Businesses across the country face a deluge of physical, legal, and financial risks because of September 11. Additional attacks on the United States will reinforce the federal government's commitment to protect transportation with the passage of numerous new laws and regulations, said speakers at the 2002 Dairy Distribution and Fleet Management Conference in San Antonio, Texas.
“More Americans will be injured and killed,” said Edwin R Bethune, a partner in Bracewell & Patterson, a Houston, Texas, law firm. “It will cost the country additional money, and there will be many new federal laws. As one FBI agent said to a congressional committee when asked whether America will have more terrorism attacks, ‘count on it.’”
A former member of Congress representing the second district of Arkansas and a former FBI agent, Bethune chaired an ad hoc committee to evaluate, at congressional request, the terrorism threat to Washington Reagan National Airport after the September 11 attacks. The committee report was one factor in the decision to reopen the airport.
“Before September 11, members of Congress were debating the merits of an imaginary lockbox for the social security trust fund,” Bethune said. “For the foreseeable future, the most important political force in our country will be the safety of the American people. The second trump card is the protection of our infrastructure. These trump cards override all other government activities. Additional attacks on the United States will keep Congress focused on these trump cards. If industry doesn't develop its own policies, the government will create new laws to achieve these goals.
“The greatest threat to your business isn't the possibility of a terrorist crashing an airplane into your building,” he said. “Rather it's the huge number of new laws and regulations that Congress will mandate in an effort to protect the transportation industry.
“Every area of government will develop a roadmap similar in nature to the environmental impact statement — something like a security impact statement. Predicting or forecasting the final impact of these new laws is the key to compliance. You can save yourself a lot of heartburn and money.”
At the very least, the September 11 attacks have put the business community on notice that it is vulnerable to terrorism, he said. The difficulty facing the corporate world is determining what level of security it will be held responsible for providing.
Common law requires companies to apply the “reasonable man” standard of care — a standard of conduct demanded by the community for the protection of others against unreasonable risk. Established legal precedent says that a company can be held liable if it fails to provide adequate security to prevent or deter a reasonably foreseeable terrorist attack. For example, airline insurers were required to pay damages after the court held that Pan American Airways was negligent in allowing a bomb to be taken aboard Flight 103.
What is deemed reasonable today will turn largely upon what is foreseeable, Bethune said. Today's public climate suggests that virtually any sort of attack on large or prominent infrastructure — from major skyscrapers to stadiums to refineries — is now foreseeable.
It also suggests that what the public will demand from the private sector in the way of security has changed. Should companies be expected to track shipments of hazardous materials to prevent them from being hijacked by terrorists? Should airports be reasonably expected to use better screening procedures with passengers? Would the reasonable financial services company have its online systems protected from cyber terrorists? For prudent companies, the answer always is yes.
The first step in managing these new security risks is to understand current vulnerabilities, devise a risk-based security audit using a multi-disciplined approach, and execute it, said Lon R Williams Jr, a Bracewell & Patterson partner from Dallas, Texas, and head of the North Texas labor and employment law practice. A security audit should begin with an expert assessment of the specific threats a company may face and an analysis of the ability of the company's security to deal with those threats.
“In developing a threat assessment, analyze the laws already in place to determine if they apply to your business,” Williams said. “If your company isn't large enough for in-house legal counsel, it may be necessary to hire a consultant who can provide legal advice.”
Audits need to review a wide range of security-related issues, including personnel policies, evacuation plans, due diligence checklists, information management systems, crisis management and communication plans, employee assistance programs, liaison with appropriate federal, state, and local authorities, and legal and regulatory compliance, ranging from environmental, health, and safety rules to employment discrimination mandates such as the Americans with Disabilities Act.
Companies should be careful in reviewing their contracts, particularly provisions on force majeure and acts of war; insurance coverage and items regarding business interruption and relocation; key employee life; kidnap and ransom; and restoration of key data and critical documents.
“Determine what happens because of noncompliance,” Williams said. “If you have knowledge of a threat to your company and don't take any action, what are the associated risks? As you develop your threat assessment, you can't buy something from the shelf or the Internet and fill in the blanks. The threat assessment response plan must be unique to your company. This doesn't mean it has to be expensive, but it will cost the brainpower of your employees to create an assessment team.”
An assessment team must contain certain key people. Using a senior management representative shows employees that the security audit is a serious project for the company. “Don't select the assistant librarian as the senior management representative,” Williams said. “It should be someone in the company who carries a big stick.”
A lawyer can determine how new legislation will impact business. Communications personnel should draft the plan and educate employees about their roles in the security audit. Someone with security expertise can assess potential threats. Information technology specialists help protect valuable databases from cyberspace attacks. Engineers are familiar with the strengths and weaknesses of the company's infrastructure.
After a security audit has been conducted, the company must take action to address foreseeable risks. But the task doesn't end there. Effective security systems are not static. “There is a tendency to leave the plan on the shelf and revisit it in a couple of years,” Williams said. “Review the plan as new security issues affect your company.”
Maintaining physical security requires constantly assessing a changing threat environment. Companies should participate in efforts by federal authorities to provide better, more timely intelligence.
Tracking New Laws
Companies also need to remain constantly aware of the new laws, rules, and regulations being developed in response to terrorist attacks. Companies will want to have a say in the drafting of these proposals.
Of the 137 pieces of legislation pending in December 2001, 50 dealt with food processing, transportation, and distribution, said Victoria M Garcia, a Bracewell & Patterson partner from San Antonio, Texas. One of them, “Protecting the Food Supply from Bioterrorism Acts,” requires that anyone who handles, processes, or transports food must register with the federal government. As part of that registration process, companies must open their facilities to inspection.
“Inspectors could examine your records, how you track your deliveries, and they might even dictate how you must track a product that is delivered through interstate commerce,” Garcia said. “As part of the new security guidelines, you have additional mandates for more thorough background checks of applicants. But employers are extremely limited in the sources of information they can access for investigations. For example, the Fair Credit Reporting Act requires that employees be given notice of investigation under certain circumstances.”
The American Trucking Associations currently is lobbying Congress to give it the authority to send fingerprints of new hires and existing employees to the FBI for background checks, Garcia said. The only companies doing this now are banking, airlines, and nuclear power generators. Very few circuit courts will accept fingerprinting as a legitimate part of the hiring process. In some states, such as New York, it is illegal.
“Employers are being told to scrutinize their employees,” Garcia said. “Yet federal laws written before September 11 are still in place to protect against discrimination, including Title VII of the Civil Rights Act of 1964.”
Board certified in labor and employment law by the Texas Board of Legal Specialization, Garcia said the new guidelines will create another battlefield for companies with unionized facilities. The introduction of additional safety rules and procedures is a mandatory issue in bargaining with a union.
For example, when the US Postal Service spent millions of dollars on respirators for employees, the union advised postal workers not to wear the masks because there had been no bargaining. In addition, the Occupational Safety and Health Administration required proper fitting and training before the respirators could be used.
OSHA requires that every employer with more than 10 employees have a written safety plan, including instructions on how to evacuate the building, Garcia said. In developing an evacuation plan, employers also must follow guidelines described in the Americans With Disabilities Act, according to a statement issued by the Equal Employment Opportunity Commission in November 2001.
“That means there are restrictions regarding the questions you can ask your employees who have disabilities,” Garcia said. “You have to be diligent in thinking about every law that affects you as an employer while you review your safety plan.”