What to do if a rep makes unauthorized calls from your company CRM

A rep made unauthorized calls from your CRM. Here's how to assess your TCPA liability, stop the bleeding, and fix your process before a lawsuit lands.

LeadCompliant Team
22 min read
In This Article

Last updated 2026-07-11

Manager reviewing printed call logs at a sales office desk after unauthorized CRM calls
Manager reviewing printed call logs at a sales office desk after unauthorized CRM calls

TL;DR

When a rep makes unauthorized calls from your CRM, your company can still be liable under TCPA even if you never ordered the calls. Suspend the rep's access, preserve every log, check whether called numbers were on the National DNC Registry, and document your fix. Statutory damages run $500 to $1,500 per call. Speed and paperwork are your defense.

Why does your company face TCPA liability even if you didn't authorize the calls?

Your company can be on the hook even when a rep went rogue. The Telephone Consumer Protection Act, 47 U.S.C. § 227, doesn't ask whether you meant for a call to go out. It asks whether the call used company equipment, whether you had control over the caller, and whether the person called had given prior express consent. If a rep used your CRM, your dialer integration, or your VOIP lines, those calls almost certainly meet the "on behalf of" test the FCC uses for vicarious liability. [1]

The FCC's 2013 declaratory ruling made this explicit. A company can be held liable for TCPA violations its agents commit under common law agency principles: actual authority, apparent authority, and ratification. [1] Ratification is the trap. Learn a rep made bad calls, then sit on your hands, and a court can later say you ratified the conduct.

Real settlements show how fast this compounds. The Cash App TCPA class action settlement and the Credit One TCPA settlement both landed in eight figures, driven by call volume times statutory damages. At $500 per call for a negligent violation and $1,500 for a willful one, a rep who dials 200 unauthorized numbers creates $100,000 to $300,000 in exposure before anyone files a thing. [2]

None of this is legal advice. Get an attorney involved early. What follows is what to do operationally while counsel gets up to speed.

What should you do in the first 24 hours after discovering unauthorized calls?

Stop the bleeding first. Speed beats polish here, and the one thing that matters most is that no more calls go out.

Suspend the rep's CRM access immediately. Don't fire them yet. You may need their cooperation to understand what happened, and cutting someone loose before you've documented the facts can complicate later proceedings. Suspend access, not employment, as move number one.

Export and preserve the call logs next. Every CRM record, VOIP log, and dialer report tied to that rep for the relevant period gets locked down under a litigation hold. Delete or overwrite records after you have reason to expect a suit, and that's spoliation. It makes everything worse, and courts punish it. [3]

Third, pull the list of numbers the rep called and run it against the National DNC Registry. Registered numbers that got called with no prior express written consent record are your highest-risk bucket. [4] Compare what you claim you scrubbed against what actually got dialed.

Fourth, check whether any called number sat on your internal suppression list or had already opted out. A call to a number that previously opted out is often treated as willful, which triples the per-call damages.

Fifth, write a dated internal memo: when you found the problem, what you saw, and what you did about it in the first hours. Courts and the FTC care whether you treated this as a real compliance failure or shrugged it off.

How do you figure out the actual scope of exposure?

Get a true count before you guess at dollars. Pull every outbound call record tied to that rep's user ID in your CRM and dialer. Sort by date range, number type (mobile versus landline changes the auto-dialer analysis), and consent status.

For each called number, answer four questions. Was it on the National DNC Registry when the call went out? Do your records show a signed or recorded prior express written consent? Was it on your internal do-not-call list? And was the call made with an ATDS (automatic telephone dialing system) or a prerecorded voice?

The ATDS question is still messy after Facebook v. Duguid (2021), which narrowed the term to systems using a random or sequential number generator. [5] But if your CRM ties into a power dialer, a preview dialer, or any tool that auto-populates and fires calls, you may still sit in ATDS territory depending on your circuit. Get counsel's read for your exact stack.

Once you have counts by category, you have a rough liability estimate. A simple table gets you there.

