4 Reasons Why I-9 Compliance Plagues CEOs
In a recent article, I read that the top seven risks plaguing companies were issues involving (1) violations of the Foreign Corrupt Practices Act (FCPA), (2) cybersecurity threats, (3) insider trading, (4) supply chain disruptions, (5) whistleblower threats, (6) data privacy protection and (7) economic sanctions.
What makes I-9 compliance a particularly troubling area of risk management for companies is that it involves four of these top seven risks. Surprisingly, it seems most companies are still relatively in the dark about the mounting impact that I-9 compliance (and by association E-Verify compliance) has on a corporation’s bottom line. Stanford Law Professor Dan Siciliano’s nearly $104 billion figure (an unrealized liability based on a conservative annualized calculation) might have alerted some company executives. From a legal perspective, risks fall into a black-or-white area. Risk is bad. Reduce or eliminate it. I suspect, though, that most CEOs (more likely their risk managers or delegates) manage risk differently, by conducting a risk analysis, risk assessment or a business impact analysis.
Threat 1: Cybersecurity Threats from Hackers
When the company’s I-9 records are managed electronically, executive risk managers must conduct a risk analysis to identify probable threats to the company and to analyze the company’s weaknesses against these threats. I-9 records are a goldmine for cyber thieves. They contain all the information a thief needs to harvest data for nefarious purposes. Probable cybersecurity threats include utilizing vendors who have not taken, at minimum, industry-standard precautions to protect the company. A prime example involved Minnesota State Colleges and Universities.
Threat 2: Data Privacy Protection
In addition to protecting the cyber and networking infrastructure of a company, executives also have a duty to implement methods of protecting its client (and by extension its employee) data. Protecting the personally identifiable information (belonging to clients or employees) is mandated by many state and federal regulations. We wrote about this issue here. Where personally identifiable information (PII) exists, whether in digital or paper format, corporations must safeguard their client and employee data. The theft of a company laptop, the misplacement of flash drives or hard drives, and openly accessible binders all contribute to potential breaches in data privacy. Company executives must conduct a risk assessment by examining their policies to confirm what protocols have been implemented to prevent data breaches from occurring, to minimize the impact of such breaches and to repair the damage they cause. This means ensuring security of physical infrastructure, limiting employee access to digital and physical data, and keeping security logs to track who has accessed data.
Threat 3: Whistleblower Threats
Section 404 of the Sarbanes-Oxley Act (SOX §404), according to the Securities and Exchange Commission (SEC), “requires public companies’ annual reports to include the company’s own assessment of internal control over financial reporting, and an auditor’s attestation.” Under Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the SEC has implemented a whistleblower program to further encourage reporting of SEC violations and reward whistleblowers. Whistleblowers can certainly raise concerns about the way I-9 records are managed or prepared at a public company. The key is for executives to conduct a risk assessment to determine whether their I-9 business processes and protocols are sufficient to overcome potential threats from whistleblowers.
Threat 4: Economic Sanctions
Enforcement of I-9 compliance (and collaterally E-Verify compliance) has garnered the attention of multiple government enforcement agencies, bringing with them a host of economic sanctions. Prime examples include civil sanctions issued by Immigration and Customs Enforcement, the Office of Special Counsel and maybe even the Securities and Exchange Commission (pending the conclusion of currently ongoing investigations). The reality is that many public corporations still have not conducted a thorough business impact analysis to determine what their non-compliant I-9 processes would cost them.
- How much money in civil fines might the company potentially face?
- How much money in lost employee hours would the company lose if sanctioned with training and monitoring by government agencies?
- How much value would the company’s stock lose if I-9 non-compliance resulted in financial loss to the company?
- What would be the likelihood of a lawsuit from shareholders for failure to report this line-item liability on quarterly and/or annual filings?
It is possible that CEOs (or their delegates) or in-house counsel are unaware of the many risks that befall their organizations stemming solely from I-9 non-compliance. The troubling part is that I-9 compliance is not about immigration (per se) but about managing data and instituting the right protocols. It may be a long time, perhaps even years, before executive management fully integrates I-9 compliance into its usual risk management area.
For corporations vetting I-9 vendors, there may be even more risks! For the corporations that have already adopted and implemented a robust compliance strategy, congratulations on being ahead of the curve (for now)!