Corporate America has intensified its efforts to detect, prevent, and mitigate terrorist attacks.  As part of that effort, many corporations, in good faith, hire outside consultants to review and make recommendations on ways to improve security.  However, a company’s best efforts to protect its facilities and provide a safe and secure working environment for its employees may ultimately result in increased liability.

While hiring a consultant to assess a company’s security program is an essential tool, a consultant’s recommendations, if not heeded, can come back to haunt management.  The findings and recommendations of security consultants are sufficient to put a company on notice of potential threats, regardless of how remote those threats may be.  A company that fails to take measures to remediate a potential threat could be subject to significant liability should that vulnerability ever be exposed.

If a breach of security results in loss and subsequent litigation, consultant reports will be used to demonstrate that the company was on notice of its vulnerabilities and that the event that transpired was reasonably foreseeable and preventable.  Consequently, a company and its management could be held liable for not addressing the findings and recommendations of their security consultants.

Recent court decisions have expanded the definition of what is reasonably foreseeable in terms of security.  In Nash v. The Port Authority of New York and New Jersey, the NY State Appellate Division upheld a jury finding that the owner of the World Trade Center was 68% responsible for damages that occurred in connection with the 1993 World Trade Center bombing.  That finding was based on security consultant reports that were produced in the litigation and that warned of certain threats that the Port Authority failed to address.  The court stated that the absence of previous attacks did not absolve the Port Authority of its duty as a commercial landlord to use reasonable measures to “minimize the risk of harm from criminality upon its premises.”  The court concluded that the attack was reasonably foreseeable because security consultant reports, which were provided to the Port Authority years earlier, warned of the threat of a car bomb in the World Trade Center parking garage.

In In re September 11 Litigation, a federal court in New York, found that it was reasonably foreseeable that terrorists could highjack a commercial airliner and use it as a weapon against American landmarks.  Based on this finding, the court held that the defendant airline companies could be found liable for not taking adequate security precautions addressing these foreseeable events.  The court also held that highjacking is a predictable event and that it was reasonably expected that an airline should foresee the use of an airplane as a weapon.  The court concluded that defendants should have been able to make the connection based on the history of highjackings and the willingness of terrorists to kill themselves in the process of carrying out an attack.

These court decisions are emblematic of why it is no longer possible to take measures and plan solely against the types of threats and dangers that are common or typical.  Courts will hold companies liable for not making the extra connections.  It appears that the terror attacks that we have suffered on our soil and the frequent attacks that we witness overseas, coupled with the imagination of Hollywood screen writers, make nearly any kind of terrorist attack reasonably foreseeable.  If you see it on television or in the movie theater, it’s reasonably foreseeable and you must take the appropriate steps to guard against it.

Corporations must continue to use security consultants to address all hazards, natural and man-made; however, court decisions make it clear that a new construct is in order.  As part of business continuity compliance review, outside legal counsel can retain security consultants to assist in efforts to use standards and best practices as benchmarks to assess a company’s compliance and provide relevant legal advice.  When an attorney is responsible for investigating and advising on business continuity and security issues, that advice is protected by the attorney-client privilege and, therefore, will not be discoverable in future litigation.

Not every recommendation given by a consultant will be feasible or even necessary to ensure the protection of a company’s assets and employees.  By keeping this information privileged, it ensures that a company is not faced with an arsenal of deficiencies merely for having the forethought to hire a consultant in the attempt to better secure its facilities.  Companies should not be penalized for taking the extra step to ensure the safety of their employees and the public.

A company will gain little from sentiments of “should have, could have, and would have” when stockholders are demanding explanations for the lack of prudence in the manner security evaluations were addressed.  The use of an attorney is not indicative of a company’s desire to avoid implementing security measures.  Rather, it will help ensure that, under the “no good deed goes unpunished” category, a company’s efforts to improve its security program through third-party review and validation is not ultimately used against it.