Encyphir Risk Management

FCRA and GLBA Compliance for Insurance Investigations

Ruby Park, President
April 11, 2026


Categories: Compliance, Insurance, Legal

Permissible purpose is the legal foundation of modern insurance investigation. Get it right and your evidence stands up. Get it wrong and the investigation can create civil liability, regulatory exposure, and evidentiary problems, even when the underlying work product is accurate. The two dominant frameworks are FCRA (Fair Credit Reporting Act) and GLBA (Gramm-Leach-Bliley Act).

FCRA: The Basics

The Fair Credit Reporting Act (15 U.S.C. § 1681) governs "consumer reports" and "investigative consumer reports" used for defined purposes. These purposes include insurance underwriting, employment, and credit decisions. For insurance investigation, FCRA applies when:

  • An investigation is used for underwriting eligibility or premium determination
  • A background report is provided for employment decisions
  • A consumer report (credit header, MVR, etc.) is obtained

When FCRA Applies to Insurance Work

  • Underwriting. Background information used to issue, renew, or rate a policy.
  • Employment. Pre-employment background on the insured's employees or on investigator employees.
  • Consumer-reporting agency output. Reports produced by CRAs for any regulated purpose.

FCRA typically does not apply to:

  • Claim investigations where the output is not used for a FCRA-covered purpose
  • Investigations of claimants in bodily injury or liability cases where the report is used for litigation, not underwriting
  • Fraud investigations that don't implicate an FCRA permissible purpose

Carriers that use the same investigative output for both claim-handling and underwriting purposes need to manage the FCRA track separately from the claim track.

FCRA Permissible Purposes

FCRA permissible purposes include:

  • Written authorization of the consumer
  • Application for credit, insurance, or employment
  • Court order
  • Legitimate business need in connection with a transaction initiated by the consumer

Investigative consumer reports have additional disclosure and consumer-notice requirements.

FCRA Adverse Action

When an insurance decision is based in whole or in part on information in a consumer report, FCRA requires:

  • Notice to the consumer that a report was used
  • Identification of the consumer reporting agency
  • Consumer right to obtain a free copy of the report
  • Consumer right to dispute inaccuracies

GLBA: The Basics

The Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) governs "nonpublic personal information" held by financial institutions. This includes insurance carriers, banks, and credit unions. For investigators, the key GLBA issue is the prohibition on obtaining customer information from financial institutions through false pretenses (pretexting) under Section 521 (15 U.S.C. § 6821).

The GLBA Pretexting Prohibition

An investigator cannot obtain financial-institution customer information by:

  • Pretending to be the customer
  • Pretending to be authorized to receive the information
  • Making false representations to obtain information

This means no phone-pretext "do you have an account at X" calls to banks. No posing as a customer service representative. No fabricated authority.

GLBA Permissible Purposes

GLBA does allow financial-information access for several permissible purposes:

  • Lawful use by the customer
  • Routine operations of the financial institution
  • Law enforcement activity
  • Investigation of suspected criminal activity (with appropriate authorization)
  • Certain state-licensed debt collection activities

Insurance asset investigations typically avoid the GLBA pretexting problem by:

  • Using legitimate databases that don't require pretexting
  • Using public records that indirectly identify financial institutions
  • Coordinating with litigation counsel for subpoena-based discovery
  • Using permissible-purpose frameworks built into investigator-licensed database access

State Privacy Law Layers

On top of FCRA and GLBA, many states layer additional privacy protections:

  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
  • California's Investigative Consumer Reporting Agencies Act (ICRAA)
  • State-specific financial privacy laws
  • State-specific investigator licensing rules

A California insurance investigation runs under at least four distinct privacy frameworks at the same time.

Driver's Privacy Protection Act (DPPA)

The DPPA governs access to motor vehicle records. Permissible purposes include:

  • Insurance-related use in connection with claims investigation
  • Litigation use
  • Use by licensed private investigators for specific permissible purposes

DPPA permissible-purpose documentation is required for DMV / MVR access.

HIPAA for Medical Information

Medical information obtained during a claim investigation is handled under HIPAA:

  • Medical canvass requires HIPAA-compliant authorization
  • Medical record handling requires HIPAA-compliant processes
  • Unauthorized medical record access creates HIPAA liability

See our apportionment post for medical canvass workflow.

Investigator Licensing

Each state licenses private investigators, and licensing carries compliance responsibilities. Insurance investigations conducted by unlicensed investigators in states requiring licensure can:

  • Create evidentiary challenges to the investigation
  • Create civil exposure for the hiring carrier
  • Trigger state regulatory action against the investigator

Our insurance fraud investigator regional post covers the multi-state licensing picture.

