
Ask the Expert: Are We Liable For a Security Issue If We Don’t Know About It?

January 8, 2021 | 3 min read

Businesses often ask us some form of this question: if we are unaware of a security problem and something happens, can we be held liable for that issue? If, say, a building has a broken door lock, and no one has reported it, will the business be liable if an assault happens inside that building when the assailant uses that door to enter?


A closer look at liability

Liability can be tricky, but from a security perspective, the point of liability is to identify issues that can affect people and the company, and which the company has the ability to avoid, accept, mitigate, or prevent. The key is to identify these issues, prioritize them, develop a plan, and implement remediations.

When businesses ask me this question, I use a simple analogy. Imagine you own a grocery store, and there’s a puddle of water in one of the aisles. Are you liable if someone slips and falls, even if you didn’t know about the puddle? You didn’t spill the water yourself. But it’s on your premises. It’s something you can control and fix, by having employees patrol the aisles looking for spills.

So yes, you’re liable. It happened on your watch and on your site – even if you didn’t know about that precise spill, you’re responsible for it being there without placards informing shoppers of the hazard or employees mopping it up within a reasonable amount of time.

In this case, as with most liabilities, your responsibilities include a course of action:

  1. Accept hazard
  2. Inform people about it and use preliminary safety precautions
  3. Resolve it

Those are your responsibilities as a business. If you’re worried about slip-and-fall fraud, you can even protect yourself by installing cameras, so that if someone purposefully spills water themselves and “slips,” you have proof that you aren’t liable.


What about businesses that don’t want to know?

Liability is one thing. Neglect is another. We will sometimes encounter a business where decision-makers will say that they “don’t want to know” about an issue. Or they’ll ask us if their customers would be aware of a hazard before they consider fixing it.

If your business is aware of a hazard but you choose to do nothing, that’s gross neglect, and it’s even worse than being held liable for a security issue. If you can reasonably foresee an issue happening, if you have the power to correct it, and if it’s on your site, you’re liable for it.

If you claim not to know, and it’s later proven that you did, the legal and reputational consequences will be worse for you than simply being held liable for a hazard. The bottom line is that the liability exists even if you don’t acknowledge it. And the longer you ignore it, the worse it becomes.


Protecting yourself from liability (without ignoring hazards)

Vulnerability and liability aren’t the same thing. You can have (and acknowledge) vulnerabilities without being liable.

There are also ways to protect yourself from liability in civil cases without shirking your responsibilities as an organization. For example, when you ask an attorney to review your liabilities and advise you on them, you are protected by attorney-client privilege.

While that privilege doesn’t extend to the security consultants who conduct risk assessments, you can also protect your assessments by filing them with the Cybersecurity & Infrastructure Security Agency’s (CISA) Protected Critical Infrastructure Information (PCII) program. If you file your assessments with PCII, rather than keeping them internally, the assessment is sealed: it cannot be used against you in civil liability cases, and it cannot be uncovered by requests filed under the Freedom of Information Act (FOIA).

The most important thing to understand, however, is that you as a business are liable for everything that happens on your site. It’s best to know about any security issues or hazards, because the sooner you correct them or remediate them, the less severe the liability can be, and the safer your staff and customers will be.
