Commercial entities have a number of choices regarding security.These range from providing none at all to securing themselves andtheir employees and customers behind locked gates and high wallswith armed guards, either directly employed or contracted fromsecurity services.

For some organizations, the latter is exactly what is required,if not by law, at least by necessity. Examples of these would benuclear power stations, FAA installations, military bases,chemical, biological, or defense contractor factories,pharmaceutical labs, and similar facilities have a definiteexposure to domestic or foreign terrorist attacks or industrialespionage.

Such entities are not openly accessible to the general public.Visitors must register, perhaps pass through metal detectors orhave their vehicles searched, and, in some cases, have theirpresence verified by whomever they are to visit. Identityclearance, besides name badges or electronic identification cards,often includes high-tech systems, such as fingerprint or eye-printdetection. In 2004, for example, the University of California,operator of the Los Alamos National Laboratory in New Mexico, wasbeing scrutinized for a security lapse resulting in two missingcomputer data storage devices, resulting in almost 20 employees'being stripped of their security badges and privileges.

For premises open to the public — stores, offices, courthouses,colleges, theaters, and similar places — fewer overt security stepsmay be needed. Most courthouses and other government buildings dohave guards who screen visitors or require passage through metaldetectors, because emotions of litigants or reactions of criminalson trial can be violent, and the presence of a visitor with aweapon can be fatal. Few stores, however, require customers toenter through metal detectors, although many merchants haveanti-theft detectors that sound alarms if theft-detector devicesare not removed from products after purchase.

Because stores frequently are victims of shoplifting, securitymore often is aimed at theft prevention rather than customersafety. Traveling gangs of clothing thieves have been known tosteal thousands of dollars of merchandise at a time, costingmerchants and their honest customers more for the productslegitimately sold. Thus, security is constantly being increased tonew levels. In 2004, the CBS news program, 60 Minutes, reported onthe loss of thousands of dollars of clothing due to roving illegalLatin American gangs.

Such security may involve uniformed or plain-clothes guards,video camera surveillance, alarm systems (activated by devices inproducts), locks (for example, furriers often run locked cablesthrough the sleeves of their coats), and similar devices.

Security Hazards

Every type of security provides a risk to someone. Certain typesof mechanical detectors may interfere with medical devices such asheart pacemakers, and subjecting visitors or customers to devicesmight trigger medical incidents. Guards, armed or otherwise, maymake mistakes, arresting innocent customers or having the wrongpeople arrested, exposing security services and stores to chargesof false arrest, imprisonment, or malicious prosecution and otherpersonal injury perils.

A perceived need to act can exceed the need to think first. Manyprivate security guards may not be provided sufficient training incrime detection, evidence securing, weapons, and arrest procedures.In a worst-case scenario, an armed guard may shoot someone,exposing the guard service and the store to a wrongful death actionand, subsequently, to a potential dispute with an insurer overcoverage.

The Hawaiian case, CIA Service Corp. v. W.T.P. Inc. (690F.Supp., 910 [D. Haw., 1988]), addresses claims arising out of theuse of firearms by insureds or insureds' agents. Many courts placethe burden of showing that policy exclusions apply to losses oninsurers. See, for example, Auto Owners Ins. v. Harrington (212Mich App. 682, 538 N.W.2d 106 [Mich, 1995]), or USAA v. Sorrells(910 S.W.2d 774 [Mo., 1995]).

Guards who are provided vehicles for their security patrolslikewise create liability exposures for their employers. Anadditional exposure arises when a guard is absent and a loss — abreak-in, assault, or other crime — is committed that might havebeen prevented had the guard been present or more alert.

Mechanical alarms also can be problematic. One New York Citystudy regarding false alarms outlined the tremendous cost andconfusion caused by defective fire alarm systems (reported by BarryFurey in the March 1984 issue of Firehouse Magazine). At one timeprior to Sept. 11, 2001, more than 1,000 false alarm runs a yearwere made to the World Trade and Rockefeller Centers. The same istrue of malfunctioning burglar alarms that trigger policeinvestigations when no break-ins had occurred. Many cities now areresponding by fining home or building owners for false fire andburglar alarms.

