Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

INSIGHT: Employers Need to Grasp Risks of Continuous Monitoring Services

Sept. 14, 2020, 8:00 AM

Employers are increasingly exploring continuous monitoring services that address workforce risk by providing alerts on changes in an employee’s credit history, criminal background, arrest history, litigation history, and even the employee’s inclusion on a terrorist watch list.

On first blush, this type of service may appear to implicate the Fair Credit Reporting Act (FCRA) and related state laws. But, some continuous monitoring services take the position that they are not subject to the FCRA and prohibit employers from using their services in ways that implicate the FCRA.

Below are important points employers should consider when deciding to engage a continuous monitoring service.

Does FCRA Apply to Continuous Monitoring Services?

The FCRA states that a “consumer report” cannot be used for “employment purposes” (hire, promotion, reassignment, or retention) unless a clear and conspicuous disclosure has been made in writing to the employee before the report is obtained and the employee consents in writing.

The failure to meet these requirements exposes the employer to civil penalties and civil liability, including actual damages, attorneys’ fees, and, if willful noncompliance, punitive damages.

Is a Continuous Monitoring Service a Consumer Reporting Agency?

It depends. The FCRA defines a consumer report as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for…employment purposes.”

The type of alerts provided by continuous monitoring services—changes in credit history, criminal background, arrest history—likely fall within this definition. The question then turns on whether a continuous monitoring service is a consumer reporting agency.

A continuous monitoring service may argue that it is not a consumer reporting agency. The FCRA defines a consumer reporting agency as any person that regularly engages in assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.

Courts have routinely held that whether a company is a consumer reporting agency depends on subjective intent, which requires analyzing the totality of the circumstances. See, e.g., Kidd v. Thomson Reuters Corp. (S.D.N.Y. 2017).

In one case, a company was found not to be a consumer reporting agency where it had taken affirmative steps to ensure that its services were not being used for FCRA-related purposes, including training and testing personnel on prohibited uses, requiring personnel to report misuse, investigating misuse, and even terminating subscriptions for misuse.

In other cases, courts have emphasized that self-serving disclosures that a company is not a consumer reporting agency, without more, are not enough.

Continuous monitoring services may argue that they only provide “tips” that the employer must then independently verify; thus they are not in the business of “assembling or evaluating” consumer information and are not a consumer reporting agency. Whether this position would prevail has yet to be tested in courts.

In any event, when evaluating a continuous monitoring service, an employer should pay careful attention to the services provided by the company and not rely solely on its assertions to determine whether the FCRA is triggered.

What if an Employer Engages a Continuous Monitoring Service?

If an employer wants to use a continuous monitoring service, it can consider the following steps to potentially limit liability under the FCRA:

  • Seek legal advice to determine whether its particular circumstances trigger FCRA or related state law obligations. If so—or if the analysis is inconclusive—the employer may want to take steps to mitigate its risk of liability under those laws.
  • The employer may determine that disclosures are appropriate to mitigate risk. The FCRA mandates that the disclosure be in a standalone document that consists solely of the disclosure. The disclosure must be “clear and conspicuous,” so that it is reasonably understandable and readily noticeable by the employee. State laws may have additional requirements. For example, California requires that contact information for the consumer reporting agency also be disclosed.
  • Obtain consent in advance of procuring the report. An employer may want to consider asking at the time of hire for consent to obtain consumer reports throughout the term of employment, not solely for the initial reports obtained when hiring a new employee.
  • Consider instituting a procedure for handling the continuous monitoring alerts that limits the alerts’ recipients and mandates that the alerts be independently verified before being shared with anyone making employment decisions regarding the implicated employee.
  • Conduct careful review of the continuous monitoring services’ terms and conditions to ensure the employer’s actions are not running afoul of the terms and conditions, such as a prohibition against referring to the continuous monitoring service as a consumer reporting agency.

Technology often progresses faster than lawmakers and courts can keep up. Employers should pay careful attention to see how courts treat continuous monitoring services going forward.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Margaret Hope Allen is a partner in the Commercial Disputes and Litigation practice at Sidley Austin LLP and represents individuals and corporations in complex disputes in international arbitration and in courts across the U.S. She has represented board committees in internal investigations and whistleblower actions all over the world, often involving allegations of fraud and corruption.

Tiffanie N. Limbrick is an associate in the Commercial Disputes and Litigation practice at Sidley Austin LLP and focuses on a broad array of commercial disputes, including purchase price disputes, securities, trade secret misappropriation, breach of contract, and employment disputes involving issues of overtime pay, discrimination, and non-competition/non-solicitation agreements.

This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and the receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. The content therein does not reflect the views of the firm.