Continuous Monitoring of Employees Gaining Traction

On the morning of Monday, August 19, 2019, 76-year-old Evelyn Udell Smith opened her door to let in a deliveryman who was hauling the appliances she had purchased at Best Buy. That man, Jorge Luis Dupre Lachazo, entered the Boca Raton, Fla. home and beat Udell Smith to death with a mallet and doused her with a chemical, causing Smith to burst into flames. A month earlier, Dupre Lachazo’s driver’s license had been suspended for failure to show up to a court hearing after running a stop sign. But it is unlikely that the delivery contractor that had hired Dupre Lachazo knew about the suspension.

Years earlier, just weeks before his rampage, Navy Yard shooter Aaron Alexis had had his federal security clearance renewed, despite having been arrested three times in the previous decade. His superiors didn’t know about those arrests.

Cases like these, as well as the prospect of liability for negligent hiring or retention, have sparked heightened interest in continuous monitoring (CM). That’s having a firm send an employer alerts if staff members get arrested or incarcerated, or in some cases, if they have liens filed against them, have become liable for civil judgements, appear on no-fly lists, lose their medical license, get disbarred, or otherwise appear in a database that calls into question the safety or security implications of keeping them on board.

Pre-employment screening is the cornerstone of a responsible personnel security program. Ninety-six percent of organizations conduct preemployment checks, according to the National Association of Professional Background Screeners and HR.com. In many regulated industries and positions, the practice is mandated.

But both the Boca Raton and Navy Yard cases exposed the limitations of preemployment checks. They represent a fixed point in time that looks backwards, blind to any nefarious activity that occurs post-check. “The day the background check is done, it’s dated,” declares Raj Ananthanpillai, the CEO of Endera, a subscription-based SaaS provider of continuous monitoring services.

Limited Adoption so Far

Hence the appeal of CM. But few employers use the service. Why the limited uptake so far? First, it’s relatively new, in part because the technology for immediate alerts hadn’t been widely available. Then there are budget and oversight issues. “Background screening is baked into corporate costs,” says Vince Brodt, VP of Customer Experience at SJV Data Solutions. “CM isn’t.”

While background screening typically falls under human resources, CM doesn’t. It requires collaboration among HR, risk, security and compliance, according to Brian Matthews, president of Appriss Insights, which provides data solutions related to background screening and CM.

Also, “continuous” sometimes means “continual.” Experts point out that a true CM program is literally continuous, with little or no latency between when an incident is recorded and when it becomes available to the employer. With some programs there’s a lag before the employer receives an alert.

Scott Vanek, CEO of SJV Data Solutions, points out that there are 2,000 or so firms that collect data on individuals and supply it to client employers in the U.S., “But it’s single digits in terms of who is using a true real-time CM product today,” he says. Some firms don’t forward data for 30 or 60 days, Vanek adds.

Doing CM Right

Compliance issues figure heavily in creating a sound program.

“Monitoring is a great thing when done correctly,” according to Pamela Devata, a partner at Seyfarth Shaw LLP who heads the law firm’s Background Screening Compliance and Litigation Defense team. A user must navigate several issues. First, a monitoring company might be considered a credit reporting agency under the U.S. Fair Credit Reporting Act (FCRA); many factors weigh into that determination, says Devata. If the FCRA applies, companies must have a “permissible purpose” for obtaining an employee’s background information, including hiring, promotion, reassignment and retention. Since CM is undertaken for all these purposes except hiring, “permissible purpose” is usually not an obstacle, says Devata. Similarly, the FCRA requires that staff members authorize employers to obtain and act upon consumer reports. It’s unusual for an employee to refuse, says Devata because an organization can make CM a condition of employment.

State laws also apply. For example, under California law an employer must obtain separate consent from the employee every time it seeks a new investigative report, but with some exceptions, which creates ambiguity.

Other issues may be more troublesome. Devata and Nick Fishman, an expert in screening and CM, caution about taking action against employees who have been arrested but not convicted. Guidance from the U.S. Equal Employment Opportunity Commission issued in April 2012 establishes that arrest records per se create an adverse impact on minority populations under Title VII of the Civil Rights Act of 1964.