Privacy Issues

Invasion-of-privacy allegations often accompany improperlyconducted background investigations or claimant surveillance. Badlyhandled investigations by independent contractor privateinvestigative firms for insurers or self-insurers are a frequentsource of litigation. In one case known to the Iconoclast, aninvestigator misrepresented himself and appeared at a claimant'shome late at night to conduct an interview. On another occasion,private investigators trespassed on private property to conductsurveillance of claimants. In a third, the investigator followingthe claimant was so obvious that she believed that she was beingstalked and had the investigator arrested.

In perhaps the most blatant case, an insurer learned that aninjured claimant was going to be married and advised theinvestigative service of that fact. A female operative was sent tothe wedding. She was very conspicuous in taking video pictures bothduring the wedding ceremony and at the reception, to which she wasan uninvited guest. The investigator also became intoxicated at thereception and created a scene. Finally, after filming the bride andgroom dancing, she departed with one of the waiters.

When viewing the official photos from the wedding, the husbandcommented, “That cousin of yours sure made a scene.” The wifereplied, “My cousin? I thought she was your cousin.” When theyfound out who the intruder was, they sued the insurer and detectiveservice for the entire cost of the wedding. The case was settledout of court.

One common, and criminal, stunt occasionally pulled byinvestigative firms intent on filming subjects doing labor whenthey are claiming disabling injuries is to stage scenes. This mayinclude letting the air out of subjects' tires so that they eitherchange the tires or get someone to change them, or to drop heavyitems in the subjects' driveways so that the claimants must liftthem out of the way. Besides being unusable evidence in any courtof law, the danger of such practices is that if the person truly isdisabled, the required activity may exacerbate the injury,resulting in a separate injury claim against the insurer, theinvestigator, and, perhaps, the insured. It may also result in apunitive damage demand.

Typical of the type of invasion-of-privacy suit that can resultfrom investigation of claimants, newly hired employees, vendors, orcustomers is that of a California case, Jeffrey H. v. Imai, Tadlock& Keeney (1087167 [Cal. App. 1st Dist, Div. One, 2000]). Theplaintiff was injured in an auto accident and sued the tort feasor.A law firm was hired to defend, and it subpoenaed the plaintiff'smedical records from a hospital. Within the records that werecopied and delivered were several marked, Confidential: Do Not CopyWithout Specific Authorized Consent. These included the results ofthe plaintiff's HIV tests, which were positive.

The plaintiff demanded that all the confidential documents bedelivered back to him but, when the matter went to arbitration, twoconfidential documents were included in the defendant's file. Theplaintiff sued for invasion of privacy, and the trial courtsustained a demurrer to his complaint. On appeal, the court ruledthat California's constitutional guarantee of privacy is broaderthan that of the federal Constitution, and that it extends to thedetails of a person's medical history. The fact that the plaintiffwas seeking compensation for injuries sustained in an autoaccident, said the court, did not obviate his expectation ofprivacy relating to his HIV status.

A number of privacy suits under the Freedom of Information Acthave been instituted against the Department of Homeland Security,the Federal Bureau of Investigation, and others, arising from theway that they have handled privacy issues. One involves the meansby which federal agencies sought information from various airlinesregarding their passengers and later disclosed this information toa defense contractor and to Transportation Security Agencycontractors.

Legislation has been introduced in Congress to consider the useof biometrics in airport access control. This would include factorssuch as fingerprint or hand geometry reading. Suits involving theJustice Department also specify the Patriot Act and the TSA'sComputer Assisted Passenger Profiling System. See, for example,Electronic Privacy Information Center v. Dept. of Homeland Security(Civ. No. 04-0944 [D.D.C., 2004]), and other EPIC cases.

