Cutting the Gordian Knot: Requirements for Electronic I-9 Storage
In 2004, Congress passed Public Law 108-390, a short piece of legislation—less than half a page in length—amending the Immigration and Nationality Act (INA) to allow electronic signature and electronic storage of I-9 forms, which employers use to verify an employee’s identity and to establish that the worker is eligible to accept employment. At the time, the amendment was viewed as a progressive step toward taking advantage of modern technology and processes. Many believed it would simplify the I-9 verification process.
Unfortunately, while Congress opted for brevity and simplicity in the amendment, the regulatory agencies opted for complexity, issuing regulations to implement the statute that are lengthy, cumbersome, difficult to understand and at times contradictory. To complicate matters even further, auditors are also unfamiliar with the regulations and may demand documents that the employer is not strictly required to store or produce.
Furthermore, the government has done a poor job of informing businesses of these regulations. Many businesses assume that the statutory approval of electronic storage and signature means that I-9 forms can merely be scanned and saved onto a hard drive. A lack of documented procedures can result in a violation of the INA, an unpleasant surprise for employers who fancied themselves compliant.
Since the regulations are a web of confusion, this article will address the many requirements of a compliant electronic I-9 storage system, highlighting both what is specifically required and what auditors sometimes mistakenly believe is required. It will conclude by highlighting some steps employers can take to ensure they comply with the regulations, proactively averting potential problems before they arise.
A compliant storage system
In addition to scanning and storing legible copies of I-9 forms, businesses are required to meet certain standards for electronic retention. These are outlined in 8 C.F.R. §274a.2(e). According to the regulation, the system for electronic storage must include reasonable controls to ensure the integrity, accuracy and reliability of stored documents, as well as reasonable controls designed to prevent and detect the unauthorized or accidental creation, alteration or deletion of stored documents. Storage systems should also have inspection procedures, be able to produce legible paper copies, and have an indexing system.
While all these features are required, there is only an incidental documentation requirement. Employers are required to maintain descriptions of their indexing system and the generation and storage system, including any procedures for using it. While it is not required, the regulations also provide that employers may maintain a spreadsheet of the data stored electronically. The regulation provides, however, that any such spreadsheet must be produced to an auditor if requested.
Paragraph (g) of the regulation introduces additional requirements for the security of the electronic storage system. Specifically, only trained, authorized personnel may have access to the system. Also, the system must have backup and recovery features to prevent loss of data. Employees who use the system must be trained to minimize the risk of alteration or deletion of the records. This paragraph also requires a “secure and permanent record” of who accesses and alters documents. This record is referred to as an “audit trail” and represents—as we shall see—one of the more problematic aspects of the storage system.
Note, however, that while employers are required to document descriptions of the indexing system, generation system and storage system, they are not expressly required to maintain documentation of the security features. Furthermore, failure to have these security features in place is not in and of itself a violation of the law. Rather, employers who do not use adequate security will be found in violation only if data is actually lost or altered due to lack of proper security. See 8 C.F.R. §274a.2(g)(2).
The dotted line
In addition to the requirements for storage, there are special requirements when an employer elects to use electronic signature. Specifically, the system used must record the time, date and identity of the signature. It must also include some form of attestation. Businesses can use any form of attestation, provided it adequately ensures that the signatory has read the attestation before signing it electronically.
Many employers opt to provide a PIN number to each employee completing an I-9. This PIN is entered when the form is signed. Other employers use a “Click to Accept” feature similar to that of electronic software licenses. While either method is acceptable, employers are required to document which one they use and produce this documentation to auditors when requested.
The sections of the regulation discussed so far have no enforcement mechanism other than liability if data are lost or destroyed. However, the regulation does contain a limited enforcement provision in the form of required disclosure.
Specifically, the regulation permits auditors to compel production of documentation of business processes that (1) create the electronically stored forms, (2) modify and maintain the forms, and (3) establish the authenticity and integrity of the forms. The regulation provides that insufficient documentation of these three business processes is a violation of the I-9 verification requirements and that the auditor can compel (by subpoena) the production of any documentation required by the regulation.
