As your partner, PeopleMatter periodically conducts internal reviews to help improve processes and our services to you. In a recent review, we discovered some companies appear to be using shared logins; this means, for example, that multiple managers are all logging in under one store account.
This puts your company at significant risk for noncompliance, and we felt it was necessary to remind all customers that sharing PeopleMatter logins is not allowed. Here’s why:
- As a condition of using our electronic onboarding and I-9 verification system (including the federal E-Verify program), you agree to assign unique login credentials (ID and password) to each user through our system and not to allow employees/users to share their unique login credentials with other users.
- This also means that individual users must not access the system under someone else’s unique login credentials. Login credentials are assigned to a specific user and constitute authentication for electronic signatures needed in the system, for instance for signing the federal I-9 Employment Eligibility Verification Form. Sharing login credentials not only makes it impossible to trace a particular record to a specific user in order to monitor quality or resolve disputes but it can also be interpreted by federal agencies as fraudulent conduct that could lead to criminal sanctions against the company and individuals.
- Furthermore, users of the federal E-Verify program must agree to pass a mandatory knowledge test before being allowed access to the program, and the employer must be able to demonstrate in a government audit that each E-Verify user passed the required test. Allowing users to share login credentials increases the risk that individuals access the E-Verify systems who did not take or pass the required knowledge test, and which would constitute a violation of the E-Verify program rules and may lead to the employer being barred from using the E-Verify program.
The following best practices regarding usernames and access to PeopleMatter should be immediately implemented.
- DO create admins with unique login credentials for each person (ID and password)
- DO NOT use mailinator.com or other open email servers that do not require passwords for access
- DO NOT allow admins to share passwords or login information with other users
- E-Verify Self Assessment Check List:
- The E-Verify Self-Assessment Guide (SAG) for Web Services Users assists participating employers in complying with the E-Verify user requirements.
- “Does each user have a separate user ID and password?” (p4, Question 1.0)
- E-Verify Training Requirements and Guidelines
- PeopleMatter is required to prevent access to E-Verify until each user has been provided training and passes the knowledge test at 70%.
- PeopleMatter User Terms and Conditions
- All users in PeopleMatter agree to the PeopleMatter Terms and Conditions, including confidentiality of login credentials.
Question 1: How do we start to fix this?
- Create new administrative accounts with unique logins for your administrators and store managers. You can do this via the PeopleMatter Company Settings page. You can manually add employees through the “Add New” button. Or, you can bulk upload several employees at once through the “Bulk Upload” feature which allows you to enter the information from a template provided in Comma Separated Value (CSV) format.
- After the new user accounts are in place, separate the shared employee that was the account with the non-unique login so that it may no longer be used.
- We do not suggest that you edit existing accounts that use shared logins to non-shared logins as it will not require them to re-complete the required E-Verify training needed with their new unique logins. (e.g. do not edit the name and email address for Store Manager 2 to Joe Smith).
- Additionally, we thought you may be interested to know that later in 2015, we are planning to add more flexibility in the account creation process. We know that email can be difficult to obtain from some of your users. Therefore, we plan to provide additional flexibility to allow users to create a unique ID that is not their email address. We’ll keep you updated on these plans as this project progresses.
Question 2: Will our administrators need to take the E-Verify training and test again?
- Yes. If your administrators are created or imported again with their unique names and logins, they will be required to re-complete the E-Verify training and test. This is an excellent opportunity to have a record of their completion for E-Verify purposes.
Question 3: What about our existing I-9s that have shared logins?
- The action recommended for your situation can vary based on a variety of factors, so we suggest you consult your legal counsel to determine what changes (if any) are required. If you plan to take action on your I-9s, there are two product features which may be helpful:
- Edit I-9s: Completed I-9s may be edited using the “View/Edit” action. All changes will be tracked in the audit history.
- I-9 Documentation: In the settings area under “I-9 Documentation”, you may define “Other” types of documents to be attached on the employee record. This allows a memo to an auditor explaining corrections to the I-9 to be attached to the employee record. In the case of an audit, the memo will be included with the I-9 and other related documentation.
Question 4: How does this impact an E-Verify cases that were already completed?
- PeopleMatter does provide the name of the person completing the I-9 Section 2 data to E-Verify for each case. However, E-Verify should never be used to re-verify the employment authorization of an existing employee (source: E-Verify User Manual for Employers).