Other privacy suits involve challenges to the Maryland DNACollection Act, which allows the state to collect DNA samples fromcommitted felons and even those guilty of certain misdemeanoroffenses, and a similar suit from a parolee whose DNA was destinedfor inclusion in a nationwide DNA data bank (Maryland v. Raines,Sept. Term, 2003, Case 129, [Md., 2004], and United States v.Kincade [rehearing granted] 02-50380 [9th Cir., 2004]).

“Not since the 1968 Banking Law enactment have we seen suchscrambling … to establish security procedures,” wrote DarrellWilson, security director for Truliant Federal Credit Union inWinston-Salem, N.C. (“Developing an All-Inclusive SecurityProgram,” Security Director News, July 2004). “With the 9/11attack, terrorist threats, and the newly enacted Patriot Act,credit unions and other financial institutions have scrambled tomake sure that they have the necessary security in place to complywith the new laws.

“Many institutions are finding that the old attitude of justappointing anyone as a security director or hiring a lawenforcement officer is not the answer,” Wilson continued. “Securityprograms are built by professional and dedicated individuals whohave expertise in many areas [including] IT, alarms, accesscontrol, digital video operation and installation, as well asextensive investigative experience.” He suggested that financialinstitutions plan at least five years in advance for what they willneed in terms of security procedures and technology.

However, another commentator believes that corporations aredoing too little in the wake of the 2001 terrorist attacks toprepare for better security. In the June issue of the samepublication, Todd C. Vigneault, general manager of InterTech Groupin Elmhurst, Ill., noted that, although budgets for security haveincreased by 10 percent since Sept. 11, 2001, many organizationshave decreased their security postures. “Security managementpositions are part of reduction-in-force packages or are beingsubcontracted due to economies and corporate policies,” Vigneaultsaid. “Budgets for the bulk of corporate America are not increasingin the areas of disaster recovery and asset protection. Theresponse to depressed profits and an over-adjusting market has beenplacing protection needs on hiatus.” The time and energy spent bycorporations preparing for the Y2K crisis, “a catastrophe thatnever occurred,” should be duplicated in anticipation of potentialdisasters, such as terrorist attacks.

Managing Exposure Risks

For any firm with a security exposure, how it handles thatexposure will determine whether it can succeed in avoiding asecurity loss or resulting litigation. Good risk management offersmany options. Commercial entities often can transfer some of therisks associated with security to independent contractors orothers, who then may become responsible if losses occurs.Contractual agreements shifting the exposures, whether forliability to third parties, injuries to employees of either thecontracting security provider or the entity retaining the service,should be drawn carefully to avoid any ambiguities. For example, ifan employer uses a temporary employment agency that is fullyinsured and bonded, to include workers' compensation, many of therisks to or from that employee are transferred to the employmentagency.

In these situations, however, the entity using such a servicemust be certain that the contracts provide the protections needed,and that these are supported by valid and collectible insurance onwhich the entity is named as an additional insured. Any insurancecoverages also should be reviewed by the hiring entity, as specialendorsements may be needed to assure that the coverage will applyto security-related situations. For example, although a commercialgeneral liability policy almost always includes “personal injury”perils, such as false arrest, not all types of public liabilitycontain such coverage. A policy that covers only bodily injury andproperty damage may lack the specific type of coverage that wouldbe needed for a security risk.

Hold harmless and indemnification agreements must clearly spellout the risks being transferred by one party and assumed by theother. Mere exculpatory language (“X will not be responsible for…”) may prove insufficient, as it is simply an agreement that oneparty does not assume liability. Hence, in a loss, it can be arguedthat the other party had assumed such liability. It also isnecessary to watch how clauses such as waivers of subrogation mayfunction, for, as noted in the cases cited above, if a securitycontractor's policy must respond to a situation, it may retain aright of subrogation against any other tort feasors involved inthat situation.

Ken Brownlee, CPCU, is a former adjuster and risk manager,based in Atlanta. He now authors and edits claim adjustingtextbooks.