The Department of Homeland Security has never published guidance on electronic storage of the Form I-9, but has indicated that IRS standards for electronic storage would be considered adequate. In fact, the Immigration and Customs Enforcement (“ICE”) website does endorse the use of electronic storage, since the I-9s are most likely stored in a format that is easier to inspect and can be readily accessed as part of an integrated E-Verify system in which an employer may already be enrolled.
Currently, the law requires that an electronic storage system provide:
- Reasonable controls to ensure the integrity, accuracy and reliability of the electronic generation or storage system,
- Reasonable controls designed to prevent and detect the unauthorized or accidental creation of, addition to, alteration of, deletion of, or deterioration of an electronically completed or stored Form I-9, including the electronic signature if used;
- An inspection and quality insurance program evidenced by regular evaluations of the electronic generation or storage system, including periodic checks of the electronically stored Form I-9, including the electronic signature if used;
- In the case of electronically retained Forms I-9, a retrieval system that includes an indexing system that permits searches by any data element; and
- The ability to reproduce legible and readable hard copies.
These requirements can be distilled as a password-protected, secure database with adequate back-up redundancy, possessing a retrieval system capable of indexing and producing on a timely basis a spreadsheet on all information fields that make up a completed I-9. Additionally, the electronic signature must be capable of confirmation at the time of the transaction.
When selecting an electronic I-9 provider, analyze its system on the basis of: (1) ease of creation, (2) ease of modification and accessibility, (3) safeguards as to authenticity, (4) security and (5) costs.
The provider should confirm its certification of secure storage known as Statement on Auditing Standards 70 (SAS 70), Type II or higher. Be aware that the federal regulations do specifically require that any electronic I-9 system record and retain records of who accesses the I-9s and what actions are taken. The above is also critical to avoid employee actions for unauthorized access to personal information.
The I-9 provider must not only make assurances as to its system’s security, but provide an adequate notification system of any security breach, and have insurance and indemnification for any liability to which your company is exposed thereby. There should also be provisions for access, security and notice in the context of an ICE audit, and delineation of who bears the costs for production within the ICE time frame of 72 hours’ notice. Another related cost that should be settled is whether or not there are additional charges for your own internal review audits on the system as part of your company’s I-9 policy.
The electronic signature capability is in the federal regulations and requires that the system must affix the signature to the I-9 at the time it is completed, create and preserve a record verifying the identity of the person who produced the signature, and provide him or her with a printed confirmation at that time.
Finally, it would be best practice to require the I-9 provider to confirm that it has retained a qualified attorney to evaluate its product and hired a certified third-party testing company to check for cyber-security and provide those reports for your review. Planning ahead, you should know how the I-9 provider integrates its services with E-Verify requirements if and when your company becomes an E-Verify user. This will save the costly mistake of having to change I-9 providers.
The above is a basic overview of considerations that go into selecting an electronic I-9 provider. Failures in the I-9 provider’s system will be deemed by ICE to be your company’s failure. The choice of an I-9 provider is a large financial commitment and usually long-term. Be sure that the electronic I-9 provider with whom your company contracts meets both legal and your company’s present and future requirements. In conjunction with your company’s internal I-9 policies, the I-9 provider your company decides to use will influence the outcome of an ICE audit.