Source: CSO

John Thompson: Avoiding Legal Pitfalls

Attorney John Thompson says security leaders need to be aware of legal issues

September 01, 2005, CSO

Q: Can CSOs be held personally liable for security failures?

A: As a general proposition, in the United States, employees cannot be individually liable for conduct that leads to a security failure as long as they were acting in the course and scope of their employment. Employees in these situations are acting as the agent of the employer, not as separate actors who can be sued. Also, many states have a statutory requirement that employers defend and indemnify employees as long as their conduct was in the course and scope of their employment, they were not grossly negligent, they were acting in good faith and so on. This is not to say that plaintiffs won't name CSOs individually in lawsuits, just that the chances of liability are remote if the CSO is doing his job.

The size or type of the organization is not an issue in employee liability. Those factors will affect the underlying issue of whether the company itself can be held liable for a security failure, however. Most such claims are based on an allegation of negligence. In order to establish negligence, the plaintiff must prove that the company did not act as a reasonably prudent company of that size and type would have acted under the circumstances. In other words, bigger companies need more and better security than little companies because they can afford it.

Q: Should CSOs carry special insurance?

A: Most companies that carry insurance for injuries related to security failures will have insurance that covers their employees' acts, again assuming that the employees were acting in the course and scope of their employment. That being said, I always recommend that employees who have significant assets and jobs (both of which could make them a target of a lawsuit) obtain an umbrella policy to supplement their homeowner's insurance. However, most umbrella policies exclude coverage for acts undertaken at work. It is worth having a discussion with your insurance agent to know exactly when your existing insurance will protect you and when it won't.

Q: Should I have a zero tolerance workplace-violence policy?

A: There is nothing wrong with having zero tolerance for workplace violence as long as that doesn't mean the person who has violated your policy always has to be terminated or disciplined. "Zero tolerance" means that you don't tolerate the potential for violence, not that you don't tolerate the individual who is potentially violent. The goal is to minimize the risk of violence, and that does not always mean taking a punitive approach. Often, punitive action by a company can increase an employee's paranoia, anger, depression, stress or whatever is underlying his inappropriate behavior. Many times, zero tolerance means getting to the root cause of the potential violence and helping the individual become less of a risk. Remember, terminating a dangerous employee does not make her less dangerous; I have yet to run across a company that has physical security good enough to prevent a suicidal or homicidal ex-employee from killing on company premises. (And of course, employees can simply stalk and kill their targets outside of work, where security is even more difficult.) So, make sure your policy focuses on taking effective action to reduce risk, not on a one-size-fits-all disciplinary approach to these complex, dangerous situations.

Q: Should I have a formal policy prohibiting alcohol at events?

A: My question is, Why wouldn't you want to have such a policy? If you have a formal, written policy that alcohol is prohibited unless specific approval is obtained (you wouldn't have to define in advance when you would give approval), then any unapproved consumption of alcohol would be explicitly without authorization. Your argument in a negligence action would be that you had done everything you could to limit alcohol consumption on the premises. It would make it that much easier for the lawyer representing you in a future negligence action to prove you made efforts to keep alcohol off your premises.
