I was recently asked to present webinars to both the International Association of Healthcare Security & Safety (IAHSS) and American Society of Healthcare Risk Management (ASHRM) and to write an article that will be appearing in the next issue of the Journal of Healthcare Protection Management on the topic of security related litigation in the healthcare sector. I received some great feedback on the webinars which led me to creating this blog post. Security related litigation is by no means unique to the healthcare sector, in fact there are several sectors where security related lawsuits are even more common, so I felt that a brief industry agnostic blog entry on the basics of avoiding security related litigation might be useful. Businesses in a multitude of industries can find themselves faced with litigation related to failure, or perceived, failures in the security programs, though they are most common in industries where the business is open to the public. Some industries that may have an increased risk of litigation are:
Hotels and motels
Apartment and condominium complexes
Shopping centers, strip malls, and retail stores
Bars and nightclubs
Hospitals, clinics, and long-term care facilities
Parking facilities
Casinos
Schools, both Higher Ed and K-12
Gas stations and convenience stores
Banks and ATMs
Office buildings
Houses of worship
Entertainment venues
and many others
Each of these industries faces their own unique challenges when it comes to protecting their patrons from harm, but the basic elements necessary for a security related lawsuit remain constant. For a person, the plaintiff, to successfully sue an entity, the defendant, after a security incident there are several elements that they must prove to the court’s satisfaction.
First they must show that the defendant had an obligation, or duty, to protect them from whatever incident occurred. An important piece of duty is the reasonable foreseeability of the incident. The court will ask the question of whether the defendant could have been reasonably expected to know that the incident that occurred could have been expected to occur or was foreseeable. This often plays into whether other similar incidents have occurred at the same location, but can also include whether it is, or should be, common knowledge that similar types of incidents occur in similar settings or in the geographic area where the incident occurred.
Secondly, the plaintiff must prove that the organization was negligent, and that because of that negligence there was a breach of duty it owed to the plaintiff. In other words, the defendant did not live up to the expectations of what they should have provided to keep the plaintiff from suffering harm.
Third, the plaintiff must prove that they experienced actual harm, or damages, from the incident. The damages may come in the form of physical, mental, or financial damages. The plaintiff, must then also demonstrate that the incident was the actual and proximate cause of the damages that were suffered, meaning that without the occurrence of the incident the damages would not have been suffered.
Most litigation arising from security incidents falls within one of two primary categories premises liability or intentional torts. Legal actions falling within the prevue of facilities liability typically allege that the organization provided inadequate security for one or more reasons. Intentional tort claims are made when the negative actions of someone that the organization should exert control over, such as an employee, resulted in the damages to the plaintiff. Additionally, many security related actions in healthcare have a potential medical malpractice angle to them and in Education many may also have Clery Act or Title IX ramifications.
A lawsuit based on a claim of premises liability due to inadequate or negligent security asserts that the organization had a duty to maintain a certain level of security, and the fact that it was negligent in doing so resulted in the damages suffered by the plaintiff. This can take many forms and result from incidents such as robberies, shootings, or sexual assaults.
As mentioned earlier, a significant burden in proving inadequate security rests on proving the foreseeability of the incident. While it is not necessary in all jurisdictions to have had a previous substantially similar crime occur in the location, the fact that one has occurred will, short extenuating circumstances, generally guarantee that the incident is determined to be foreseeable.
Another common cause of allegations of inadequate security is when a business has implemented security solutions, typically technology, but has then failed to maintain that equipment to keep it in working order. Maintenance issues can also come into play in litigation regarding doors that fail to lock, non-functional (or fake) video surveillance cameras, and inoperative or unanswered emergency call boxes.
The second type of commonly experienced security related litigation is that related to intentional torts, or wrongful acts done purposefully by the organization’s staff or someone under their control, such as a contracted employee. The person committing the act does not have to intend harm, they simply need to intend the act that ends up causing the harm.
The most common security related intentional tort litigation deals with acts by the organization’s Security staff, whether in-house or contracted through a third party. Acts often cited in litigation are use of excessive force or false imprisonment by security or loss prevention personnel.
Other intentional torts involve allegations of negligent hiring or negligent retention by the organization when an employee commits an act that while outside of the scope of their employment should have been expected based on what the organization knew or should have known about them. This type of litigation is often seen in cases where an employee may sexually assault or otherwise cause harm to either an invited guest of the organization or a member of the public who happened to be present on the business's property.
Based on the very nature of their business most organizations cannot remove all risk of security related litigation but keeping the elements discussed above in mind, how can an organization to reduce the likelihood of being on the losing side of litigation related to its Security practices?
The organization’s security leadership should have a good understanding of the risk landscape of their facilities and the operations within them.
The security leader should also ensure that they are tailoring the security solutions they implement to match those risks and adjusting their solutions as their risk situation changes or as more information on threats and the effectiveness of their current mitigation measures becomes available.
There are also several different things an organization may do to potentially transfer some of their litigation risk to a third party, such as through insurance or indemnification clauses in their contracts.
The organization should ensure that it has a defensible background investigation process in place and should provide adequate supervision and discipline to ensure that negative behaviors by its employees that might result in liability are identified and corrected quickly.
The organization should try to avoid inconsistency in its security operations from one location to another that have similar risk profiles.
In addition to seeking risk driven consistency for the security programs across an organization’s own facilities, the organization should also seek to align its program with best practices and standards across its industry.
An organization should also make an effort to be consistent in the deployment of its security program, if the decision has been made to implement a control aimed at reducing the risk posed by one or more security threats the organization should ensure that it maintains that control until either the threat dissipates or another more effective control is put in place.
As a business’ security program develops, their security leadership teams often become so invested in the program that they have created that they can develop “blind spots” to gaps that may exist. Because of this it often behooves the organization to engage in regular outside reviews of its security program for a fresh perspective. This can be accomplished by contracting with an outside consulting firm to conduct a review either of its entire security program or of specific elements of the program.