Don’t Forget about E-Verify Program Requirements when Selecting an Electronic I-9 Solution
[Editor’s Note: today’s blog is courtesy of Dan Brown of Berry Appleman & Leiden LLP]
The right electronic I-9 solution can help employers dramatically improve their overall compliance posture while simultaneously reducing the everyday costs and administrative burdens of completing and retaining I-9 forms. If you are an E-Verify employer, choosing the right electronic I-9 program will also significantly ease the burdens of managing the E-Verify process. Any serious I-9 solution will provide you with access to the DHS E-Verify program and make initiation of the E-Verify query a seamless part of the process for completing an I-9 form. E-Verify access will only become more important, as Congress will likely consider E-Verify legislation this year, in addition to the E-Verify mandates that are increasingly being imposed at the state and local level and the requirements that federal contractors already face.
It is critical that employers considering whether to use an electronic I-9 program exercise sufficient levels of due diligence before choosing any particular solution. Any I-9 program must meet the minimum requirements set out in the DHS regulations for electronic retention and signature of I-9 forms or an employer risks the possibility of having its I-9s (created and retained in the program) invalidated by U.S. Immigration and Customs Enforcement (ICE) during an I-9 inspection. However, one important aspect of the due diligence process that might be less obvious to employers shopping for an I-9 program is an I-9 program vendor’s compliance with its E-Verify program obligations.
Virtually all electronic I-9 program vendors provide their customers with access to E-Verify as Web Services E-Verify Employer Agents (formerly known as Web Services Designated Agents). Companies that provide customers with such access to E-Verify, or that develop or market software to do so, must sign a memorandum of understanding (MOU) with the Department of Homeland Security. The MOU sets out important requirements for companies marketing and developing web-based E-Verify services. Employers who use E-Verify or who will be required to use E-Verify in the future should ensure that any I-9 program that they are considering meets the following requirements as set out in the DHS-mandated MOU:
- Maintenance and Improvements to the E-Verify Program—Web services E-Verify providers must have sufficient staff and resources to meet the requirements to maintain and update the web services interface with the DHS E-Verify program when required. DHS regularly makes enhancements and improvements to the E-Verify program, such as the recent addition of the US passport photo matching process. The MOU requires E-Verify providers to incorporate such updates and enhancements within six months after the government provides notice of those changes. We suggest that you check to ensure that the I-9 program provider is using the latest version of the E-Verify program (currently E-Verify version 22) and inquire about the potential vendor’s history of meeting deadlines for previous enhancements. When vendors have had difficulty in the past keeping up with E-Verify changes as they occur, that may be a signal the vendor is devoting insufficient attention and resources to keep up with government changes.
- Compliance with E-Verify Logic—E-Verify Web Services providers must also ensure that any system or interface they develop for accessing E-Verify follows the program’s rules and procedures for processing E-Verify queries and handling tentative non-confirmation responses. For example, the vendor’s program must allow an employer to close an invalid case where appropriate and should not automatically close or refer a tentative non-confirmation response, which we have heard was true of a number of programs. When reviewing an E-Verify provider’s product, we suggest you work with counsel to ensure that the program’s processes and procedures for handling E-Verify transactions closely mirror the E-Verify rules and program requirements.
- Training—The MOU also requires Web Services E-Verify agents to provide their customers with training that meets the E-Verify program’s standards. As part of this requirement, the vendor must provide a focused study of the topics covered in the E-Verify User Manual, pertinent Supplemental Guides, and other E-Verify materials including the tutorials. Be careful of vendors that attempt to shirk these responsibilities by simply referring your staff to the E-Verify web site tutorials. Under the MOU, the software vendor is clearly responsible for instructing employers on the E-Verify rules, and can even face penalties for failure to provide adequate training. From a practical standpoint, it also makes little sense to have employees access the USCIS-provided E-Verify tutorial, which contains specific instructions and screenshots for using the web interface, most of which will be highly irrelevant to employers with electronic I-9 systems.
- All E-Verify Software Development and Maintenance Must Be Done in the U.S.—Many employers may be surprised to learn that the DHS MOU for software developers and Web Services requires that any development, housing, infrastructure, or maintenance of Web Services software be conducted in the U.S., defined as the 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. Any software development or update outside of the U.S., regardless of how limited, is prohibited. We strongly suggest that employers check with any potential I-9 program vendor whether any software development or maintenance is conducted outside the U.S.
- Data Protection and Contingency Planning—Web Services E-Verify agents must utilize proper Internet security (such as using HTTP over SSL/TLS when dealing with government systems) in order to prevent the interception of sensitive data by hackers. In addition, the vendor must maintain physical, electronic, and procedural safeguards to appropriately protect the information shared against loss, theft, misuse, unauthorized access, and improper disclosure, copying, use, modification or deletion. Further, in the event of a data spill or accidental release of Personally Identifiable Information (PII), the Web Services E-Verify agent is contractually obligated to report immediately upon discovery to DHS any and all suspected or confirmed breaches of owned or used systems or data spills related to E-Verify.
Why are these requirements important to a company considering whether or not to select a particular electronic I-9 program and its E-Verify component? Because the MOU gives DHS the authority, based upon any failure to comply with the terms of the MOU, to suspend, terminate or cancel a Web Services provider’s account. This can mean loss of access to the E-Verify program for any of the provider’s customers without warning or notice from the government. For those employers who are required to use E-Verify, whether due to state law or because they are a federal contractor, this can be a critically important compliance issue since E-Verify queries will still need to be initiated within 3 days of hire.