Avoiding Pandemic Paranoia

Posted on 1, Dec | Posted by Billy Gordon Green, Jr. M.Ed., CPP, CHS

sick personTwice during the past decade and a half, the specter of pandemic has been a cause for prudent worry in the public health sector, among business continuity planners, and certainly within the security community. Security professionals would not be tasked with reducing the impact upon the public or generally with providing for the continuity of operation for a large corporation, campus, or agency.

The security manager and planner would, however, be responsible for planning and implementing contingency security operations in the face of epidemic conditions or pandemic threat. The mission and role of the security department is ancillary to the direct mission of most all organizations. As such, the security planner is concerned with the effect that widespread disease would have on the ability of the security organization to fulfill its mission of protecting the personnel and assets of the parent organization.

The effects of a pandemic or epidemic upon an organization and subsequently on the security group depend on the business and mission of the larger entity. For instance, a healthcare facility such as a hospital would be impacted exponentially. Not only would the organization’s internal casualties make it harder to deliver services, the external client/customer system would be greatly expanded as the illness spreads through the population and they seek help from the healthcare provider. In the same way – although to a lesser degree – health care suppliers would see demand for products and equipment increase dramatically while they too were trying to cope with increased activity with a workforce affected by the disease.

The demand for security services in the chaotic conditions a pandemic or severe epidemic could create within the healthcare delivery system would be substantial. The threat would also be significantly increased as valuable and perhaps limited medical treatment and drugs become potential targets for crime or lead to possible breakdowns in public order in the clamor to receive lifesaving medical help. This may sound a little like a doomsday movie script, but security professionals and law enforcement authorities are fully aware that civilized society is held together by the thinnest of threads, and under the right conditions, they may fray or break completely.

Faced with all this, the security manager must respond with the necessary services and infrastructure to safeguard the parent organization, no matter what the business. As with planning for catastrophic emergencies, which a pandemic certainly is, there must be preparation to stand alone by predicting the impacts on the security organization and planning realistically to meet those needs in a contingency manner, with fewer people and little infrastructural support because those agencies and companies will be affected too.

It is not the security organization’s job to maintain business continuity or deliver services to the client or customer. It will be security’s job to protect those who will be trying to do so, while facing the same impediments. It will require a contingency plan that rebalances the integrated security formula toward non-human assets. It also will require an accurate assessment of the intensity and duration of the pandemic or epidemic.

All past pandemics have involved Influenza A viruses. These viruses that cause influenza are much more easily spread among larger groups in the population because of the nature of transmission as aerosols and the respiratory characteristic of the disease. Whether or not other viral and bacterial disease can become that virulent when confronted with modern medicine and public health practices remains to be seen. The experience with Ebola has suggested that while it is contagious, it may not have the capacity to spread like influenza has in the past. Time will tell. There are historical data and scenarios that can be examined and studied to identify and gauge the effects of widespread disease on healthcare, service, and production organizations. We can learn from history, hopefully so we do not have to repeat it. Security professionals do not treat disease, but we can study the effects it may have of the organizations and the population in order to prepare as best we can to provide the envelope around our organizations so that they can continue to function during the crisis.

As with any threats, the prudent security professional should research the threat and be familiar with the potential for such a threat developing. Historically, the development of pandemic or severe epidemic disease has a run up period during which it becomes apparent that a problem is looming. It does not have the sudden onset of catastrophic weather or a terrorist attack. Forethought and modest advance planning in advance will provide the foundation for more precise preparation and decisive response should the problem intensify.

The following sources can be used to better understand and prepare for this kind of emergency.

About Pandemics from Flu.gov – http://www.flu.gov/pandemic/about/
Pandemic Influenza from CIDRAP – http://www.cidrap.umn.edu/infectious-disease-topics/pandemic-influenza
Guidance on Preparing Workplaces for an Influenza Pandemic from OSHA – https://www.osha.gov/Publications/influenza_pandemic.html

Always prepare for the worst and hope for the best.