Documentation of Permissible Purpose

Best practice: document permissible purpose at the start of every investigation. Include in the file:

  • The carrier's claim or policy number
  • The business purpose of the investigation
  • The FCRA / GLBA / state-law framework applicable
  • The specific permissible purposes invoked for each data source

If permissible purpose is challenged later, the contemporaneous documentation is the defense.

What Compliance Looks Like in Practice

A compliant insurance investigation:

  • Operates under documented permissible purpose
  • Uses investigator-licensed database access
  • Avoids pretexting or false-representation data gathering
  • Handles medical information under HIPAA authorization
  • Provides FCRA-compliant deliverables where underwriting or employment use applies
  • Maintains chain-of-custody for all evidence
  • Produces reports that identify sources and methods

Our Approach

Our insurance background and asset investigation services, along with all of our insurance fraud investigation services and AOE/COE services, operate under documented FCRA, GLBA, DPPA, HIPAA, and state-law compliance frameworks. We produce deliverables that work in both litigation and underwriting contexts, with permissible-purpose documentation in every file.

Dual-Use Output: The Quiet Compliance Trap

The most common compliance failure we see in insurance investigation is not pretexting or unlicensed work. It is dual-use output. A carrier orders a claim investigation under a litigation theory. The resulting report includes lifestyle and employment information. Six months later, the same file is pulled into a renewal underwriting decision. At that moment, the file crosses into FCRA territory. The carrier now has an adverse-action notice obligation it may not even recognize.

The fix is to segregate investigative output by intended purpose at the point of creation. A claim file produced for litigation should state on its face that it was prepared for claim defense and is not a consumer report. If underwriting wants similar information, it should be ordered separately through a FCRA-compliant workflow. That workflow needs the consumer disclosures, investigative consumer report notices, and reinvestigation procedures FCRA requires. Mixing these tracks after the fact is how carriers end up defending class actions rather than individual claims.

This issue shows up repeatedly in our surveillance and activity checks engagements. Video and observation logs are technically factual observation rather than consumer-report content. But the written narrative wrapped around them can cross the line if it incorporates database pulls obtained under a non-FCRA permissible purpose. Clean compliance requires drawing the boundary in the work product itself.

Social Media, Open Source, and the Permissible Purpose Question

Investigators and carriers sometimes assume social media and other open-source intelligence fall outside FCRA and GLBA because the underlying data is public. That assumption is half right. The raw observation of a public profile is generally not a consumer report. The problem arises when an investigator compiles, curates, and repackages that information into a dossier used for a FCRA-covered purpose. At that point, the compilation itself can qualify as a consumer report under the 2011 FTC guidance and later case law, even though every individual data point was publicly available.

Practical guidance: treat social media reports the same way you treat database reports. Document the permissible purpose. Limit the collection to information relevant to the stated purpose. Preserve the collection methodology so authenticity can be established later. Avoid dragnet collection that sweeps in information about the subject's family, political views, or protected-class characteristics unless they are directly relevant to the claim. This discipline also matters in executive misconduct investigations and due diligence engagements, where the same open-source content supports different legal frameworks depending on how the client intends to use the output.

Vendor Management and the Carrier's Residual Liability

FCRA and GLBA liability does not end at the investigator's door. Carriers that hire investigation vendors retain residual compliance exposure under both statutes, and under most state insurance codes, for the acts of their vendors. The carrier's vendor management program is itself a compliance control. A weak one will not survive a regulatory examination.

A defensible vendor file includes:

  • The investigator's current state licenses in every jurisdiction where work is performed
  • Evidence of E&O and general liability coverage at appropriate limits
  • Written permissible-purpose certifications tied to each assignment category
  • Data-handling and retention terms consistent with GLBA Safeguards Rule expectations
  • Periodic audit rights the carrier has actually exercised

Carriers that treat investigator onboarding as a procurement exercise rather than a compliance exercise tend to discover the gap only when a bad file becomes a deposition exhibit.

For counsel managing these relationships on behalf of carriers, our work with law firm clients often includes helping draft the permissible-purpose language and scope-of-work templates that make vendor oversight auditable rather than theoretical.

Data Retention, Safeguards, and the Post-Investigation Lifecycle

Compliance does not end when the report is delivered. The GLBA Safeguards Rule, the FTC's updated requirements that took effect in 2023, and a growing set of state data-security statutes all impose obligations on how investigative files are stored, accessed, and destroyed. An investigator who collects nonpublic personal information during a permissible-purpose investigation becomes a custodian of that information for as long as it is retained. The retention period should be justified by the business purpose rather than defaulting to indefinite storage.

Reasonable practice includes:

  • Written retention schedules that match the underlying claim or litigation timeline
  • Encryption of files at rest and in transit
  • Role-based access controls limiting which staff can view which files
  • Defensible destruction procedures with logging
  • Incident-response procedures for suspected data exposure

When an investigation involves digital forensics or the handling of recovered electronic evidence, the ret