CategoryCallsPer-Call ExposureEstimated Range
DNC-registered, no consentX$500 to $1,500$X to $X
Internal opt-out, called anywayX$500 to $1,500 (likely willful)$X to $X
Mobile, ATDS, no consentX$500 to $1,500$X to $X
Consent record existsX$0 (low risk)low

This is the document your attorney needs. Build it before your first call with them, not after.

TCPA unauthorized call: key liability figures Statutory thresholds and enforcement benchmarks under 47 U.S.C. § 227 and FTC TSR $500 Per-call damages, negligent… $1,500 Per-call damages, willful v… $52k TSR civil penalty per violation (current) $225M FCC fine, 2021 robocall enforcement action Source: Cornell LII (47 U.S.C. § 227), FTC TSR, FCC 2021 enforcement action

Do you have to notify the people who were called?

No federal statute forces you to proactively notify called parties the way HIPAA forces breach notifications for health data. The practical math is trickier than that clean answer suggests.

If you know specific people got hit with illegal calls, some companies choose to offer remediation before suits land: a written apology, a small credit, a settlement offer. Done right, with counsel steering, that can shrink the size and number of individual TCPA claims. Done clumsily, it reads as an admission and draws more plaintiffs to your door.

What you probably should do is stand up a dedicated log of everyone who called back to complain or opt out because of these calls, and honor every opt-out immediately. Under the FTC's Telemarketing Sales Rule, a company must honor a residential subscriber's do-not-call request within 30 days. [4] For mobile numbers the practical standard is now. Any delay in honoring those requests after your discovery event multiplies the damage.

If the volume is large, your attorney may push proactive outreach as part of a global settlement play. That's a legal judgment call, not an operational one. Your operational job is clean, accurate records of who was called and exactly when you stopped.

What process failures let this happen, and how do you fix them?

Unauthorized CRM calls almost always trace to one of four gaps: no role-based access controls, no pre-call DNC scrubbing, no consent check at the point of call, or a culture where quota pressure beats the rules.

Role-based access control means a rep can only initiate a call to a contact that has a valid consent record and has cleared your DNC scrub. Salesforce, HubSpot, and most enterprise CRMs enforce this with workflow rules. If a rep could click "call" on any number with no gate, that's a configuration problem before it's a people problem.

DNC scrubbing runs on a schedule, not once. The FTC requires sellers and telemarketers to scrub against the National DNC Registry at least every 31 days. [4] If your cadence is slower, every call made in the gap is unprotected. You access the registry through the FTC's registry portal at donotcall.gov. [6]

Consent verification at the point of call means the CRM shows the rep the source and date of consent before the call fires. If a rep sees only a name and a number, you built a system that invites violations. Add a consent record field. Make it required. Log it.

Culture doesn't yield to a config change. If missed dials get flagged on dashboards and compliance misses don't, you've told your reps what actually counts. Some teams now put a TCPA compliance metric right on rep scorecards. Not a bad idea. LeadCompliant's free compliance kit has a sample scorecard framework if you want a starting point.

For the mechanical rules your reps should know before they pick up the phone, the cold calling overview is a good reference.

Can the company recover anything from the rep personally?

Sometimes, but it's harder than it sounds. Collecting is the real obstacle.

If the rep signed an employment agreement or offer letter with a compliance clause, and that clause says the employee is responsible for losses from policy violations, you have a contractual basis to seek indemnification. Turning that basis into cash is another story. Most reps don't have assets worth chasing.

In at-will states, you can and probably should terminate a rep who made unauthorized calls, after you've documented the facts. Documenting first matters. You want a clear record that termination was for cause tied to a specific policy-violating act, not to soft performance.

The bigger move is to treat this as a systems audit, not a personnel drama. If your system let this happen without a gate, another rep can repeat it next month. Firing the person while leaving the hole open does nothing for your future liability.

What records do you need to keep, and for how long?

