The attack in Boston will no doubt be examined for a long time to come. Sponsors and organizers of large public events will obviously have to take notice of the results of that analysis and adjust security procedures accordingly. But as a general proposition, a mere "hardening of the targets" will not be enough to secure events and places that involve large public gatherings. Instead, the approach to security will have to be taken to an even higher level, where on-site physical protection measures are complemented by even more sophisticated approaches to providing patrons, customers and invited guests a suitably secure environment. Doing so is not just a necessity to meet what will likely be an increased standard of care, but it is also both the right thing to do, as well as potentially good business practice. In light of the tragic Boston events, it is worthwhile to consider each of these imperatives for addressing the business security environment going forward.
It is well established that businesses owe their customers and patrons a level of security that meets a standard of care necessary to protect against reasonably foreseeable criminal conduct. See, e.g., Chapman v. E.S.J. Towers Inc., 803 F. Supp. 571 (D.P.R. 1992) (the issue underscoring the imposition of liability is whether the criminal conduct of third parties was foreseeable and preventable); Nieswand v. Cornell University, 692 F. Supp. 1464 (N.D.N.Y. 1988) (duty of care arises if harm is foreseeable or if past criminal activity indicates that criminal incident is a significant, foreseeable possibility). Factors relevant to support a finding that criminal conduct is reasonably foreseeable include presence of suspicious individuals, compliance — or noncompliance — with security measures, likelihood of criminal activity and whether security measures would have deterred criminal conduct. See, e.g., Meyers v. Ramada Hotel Operating Co. Inc., 833 F.2d 1521, 1523-24 (11th Cir. 1987) (listing factors relevant to a foreseeability determination). Whether a criminal act is foreseeable may evolve proportional to both relevant risks and to available measures to mitigate the risks.
In regard to large public gatherings, industries as well as individual companies are well advised to assess both the risks and the available means to mitigate them and then address where the line of reasonable care can be drawn. While this need not be an overly burdensome task, and improvements in physical security measures may be readily identifiable, a more vexing issue arises concerning the acquisition of knowledge that can aid in both risk identification and mitigation.
It is axiomatic that one of the most effective tools to detect and prevent terrorist violence is the acquisition of information, or intelligence, about the capabilities of groups and specific individuals, as well as similar information about their actual plans and intentions. Because the principal responsibility for public safety has been traditionally reposed with the government, we have largely viewed the function of acquiring such information as exclusively a governmental responsibility. With the exception of liaison services between the government and private entities for major events such as the Super Bowl, we have not seen evidence of a dedicated program by which the government shares such information with private-sector operators and sponsors of events and facilities where the public gathers.But this state of affairs may be evolving rapidly due to changes in the general risk profile occasioned by events, such as the recent bombings in Boston. After the tragedy of September 11, 2001, there were no known foreign-inspired or -directed terrorist attacks on U.S. soil through 2008. But a series of events since 9/11 has altered the basis for a reasonable assessment of risk, beginning with the failed in execution, but successfully initiated, underwear and shoe bombers attempts, through the Fort Hood military base shootings, the successfully thwarted attacks in New York, and now the Boston Marathon bombing. It is not unreasonable to objectively view these occurrences as having occasioned a significantly increased level of risk in the homeland.
That raises new issues for companies, especially those whose business entails significant public gatherings, in re-evaluating their response to this change in risk profile. Companies most closely affected include the obvious, such as sponsors and venues used for large sporting events, as well as private venues where the public regularly gathers in significant numbers, such as shopping centers, theaters, festivals and the like. But the altered risk profiles extend further to companies that manufacture, transport or trade in commodities that, released to the environment or converted for illicit use, can present grave dangers to public health and safety.
Part of the evaluation of and response to changed risk factors can be grounded in good business practices. Those businesses that assure a relatively safe and secure environment are more likely to enjoy the presence of their customers and patrons than are those that do not. At the same time, establishing internal procedures designed to meet any evolution of risk is bound to help insulate companies from liability and/or reduce the extent of liability should violence causing injury or death nonetheless occur. Last, the evolution of security measures and being on the leading edge of their development does in fact "harden the target," and that, by itself, is a valued element of deterrence. Still, one could anticipate a tendency to wait and see what the after-effects of Boston might be before businesses re-evaluate security measures. But it can also be argued that re-evaluating security to identify reasonable levels of improvement can be an important element of the overall response to the incident and can help deter further escalation of such violent acts.
It also would seem that good corporate citizens will recognize their role in enhancing the security of our public environment as we acknowledge living in the post-9/11 world, where events like Boston will remain a realistic threat. In an economy that depends in significant part on consumer spending, an environment where the public is fearful of public places and gatherings is not conducive to economic well-being. While public safety is and will remain a core governmental responsibility, the government’s ability to meet desirable and business-friendly public-safety objectives will be substantially strengthened by affirmative corporate participation and partnership with the government in achieving public-safety goals.
One approach to assessing new risks could involve grounding security evaluations in legal risk-management procedures. Corporations engage in privileged reviews of many types of risks for purposes of identifying effective risk-management measures. These include anti-corruption compliance assessments; health, safety and environmental examinations; and the like. The same approach could be used for purposes of security evaluations done under the auspices of counsel with the assistance of outside expertise. Such evaluations have been recognized by the courts to enjoy the protection of privilege so long as they are undertaken as part of a legitimate legal risk-management process with an obvious eye toward more-than-merely-speculative litigation. See Logan v. Commercial Union Ins. Co., 96 F.3d 971, 976-77 (7th Cir. 1996). Although there is no guarantee that in any given circumstance a court would recognize such a project as privileged, the more indicia of legal purpose and evaluation that attaches to the process, the greater the opportunity that can be expected to achieve privilege and work-product protection.
Another sensible step may involve achieving more regularized communication between private entities and the government about information relevant to threat assessments and responsive defensive measures designed to enhance security in light of such information. Including such information in a legal risk-management procedure may also assist in protecting an entity from current and subsequent disclosure and that, in turn, may facilitate more open communication from government sources concerning useful information. Again, the parameters of privilege protection are yet to be defined with particularity, but it seems well advised to ground these efforts in legal risk-management processes so as to maximize the opportunity for privilege protection. Companies could also pursue agreements with both government and private sources of information that have enforceable confidentiality provisions built into their terms.
Inasmuch as government and business share the objective of providing a safe and secure environment for public events and gatherings, many of which are essential to a sound economy, it behooves businesses to seek innovative approaches to the security challenges that the post-9/11 world presents. Lawyers and knowledgeable professionals steeped in security procedures — coupled with an appreciation of the benefits of security-related intelligence — can combine to enhance business entities’ security risk-management efforts.
George J. Terwilliger III is a partner in Morgan, Lewis & Bockius’ Washington office, where he is a member of the firm’s global white-collar and litigation practice. He previously served as a front-line federal prosecutor, a U.S. attorney, the deputy attorney general and acting attorney general of the United States.