
Ignorance Is Not a Defense: Understanding Security Liability

By Daniel Young | January 15, 2026 | 4 min read

If you don’t know about a security issue at your site and it causes an incident, can you be held liable for that issue?

If a building has a broken door lock, and no one has reported it, will you be liable if an assault happens inside that building when the assailant uses that door to enter the building? What if a light is out, enabling an intruder to sneak onto your property? Are you liable?

As a security professional, I often hear some form of this question from businesses. While there is a simple answer, framing the question this way is a dangerous way of thinking about the physical security risk assessment process.

What is liability?

When you’re liable, it means you can legally be held responsible for something.

From a security perspective, liability refers to your responsibility for issues that can affect the safety and security of your people and organization. A company is responsible for providing a safe working environment, meaning it’s your job to identify safety issues, prioritize fixing them, develop a plan, and implement remediations.

That’s where the physical security risk assessment process comes in.

What’s a business’s role when it comes to liability and security?

When businesses ask this question, I use a simple analogy:

Imagine you own a grocery store, and there’s a puddle of water in one of the aisles. Are you liable if someone slips and falls? You didn’t spill the water yourself. You didn’t know about the puddle, and neither did your staff. However, the puddle is on your premises, and therefore your responsibility. It’s something you can control and fix by having employees patrol the aisles, proactively looking for spills.

So yes, you’re liable. It happened on your watch and on your site. Even if you didn’t know about that precise spill, you’re responsible for it being there without placards informing shoppers of the hazard or employees mopping it up within a reasonable amount of time.

In this case, as with most liabilities, your responsibilities include a course of action:

  1. Accept the hazard
  2. Inform people about it and use preliminary safety precautions
  3. Resolve it

Those are your responsibilities as a business. If you’re worried about slip-and-fall fraud, you can even protect yourself by installing cameras, so that if someone purposefully spills water themselves and “slips,” you have proof that you aren’t liable.

“What if we don’t want to know?”

When it comes to security, “see no evil” is not an option.

We will sometimes encounter a business where decision-makers will say that they “don’t want to know” about an issue. This goes beyond simple liability and into neglect.

The short answer: if you don’t know, you’re still liable. If you do know about a hazard but pretend you don’t, you could be in significant legal trouble.

Here’s the slightly longer answer: if your business is aware of a hazard but you choose to do nothing, that’s gross neglect, and it’s even worse than being held liable for a security issue. If you can reasonably foresee an issue happening, if you have the power to correct it, and if it’s on your site, you’re liable for it.

If you claim not to know about a hazard, and it’s later proven that you did, the legal and reputational consequences will be worse for you than simply being held liable for a hazard. The bottom line is that the liability will exist even if you don’t acknowledge it. And the more you ignore it, the worse it will become.

How can you (legally) protect your business from liability?

Vulnerability and liability aren’t the same thing. You can have (and acknowledge) vulnerabilities without being liable. In fact, the physical security risk assessment process is meant to reduce your liability.

How does the physical security risk assessment process limit liability?

Proactively assessing risk is the first step towards a safer workplace, and towards reducing liability. A thorough security risk assessment gives you a picture of the risk at all of your sites, identifying hazards so those risks can be mitigated.

Remember: you don’t have to fix every single hazard immediately. Instead you can use the data from your risk assessment to build a plan, prioritizing risks and mitigating the most pressing hazards first.

The plan shows that you’re aware of hazards, and taking steps to address them. If a safety incident takes place, you can refer to the assessment and your plan, showing that you’re addressing hazards at your site.

How can you keep risk assessments private?

There are also ways to protect yourself from liability in civil cases without shirking your responsibilities as an organization. For example, when you ask an attorney to review your liabilities and advise you on them, you are protected by attorney-client privilege.

While that privilege doesn’t extend to the security consultants who conduct risk assessments, you can also protect your assessments by filing them with the Cybersecurity & Infrastructure Security Agency’s (CISA) Protected Critical Infrastructure Information (PCII) program. If you file your assessments with PCII, rather than keeping them internally, the assessment is sealed: it cannot be used against you in civil liability cases, and it cannot be uncovered by requests filed under the Freedom of Information Act (FOIA).

Keep your organization safe with proactive risk assessment

As a business, you are liable for everything that happens on your site. It’s best to know about any security issues or hazards, because the sooner you correct them or remediate them, the less severe the liability can be, and the safer your staff and customers will be.

Circadian Risk’s comprehensive security risk platform gives you visibility into the physical security at your sites. Our tools transform complex data from multiple sites and systems into visual, actionable insights, helping you quickly identify vulnerabilities, quantify risk, and make confident, informed decisions. Whether you’re assessing physical security, cybersecurity, or organizational culture, Circadian Risk’s risk analysis platform helps ensure your organization is safe and secure.

Schedule your risk-free demo of Circadian Risk’s risk assessment platform today.