Keep the paper for at least four years. The FTC's Telemarketing Sales Rule requires sellers and telemarketers to hold required consent records for 24 months from the date of collection. [6] For TCPA, plaintiffs' attorneys routinely demand call logs, consent records, and DNC scrub logs going back the full limitations period, which under TCPA is 4 years for federal claims (28 U.S.C. § 1658) and sometimes longer under state analogues. [7]

For every call the unauthorized rep made, preserve four things: the CRM contact record as it stood at call time, the call log from your VOIP or dialer, the DNC scrub result for that number at call time, and the rep's access log showing when they were in the system. Keep these after the rep is gone. Keep them even if a year passes and nobody calls.

If you use a third-party data provider or list broker, pull and save their scrub certification for the batch that included the called numbers. Courts have accepted vendor scrub certifications as part of a good-faith compliance defense, but only for companies that actually kept the documentation.

The do-not-call list article covers what registry records look like and how to pull your own compliance documentation.

What is the FCC's "established business relationship" exception, and does it help here?

The established business relationship (EBR) exception lets you call a DNC-registered residential number without separate consent, but only for a limited window and only for landlines. Under the rules tied to 47 U.S.C. § 227, a company generally can't call a number on the National DNC Registry unless it has prior express consent or an EBR with the called party. The EBR covers calls for up to 18 months after the most recent transaction, or 3 months after a consumer inquiry. [2]

The statute defines the term as a relationship "formed by a voluntary two-way communication between a person or entity and a residential subscriber with or without an exchange of consideration, on the basis of the subscriber's purchase or transaction with the entity within eighteen (18) months immediately preceding the date of a telephone call," per 47 U.S.C. § 227. [2]

Does it help after a rep made unauthorized calls? Only if the specific people called actually had a recent transaction or inquiry with your company. If the rep worked from a purchased list or pulled a CRM segment they weren't cleared to touch, the EBR defense probably doesn't apply. And on mobile numbers, EBR doesn't override the ATDS consent requirement anyway.

Honest read: don't lean on EBR as your primary defense. Check your consent records first. EBR is a backup argument for your attorney, not a clean exit.

How do you prevent this from happening again?

Prevention runs on three layers: technical controls, a written policy, and training with teeth. Skip any one and the other two carry a load they can't hold.

On the technical side, every number in your CRM should carry a "call eligibility" status that the system enforces, more than displays. Numbers on the DNC Registry, on your internal suppression list, or lacking a valid consent record should not be callable with one click. Some teams add a hard gate: the rep must confirm the consent source before the call initiates. That 10-second friction has saved companies from serious exposure.

On policy, your outbound calling policy should say, in plain language, which lists can be called, what consent documentation is required, how DNC scrubbing works and when it runs, and what happens when a rep breaks the rules. Get it signed at onboarding and re-signed every year. Keep it short enough that people actually read it.

On training, run a 30-minute TCPA basics session annually. Cover the TCPA rules, the DNC Registry, what prior express written consent means, and what to do when a called party asks off the list. Record attendance. Test with three or four scenario questions. File the results.

Use LeadCompliant's free tools to run a DNC check against your CRM export before you turn access back on for the rest of the team. That's a solid immediate step while you build the longer-term controls.

For teams that also send texts, the rules rhyme but add layers. The text message marketing article covers where SMS consent differs from voice.

If your team calls mobile numbers, check your list management against the mobile phone do not call list guidance.

What does a real TCPA enforcement action look like after unauthorized calls?

Most TCPA claims come from private plaintiffs, not the government. The Act creates a private right of action, which is why so many cases settle. Plaintiffs' attorneys can recover fees, and aggregated damages get large enough to draw class action treatment. [2]

Here's the usual sequence. A called party gets a call they never consented to, looks up your number, and calls a TCPA plaintiff's firm. The firm sends a preservation letter, files individually or as a class, and demands call records in discovery. Early-stage defense alone can run $50,000 to $150,000 before anyone talks settlement. Then the settlement number arrives.

