliminate these common mistakes with a system that minimizes repeat data entry, streamlines the I-9 and E-Verify process, and stores all information in a convenient location that is readily accessible in the event of an ICE audit.

Remember that the goal for the employer is to shift the heavy burden of proof to the government.  By utilizing E-Verify with a streamlined data entry and storage system, the employer can, like the defendant in a criminal trial, force the government to work hard while they sit back and rest easy knowing that they have already completed their legal duty long before receiving the NOI. 





Tuesday, April 15, 2014

Keeping Data Safe: All the Different Ways to Lose Personal Information

Many people tend to associate personal information protection and security with electronic data stored somewhere on the Internet.  The common belief is that hackers are responsible for a majority of the breaches associated with data loss and that by avoiding use of these systems it is somehow possible to avoid losing personal data. In truth, while these events tend to get the most media attention, they certainly are not the only scenarios leading to the loss of sensitive personal information.

The Privacy Rights Clearinghouse, a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers, collects reported personal data breach incidents and sorts each breach into one of several categories:

  • Physical loss (PHYS) - Lost, discarded or stolen non-electronic records, such as paper documents
  • Unintended disclosure (DISC) - Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail.
  • Portable device (PORT) - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
  • Stationary device (STAT) - Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility. 
  • Insider (INSD) - Someone with legitimate access intentionally breaches information - such as an employee or contractor.
  • Hacking or malware (HACK) - Electronic entry by an outside party, malware and spyware.

Aggregating this data year-over-year, you can examine the relative impact of these events and an upward trend in the number of reported incidents.  The chart below graphs this data according to the above categories:



It's difficult to conclude that more data breaches are occurring today than in 2005 because there was less emphasis on reporting an incident 10 years ago. Additionally, one should not immediately conclude that the disproportionate increase in electronic hacking breaches indicates that personal data stored electronically is somehow less safe than maintaining it on paper. More importantly, this data illustrates that personal data can be lost or stolen in many ways and a company's data protection policy must address all possible scenarios to ensure data remains secure.

There are generally two ways to record personal data: paper or electronic. However, I tend to break electronic into two categories: local and remote. Local data is anything stored on a laptop, flash drive, smartphone, etc., which generally has limited controls on access and physical location. Remote data is stored on a server specifically engineered to sit in a physically secure location, monitor access, and provide counter-measures against unauthorized access.

Using specific breaches from the Privacy Rights Clearinghouse, here are three examples to illustrate these main categories:


Paper Records

A packet of invoices was sent via the United States Postal Service. The package was damaged when it arrived at the USPS facility and some of the invoice pages were missing. The information in these missing pages included names, dates of birth, the last 4 digits of individuals' Social Security numbers and the type of lab tests conducted.


Local Data

Flash drives containing patient names, dates of birth, information regarding individual diagnosis, individual treatment and insurance information were stolen from an employee's vehicle. The computer was encrypted but the flash drives were not.


Server Data

The company discovered that a server was infected by malicious software that caused a breakdown in the server's security barriers, allowing the hackers to obtain personal information. The information included names, dates of birth, ages, genders, addresses, race/ethnicities, medical record numbers and lab results, all associated with research provided by individuals as part of research studies.

Looking at these incidents, one should hopefully see that any means of recording, storing, and transmitting personal data is capable of being breached. Each mechanism has its own vectors of attack that thieves can use to acquire the data. What companies must do is employ measures to reduce the number of potential attack points to mitigate their risk of data breaches.

One of the reasons the number of reported hacking incidents is higher is that IT security professionals are deploying better monitoring technology to detect and report possible breaches. While prevention is clearly a goal, there will always be vulnerabilities. The point is to limit your susceptibility to data breaches and have mechanisms in place to detect and report a breach when one does occur.

Data policies that limit the use of paper and local storage mechanisms for sensitive data can significantly reduce a company's exposure to the potential of undetected data loss.  Those two means of maintaining data have limited capabilities for monitoring a breach event.  They also tend to require less talent and knowledge to actually acquire the data.  On the other hand, well designed server-based data storage is specifically configured to employ safeguards against unauthorized access.  Additionally, by keeping all this data in one known, secure location, one can reduce the effort required to monitor and protect the data.  

A computer can be programmed to be infinitely vigilant. It will perform the same task over and over again without wavering forever. On the other hand, a human being becomes easily complacent and distracted. It's in those moments that a mistake is made and security is potentially compromised. Constructing data protection policies that reduce the dependency on humans and increase the automation available in computer technology to ensure security will ultimately result in better control and protection of our sensitive personal information.