Furthermore, employers should be scrupulous about making sure that the data they receive about employees is accurate. “If someone gets pulled over,” says Devata, “they can give any name they want, and that goes into the database.” That’s why experts say that better matching occurs with more data about the employee: not only name and date of birth, but also Social Security number, post-nominals, driver’s license number and so on.

Accuracy involves timeliness, as well as correct information. Employers have to ask whether the status of an alert will change quickly. “Is the status of an incarceration subject to change with such rapidity that what is reported today is likely to change before an employer acts?” asks Jason Morris, founder of EmployeeScreenIQ. “For instance, what if I rely on an incarceration alert I receive today and use that report to make an employment decision, but the charges are dropped or amended to lesser charges tomorrow?”

Alerts should be relevant to the duties of the employee, experts stress, and they must be relevant for the company to take action based on that information. For example, a manufacturing company might receive alerts if one of its drivers gets arrested for a DUI, but not if one of its accountants does.

Most companies providing CM services offer arrest and incarceration notices. Endera is among those CM companies that provide many other alerts. It boasts 25,000 data sources, covering criminal and civil records, licenses, no-fly lists, watch lists, do-not-do-business lists and so on.

While more data sources cover more territory, those sources need to be pertinent. As Morris puts it, “Make sure your vendor has the most data points that apply to your business — the deepest data from the most sources — tries to normalize that data the best way and can guide employers how to legally use the information properly.”

Setting Policies

Matthews advises that companies implementing CM for criminal activity establish a “clear and consistent self-reporting policy for all criminal behavior, including arrest.” Fishman adds that counsel may advise the employer to “list the types of criminal activities being monitored, or document the spectrum of disciplinary options employees will be subject to in the event of an arrest or any other concerning record.” Matthews emphasizes that the employer investigate, using well-articulated, preexisting policies and procedures,” any activity that a CM program reports about an employee. Employers court major trouble if they fail to investigate an alert before taking an adverse action.

“You’re going to want to update your employee manual,” adds Fishman. “Communicate and explain to staff what you are doing and why you are doing it. Define a process of how you are going to do this, what the different administrative practices are and how you will react to things,” he adds. This will lead to staff understanding and buy-in as opposed to feeling surveilled.

But policies in employee manuals only go so far. “Our customers have employee manuals with do’s and don’ts,” says Ananthanpillai. “For example, in financial services and airlines there are self-reporting requirements. But there is no way to monitor those don’ts.”

Establishing a Beachhead

Despite compliance hurdles, the market for CM is burgeoning. Fishman says that regulated industries, such as financial services, as well as those that serve vulnerable populations, such as child care and nursing homes, have been the first adopters. “You will see larger market adoption,” Fishman says. “But those are ground zero.”

Matthews has been tracking the market growth in CM. According to him, “2019 and 2020 are beachhead years for key industries — education, retail, transportation, healthcare, finance and the gig economy. In each you have one or two top tier companies either doing it or starting it.”

COVID-19, by causing mass layoffs, may accelerate the trend toward the gig economy, which could increase the uptake of CM. “Ultimately, this is going to go into the “Know Your Customer” realm,” Ananthanpillai says. “Workers will move from gig to gig. How do you keep track?”

Morris points out another reason for the likely growth of the industry: the emergence of ban-the-box laws in U.S. states and cities, which prohibit companies from refusing to hire an applicant with a rap sheet. “It’s going to be less socially acceptable not to hire someone because they have a criminal record,” he says. But employers have to protect themselves against risk. “They’re going to say, ‘We will give you a chance, but we will be watching you like a hawk,’” Morris notes.

Companies that have traditionally provided background checks have rapidly added CM services. “We are at the first inning of a tectonic shift in the market from a one-and-done background screen to CM,” says Matthews. “Employers want to make sure they are keeping their workplaces safe. And it’s also just good business.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.