Public cases give you scale. The FCC proposed a $225 million penalty against Texas-based health insurance telemarketers for illegal spoofed robocalls in 2021, the largest robocall fine the agency had ever proposed at that point. [8] Private class action settlements routinely land anywhere from $1 million to $75 million depending on call volume and violation type. [9]

The gap between a $20,000 settlement and a $2 million one usually comes down to documentation. Companies with clean consent records, timestamped DNC scrub logs, and a documented response to the violation consistently do better. Companies that can't produce records, or whose records contradict their story, face far bigger numbers.

For a real-case sense of the figures, the Credit One TCPA settlement is one of the more instructive public examples.

What should you do if you receive a TCPA demand letter or lawsuit?

Don't answer the letter yourself. Don't ignore it. And don't call the plaintiff's attorney without your own counsel on the line.

A TCPA demand letter is a formal legal document, and anything you say back can be used against you. Your first move is to forward it to your company's attorney, or hire one immediately if you don't have anybody who handles TCPA. Then issue a litigation hold to everyone with access to relevant records: CRM admins, dialer system owners, the rep's manager, and HR.

While that's happening, assemble everything you built in the first-24-hours response: call logs, consent records, DNC scrub results, and your dated notes on when you found the problem and what you did. That package tells your attorney what settlement value looks like against defense cost.

A class action complaint changes the math. The timeline compresses and the stakes climb. TCPA class actions have produced settlements that bankrupt small companies when call volumes ran high. Early resolution, when the facts warrant it, is often cheaper than full litigation.

One more thing. Many TCPA demand letters, especially from individual plaintiffs rather than established firms, are settlement fishing expeditions. Your attorney can tell you which category you're facing and calibrate the response. Not every demand letter turns into a lawsuit.

Frequently asked questions

Can a company be held liable for TCPA violations a rep made without permission?

Yes. Under the FCC's 2013 declaratory ruling, companies can be vicariously liable for TCPA violations their agents commit under actual authority, apparent authority, or ratification theories. If the rep used company systems and you failed to act after discovering the violations, courts can find you ratified the conduct. Liability attaches to the company even when the rep acted against internal policy.

What is the per-call penalty for unauthorized TCPA calls?

Under 47 U.S.C. § 227(b)(3), statutory damages are $500 per call and up to $1,500 per call if the violation was willful or knowing. There is no cap on total damages, which is why high-volume class actions produce multi-million-dollar settlements. Calling a number that had already opted out is often treated as willful, triggering the $1,500 figure.

Should I fire the rep immediately after discovering unauthorized calls?

Suspend CRM and dialer access first, then document the facts before deciding on termination. Firing someone before you've built a clear record can complicate later proceedings and may cost you the rep's cooperation. Once you have documented evidence of a policy violation, termination for cause is appropriate. Keep all documentation even after the person leaves.

How do I check if the numbers called are on the National DNC Registry?

The FTC runs the National Do Not Call Registry at donotcall.gov. Registered telemarketers access it through the FTC's compliance portal to scrub their lists. The FTC requires scrubbing at least every 31 days. If your rep called numbers without a recent scrub, those calls may violate the Telemarketing Sales Rule on top of TCPA.

Does the established business relationship exception protect us from liability for calls to existing customers?

Possibly, but only for residential landline numbers on the DNC Registry, and only if the last transaction or inquiry was within 18 months. The EBR exception does not override the ATDS consent requirement for mobile numbers. If the rep called cell phones without written consent, the EBR argument almost certainly fails for those numbers regardless of transaction history.

At minimum 4 years, matching the federal statute of limitations under 28 U.S.C. § 1658. Some state TCPA analogues run longer. The FTC's Telemarketing Sales Rule requires keeping consent records for 24 months from collection. For any calls flagged as potential violations, preserve everything indefinitely until an attorney tells you the risk window has closed.

What is a litigation hold and when should we issue one?

A litigation hold is a formal instruction to stop deleting, overwriting, or modifying records that may matter to anticipated or actual litigation. Issue one the moment a lawsuit is reasonably possible, which is essentially the moment you discover unauthorized calls. Send it to CRM admins, IT, the rep's manager, and HR. Courts treat spoliation (destroying evidence after a hold should have existed) as serious misconduct.

