Guest Commentary: Liability issues that face today's security management

First, let me admit, before my career path took me into the security sector, I used to be one of the “bad guys.”

I was an attorney. I made my living by finding ways to sue corporations. One of the more lucrative avenues that I found was suing companies and utilities for negligent security. Negligent security falls under premise liability. (I will describe it, and ways to defend it, a little later here.)

Let's face it, security is a “non-revenue generating expense.” When programs get cut, usually the first to get cut is security. Lawyers know this and use this against companies—for big verdicts. So I am in a unique position to see liabilities from a lawyer's position and now from a security manager's position.

There are many civil liability hurdles that a security manager must jump in order to defend against potential negligent security lawsuits.

What is negligent security? Negligent security cases involve the failure of companies to implement “reasonable” security measures for protection of their customers from crime.

For instance, let's say one of your customers is walking across a payment center parking lot to pay his bill, a robber runs up behind him, hits him on the head and steals the money. In this example, the company has a “duty of care” to keep that customer safe while the customer is on the utility's premises.

The question then becomes: Was the duty of care breached? There are two elements that must be met in order for a plaintiff to satisfy that question. The first element is “foreseeability.” Was it foreseeable that someone might get robbed in that parking lot? The quick answer is “yes,” because it is foreseeable that an area where a large number of people are congregating to pay a bill with cash would be prone to robbery.

The next element is whether the company made a “reasonable” effort to prevent the crime. To assess “reasonable” effort, juries will look at industry standards: Are there sufficient surveillance cameras, adequate post orders and efficient lighting? How are other similar companies of the same size handling their security measures? If the company is found not to have made a “reasonable” effort as compared to other companies and industry standards, then the company is on the hook for damages.

Furthermore, negligent security case verdicts can be substantial, ranging in the $100 million range [Barrak v. Report Investment Corp., Miami Dade Circuit Court, Fla., 2007].

There are many examples of large verdicts in negligent security in all sectors of the security industry. At banks, casinos, utilities, hotels, apartment complexes, shopping malls, restaurants and other businesses, negligent security can destroy any business's financial outlook and can even cause the business to fail.

Although I have a consulting business where I help companies prevent negligent security and work as an expert witness in negligent security cases, my “day job” is working as the security manager at a large water utility. So, for critical infrastructure security managers, how does negligent security relate? Utilities, besides having a duty to keep customers and employees safe on their premises, also have a duty to provide safe water and power to their customers.

Let's say a criminal act or terrorist attack occurs and a hospital is without water for a significant period of time due to the attack. Let's further assume patients get sick as a result of the hospital not having water. A competent plaintiff attorney would, in the discovery phase of the lawsuit, get copies of all security measures. If the security measures are inadequate or outdated or the utility did not do what they proclaimed they were going to do in a risk assessment, the utility could be held liable for damages.

Moreover, I contend that in the current legal environment, terrorist attacks are now considered foreseeable.

Security managers should be mindful of these liability issues arising out of inadequate security measures. Legal precedent shows companies can be on the hook for substantial verdicts due to this oversight. In the 1993 bombing at the World Trade Center, more than 175 separate lawsuits were filed, 400 claims for compensation and a $1.8 billion dollar verdict. The jury found that, although the risk assessment was adequate, the company had not mitigated its risk as it stated it would do in the assessment. One of the vulnerabilities stated in the risk assessment was that the World Trade Centers were vulnerable to a bomb. Therefore, a terrorist attack using a bomb was deemed foreseeable.

In addition, security managers who do not correct identified security regulatory non-compliance issues can also be held criminally liable. With respect to criminal liability, a post-audit failure to correct an identified problem can show either a knowing or deliberate indifference to a violation, either of which can be construed as criminal intent. [U.S. v. Ming Hong, 242 F.3d 528 (4th Cir.)]

There are several defenses available to utilities for negligent security cases. Governmental immunity is a defense that may shield utilities if a utility is considered part of a state or municipal governmental agency. Many states have laws that limit the amount of liability that a municipality will face. However, there are a few exceptions to governmental immunity. For example, if a potential plaintiff can prove that the utility conducts ultra-hazardous activities, such as using gaseous chlorine in their water treatment process, governmental immunity may be waved depending on the jurisdiction. Some states, however, such as Colorado, have a statutory prohibition against the imposition of negligent security in connection with a utility, regardless of ultra-hazardous activities. Such states may have blanket immunity under state torts claim acts, which are modeled after the Federal Tort Claim Act. In those states, unless conduct falls into a category of situations where immunity does not apply—such as a knowing or reckless failure to protect—a publicly owned facility is not liable for negligence.

An extremely useful defense to negligent security cases arising from a terrorist attack would be under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002. The SAFETY Act provides legal liability protections for providers of qualified anti-terrorism technologies. The SAFETY Act covers products and services, and more recently, certifications and risk assessment methodologies. ASIS International offers certifications that have been designated as SAFETY Act certified. If a security manager holds an ASIS certification, and the manager's utility is destroyed in a terrorist attack, any claims that the manager's certification is insufficient would be dismissed immediately. Risk assessment methodologies that have received the SAFETY Act designation include the RAMCAP methodology used in the water industry. Other industries have similar SAFETY Act certified risk assessment methodologies.

Negligent security is a topic that all security managers, regardless of sector, should always consider when performing security surveys and risk assessments of their businesses.

From personal experience, when asking for funding for security upgrades, using a business case that includes possible negligent security aspects and issues will help you get the funding you need. Most c-suite people like to see a good ROI. With using the actual cost of the “not doing any security upgrades” as it relates to negligent security, you can show true value to your security program.

Scott Starkey is the security director of the Birmingham, Ala., Water Board, which serves more than 600,000 residents and is the state's largest water utility. He is a past Security Systems News' “20 under 40” end user award winner.