As this is the only true enforcement provision regarding storage of electronic documents, it is, not surprisingly, the source of the most confusion regarding electronic document storage. The problem is that auditors feel they can compel production of anything that is useful to their audit, on pain of declaring the employer in violation of the law. However, this is an overly broad interpretation of the disclosure requirement.
Specifically, auditors can only compel production of documentation of business processes. This means that auditors can examine policies and procedures that are used to create and store documents.
It would be rare for an employer to select a storage method that is not secure. However, employers often do not have all the ideal procedures in place. One of the most troubling requirements is the “audit trail.” Simply put, auditors want to see some form of access log to the records, but employers often do not have one in place. This can result in a failed audit and hefty compliance fines.
However, a careful look at the regulations shows that audit trails are not specifically required to avoid violation of the law. The only specific requirement for an audit trail comes with the security provisions, and, as we have previously discussed, a failure of a security feature is not a violation until data loss results.
Auditors will point to the disclosure requirement as requiring audit trails. However, the wording of the disclosure provision only requires disclosure of the business process that establishes the authenticity and integrity of I-9 forms. The wording of the regulation is illustrative, meaning that audit trails would satisfy this requirement but are merely one of many ways to do so.
Ultimately, an employer could probably appeal a fine imposed for audit-trail failure. However, in such a situation, the employer will be forced to waste valuable time and resources. If an employer is not using an audit trail, it would be advisable to begin doing so immediately. While technically not required, the fact that the law encourages it means that auditors will request it. The same logic applies to most other aspects of the data storage requirements. Auditors are simply not well-versed enough in the law to know what they can and cannot demand. Therefore, it is important to attempt to create a data storage system that will be beyond reproach.
In the wake of the regulations, commercial vendors have developed data entry and storage services. These systems promise compliant storage and hassle-free data management. However, in choosing a vendor, it is important to consider the possibility of an audit.
Do not assume that any commercial product is compliant or will be approved if audited. Many vendors do not specifically contemplate the possibility of an audit when preparing service proposal packages. Some may not have the ability to produce large batches of I-9 forms in a short time window. Others may be able to produce batch printouts, but may be unable to provide forms for specific individuals.
Before deciding on a vendor, ask the salesperson about what audit support service is offered. Speak with an immigration professional to learn the types of data production that an audit may require. Before agreeing to spend time or money on data entry services, make sure you are getting exactly what will be required, or at least be aware of the limits so you can plan for audits accordingly.
Cutting the knot: making an existing system compliant
One strategy to prepare a compliant system is to try to untangle the various pieces of the regulation. However, this will lead to confusion and disagreement with an auditor. Another strategy is to circumvent the whole process and simply provide adequate documentation—which will ultimately be less costly and more effective in ensuring that a document storage system is unassailable.
The first step is to put into place a written I-9 policy that goes beyond the bare requirements of the regulation. While there are no specific requirements, the policy should be a simple document, as auditors tend to reject lengthy, technical documents. It should address the following areas:
• Document creation: How is the electronic copy of the hard-copy I-9 produced? What happens with the original I-9? What type of file is used?
• Storage and indexing: Describe the indexing system. What controls are in place to ensure the integrity, accuracy and reliability of the electronically stored I-9 forms? What controls are in place to prevent unauthorized or accidental creation, alteration or deletion of stored I-9 forms?
• Inspection and audit: What inspection, audit and quality assurance programs are in place to ensure continued accuracy of the I-9 forms? How often do audits occur? How are audit subjects selected? Who performs the audits and what is the procedure? What form of compliance report is generated and how?
• Security: What security features are in place? What backup procedures are used? Who has access to files and what training do they have? What encryption and firewall programs are in place?
• Electronic signature: What attestation language and signature procedure are used? What records are kept of the electronic signature? If a password or PIN is used, how is this generated and assigned? If “Click to Accept” is used, how can the employer be sure that the person who clicks and accepts is the person who is supposed to be signing it? Are IDs checked upon signature?
When an audit occurs, employers can present the auditor with a copy of the policy. Often, this will satisfy the auditor’s needs. Ultimately, failures of procedures are not an automatic violation of the law, but failures of documentation are. Therefore, having adequate documentation is the employer’s best defense.
Workforce Management Online, July 2010