Unconcerned and Unprepared
© 2006 FrontLine Security (Vol 1, No 2)

Greg Pellegrino, Global Managing Director, Public Sector, at Deloitte Research, in a study entitled “Prospering in the Secure Economy,” explains the new secure economy and the opportunity for enhancing business value by investing in responsible approaches to security.

In so doing, Pellegrino discusses many ‘drivers’ for responding in this way, but cautions that “if the business case for greater security is simply about compliance, the effort ultimately will fall short.” Among the other drivers he identifies are cost reduction, revenue enhancement, better risk management, brand protection and the preservation of market share.

In the legal sense, I see a distinct parallel between these ‘security’ business drivers and those driving good Emergency Management and Business Preparedness.

Legal issues and liabilities are often largely ignored, and this exposes any business’s resources to risk.

Why are Directors and Senior Officers considered liable when there is a security breach, emergency or disaster, and how can they defend themselves? The simple answer is that legal issues are all about: (1) negligence and (2) due diligence.

Negligence is a failure to do what a reasonably careful and reasonably prudent person would do in a given circumstance, where the relationship between the parties creates a risk of foreseeable harm to a stakeholder. The law therefore implies a duty of care, and negligence occurs when the standard of care expected of a prudent person is not met. There are ramifications if a Senior Officer is found to be negligent.

Directors and Senior Officers can be like the proverbial ostrich that hides its head in the sand, or they can be proactive. Remember: Inaction is a decision, and inaction can be considered negligence! Directors and Senior Managers are legally responsible for both their actions AND their inactions. They have a duty to all stakeholders to keep their business secure and operating!

Every business is exposed to risks, and those risks can take many forms along an unpredictable and challenging continuum: inconveniences (traffic delays), disruptions (local fire, flood), disasters (earthquakes, SARS, West Nile Virus, terrorist attacks), and catastrophes (9/11, the Tsunami and Katrina).

Any of these risks can affect the ability of a business to continue operating by limiting or eliminating access to its critical data, capabilities, applications, facilities and other critical resources.

Failure to foresee, analyze, predict, manage and mitigate those risks is negligence, and may also result in legal exposure and liability.

Business has a duty and obligation to all of its stakeholders: employees, shareholders, investors, regulators, customers and suppliers, to name a few. Employees will sue if they are endangered while on the job or if they lose employment because the business fails to continue after an emergency. Existing or potential investors may lose confidence and cut funding or may choose to invest in a company that is more responsible. Regulators may lay charges for non-compliance with a wide range of legislation.

Whether it be Sarbanes-Oxley legislation in the United States or similar Canadian securities legislation and regulations, many businesses fail to realize that today’s laws deal with more than financial disclosure, auditor and director independence, and audit committee controls. This legislation also provides for reporting on the status of internal controls. That relates directly to information security and technology controls ensuring that records and data are available, retained, and retrievable. There are also issues of business preparedness and continuity related to the underlying IT infrastructure, and to physical and network security. Penalties for non-compliance include fines and/or jail terms.

Consider also Canadian workplace health and safety legislation. This legislation requires appropriate due diligence, which implies that appropriate policies are in place to ensure that risks to employees in the workplace are foreseen, managed, and mitigated. Such risks would include disasters, emergencies and an avian flu pandemic. Recent amendments to the Canadian Criminal Code, Bill C-45, have taken these obligations even further. As a result of the Westray Mining Disaster (the 1992 methane gas explosion at Plymouth, Nova Scotia, that killed 26 miners), there are now criminal provisions dealing with criminal negligence in the workplace. The liability reaches down from senior management, to supervisors, and even to union officials. To quote the Honourable Martin Cauchon, former Minister of Justice and Attorney General of Canada: “We have taken a major step toward ensuring employers will be held responsible for criminally negligent acts in the workplace. This legislation sends a strong message that all employees deserve such vital protection under the law.”

The legislation makes organizations criminally liable:

  • as a result of the actions of senior officers who oversee day-to-day operations but who may not be directors or executives;
  • when officers with executive or operational authority intentionally commit, or direct employees to commit, crimes to benefit the organization;
  • when officers with executive or operational authority become aware of offences being committed by other employees but do not take action to stop them; and
  • when the actions of those with authority and other employees, taken as a whole, demonstrate a lack of care that constitutes criminal negligence.

As a result of the SARS epidemic, nurses who contracted the disease have launched lawsuits against the Ontario Government and hospitals for negligence on the grounds that a first wave of SARS should have alerted officials to prepare for a second wave.

In the future, I have little doubt that litigation lawyers will seek to establish further bases for legal liability in this area, founded on negligent failure to anticipate and prepare for reasonably foreseeable risks.

In addition to the legal liabilities, customers may make more of an effort to find alternate sources of services and materials if they feel their existing provider is unreliable or irresponsible. Businesses want to know that their supply chain has Security Risk Management and Business Preparedness Plans in place, and will favour relationships with companies that have these plans in place.

There are more recent lessons to be learned from Katrina: preparedness, from the personal level right up to the federal government level, was grossly inadequate for a hurricane that had been forecast. Death and destruction will result in lawsuits. On the other hand, the oil refineries on the Gulf Coast were far better prepared: they anticipated the risk and managed it. As a result, their losses were minimized and they were able to carry on business quickly (albeit at lower capacities).

How then, does a business defend against a charge of negligence? The answer is: Due Diligence. This simply means doing what the ‘reasonable man’ would do, and doing it for all the stakeholders. It’s about good corporate governance, best practices and industry standards!

With regard to Bill C-45, the legislation imposes a legal duty on all those who direct work, including employers, to take reasonable measures to protect employee and public safety. Wanton or reckless disregard of this duty that causes death or bodily harm can result in a charge of criminal negligence.

How does a corporation exercise due diligence? There is no justifiable defence in claiming that you weren’t expecting some disruption or disaster. Today’s world is such that we know these events will occur; we just don’t know how or when. For that reason, Directors must be proactive. One indispensable element of “due diligence” is to have good Security Risk Management and Business Preparedness plans in place. We can be like the ostrich and simply hope things will work out, or be like Noah and take steps to ensure survival. Noah had warning of the flood: he planned for it, and implemented the plan. Business leaders must emulate Noah, and not procrastinate.

In summary:
  1. Understand that senior officers are liable;
  2. Be prepared, have a plan, and practice it;
  3. Practice due diligence;
  4. Assess, manage and mitigate the risks.

Remember: you can’t eliminate risk, but you must at least manage it. Worry a bit now, or worry a lot later!

Jay N. Rosenblatt is a Partner at the Hamilton-based law firm, Simpson Wigle LLP. He is also a member of the Board of Directors for the Canadian Centre for Emergency Planning: www.ccep.ca. He can be reached at rosenblattj@simpsonwigle.com