Yes, and you should. Most major CRMs support workflow rules or validation logic that block a call unless a consent record field is populated and a DNC check has cleared. This is a configuration task, not a custom development project. With the gate in place, a future unauthorized call requires the rep to actively falsify a record, which is far easier to document and defend against.

What's the difference between a TCPA claim and a Telemarketing Sales Rule violation?

TCPA (47 U.S.C. § 227) is enforced by the FCC and through private lawsuits, covering auto-dialer and prerecorded call consent rules. The Telemarketing Sales Rule (TSR) is an FTC regulation covering DNC Registry compliance, calling hour limits, and disclosure rules for telemarketing. One unauthorized call can trigger both. TSR violations can draw FTC civil penalties up to $51,744 per violation as of recent adjustments.

Does TCPA apply to calls made from a regular phone by a human rep, or only auto-dialers?

Manual calls to residential numbers on the DNC Registry still violate TCPA's DNC provisions regardless of whether an auto-dialer was used. The ATDS consent rules apply specifically to automated calls to mobile numbers. A rep manually dialing cell phones without consent may not trigger the ATDS provisions after Facebook v. Duguid, but DNC Registry and state law violations still apply.

What should our outbound calling policy include to prevent unauthorized calls?

At minimum: which contact lists are approved for outbound calling, what consent documentation is required before a call, how often DNC scrubbing runs and who owns it, permitted calling hours, how opt-out requests get logged and honored, and the consequences of violating the policy. Have it signed at onboarding and reviewed annually. Keep signed copies in personnel files.

How often do TCPA class actions actually go to trial versus settle?

The overwhelming majority settle before trial. TCPA's statutory damages, with no cap on aggregate liability, push defendants hard toward settlement once a class is certified. Published data from major cases shows settlements from under $1 million for small call volumes to over $75 million for large-scale violations. Defense costs alone often push early settlement even when liability is disputed.

Can the rep be personally sued for TCPA violations, or only the company?

Both. TCPA allows suits against any person who initiates a violating call. In practice, plaintiffs' attorneys usually name the company because it has more assets. But individual liability is legally possible, and some cases have named officers and managers who oversaw non-compliant programs. A rep who acted against explicit company policy is in an odd spot: the company may hold indemnification arguments against them while both get named in the same suit.

Sources

  1. Legal Information Institute, Cornell Law School, 47 U.S.C. § 227, Restrictions on use of telephone equipment: Statutory damages under TCPA are $500 per violation and up to $1,500 for willful or knowing violations; the established business relationship exception applies for 18 months following a transaction.
  2. Federal Rules of Civil Procedure, Rule 37(e), Spoliation of Electronically Stored Information: Courts can impose sanctions for failure to preserve electronically stored information when litigation is reasonably anticipated.
  3. FTC, Complying with the Telemarketing Sales Rule (TSR): Sellers and telemarketers must scrub against the National DNC Registry at least every 31 days; companies must honor do-not-call requests within 30 days.
  4. Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 516 (2021): The Supreme Court narrowed the ATDS definition to systems that use a random or sequential number generator to store or produce telephone numbers.
  5. FTC, National Do Not Call Registry, Business Compliance: The FTC requires sellers and telemarketers to access and scrub against the National DNC Registry; consent forms must be retained for 24 months under the TSR.
  6. Legal Information Institute, Cornell Law School, 28 U.S.C. § 1658, Statute of Limitations: The general federal statute of limitations for civil actions arising under Acts of Congress is 4 years.
  7. FTC, Overview of the Telemarketing Sales Rule: TSR civil penalties for violations were adjusted to $51,744 per violation under the FTC's penalty inflation adjustment process.
  8. FCC, Consumer and Governmental Affairs, Stop Unwanted Robocalls and Texts: The FCC enforces TCPA restrictions on auto-dialed calls, prerecorded messages, and calls to numbers on the National DNC Registry.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

LeadCompliant
Build My Kit