Continue reading

Chris Peterson Published in Campus Safety Magazine

Posted on 3, Nov | Posted by RMA

“Public Safety Departments Need More Resources, Support to Comply With Clery & SaVE” was published in Campus Safety Magazine on November 3, 2014.

Clery Act legislation with the newly enacted SaVE requirements and Title IX are federal statutes that require colleges and universities participating in federal financial aid programs to maintain and disclose campus crime statistics and security information. Clery Act compliance is a requirement of the entire institution, not just the security or police department. This is an important distinction and one that too many college and university administrators fail to recognize and embrace. Until administrators recognize this distinction and put in place top-down responsibility and accountability for Clery Act compliance, institutions will be at risk from a compliance and litigation perspective.

To read the entire article, please visit Campus Safety Magazine.

Continue reading

Managing Global Integration of Systems

Posted on 1, Nov | Posted by Kevin M. McQuade, CPP

global integrationDuring the last several years, we have seen many companies expanding within their own organization or through mergers and acquisitions. Growth of any kind challenges the expansion of systems utilized within the company or organization, such as network infrastructure, payroll systems, and other technology. One area that is always a challenge is the security systems that protect the organization. Card access and digital video systems manufactured today are designed so that they can grow exponentially as the company grows. The question is how to implement and oversee the installations of these systems at a regional, national, or global level.

There are security integration companies today that through their own expansions and mergers have a national or global footprint that can be utilized to assist an organization with the implementation of their security systems. What happens if the current system or systems being used by an organization are not supported by a large national or global integration company? The task becomes a lot tougher to assure that the same quality equipment and installation practices used in one facility are used throughout an entire organization.

One way to accomplish smooth security integration would be to assign an existing employee as a project manager. This individual should already be familiar with the security program. His or her tasks would be to:

  • find qualifying integration companies in each location where a new or upgrade installation might take place,
  • prepare design and standardization documents, coordinate with the IT department and other trades that would be involved,
  • attend coordination meetings (via conference call or in person),
  • perform installation reviews during the installation,
  • follow up on the record documentation once the project has been completed,
  • become familiar with and address any issues specific to the site including local codes, state regulations, or country requirements, and
  • perform their current duties.

Since most companies seem to be running as lean as possible, there probably is not a single person available that would be able to handle this. If this is the case, then what is the next option?

There are security integration companies that can offer some of these services through a network of companies on a regional or a national level, but not necessarily on a global level. This places a lot of responsibilities on the security integrator. What happens if the relationship between the security integration company and the organization takes a turn for the worse? What happens if the account manager leaves the security integrator? What happens if the security integrator is purchased by another company or changes their business model? You’re back to square one.

Another option would be to hire a company that understands security and security programs. What we have seen work well is organizations that can partner with a company that can handle all system integration at multiple sites. This company – which would not provide installation or service of any security equipment – would be product agnostic but knowledgeable on the organization’s systems. In addition, they would have the capability of providing a team of professionals that would divide and conquer all of the associated tasks and provide a Project Manager as a direct line of communication with the Security Director Of course there is a cost associated with this, however if the implementation of a large multi-regional new installation or upgrade does not go well, there is the potential that the costs and internal manpower to coordinate and correct any deficiencies could exceed the dollars spent to bring a company like this on board as part of the team.

If a large-scale security installation or upgrade is in the future for your organization, begin the planning early, assess exactly how the plan will be implemented, and designate who will do the work to assure that all goes smoothly.

Continue reading

Behind the Scenes of the Recent IHSSF Crime Survey

Posted on 11, Jun | Posted by Dana M. Frentz, CHPA

hospitalIn summer 2013, the International Healthcare Security and Safety Foundation (IHSSF) tasked a small group of members to develop a hospital Crime Survey based on a common metric regardless of the number of participants or size of the facility.

The goal of the Crime Survey was to create measurable and trending data based on three different denominators – bed count, average daily census, and square feet. These indicators, combined with the crime data would then provide a framework in which future Crime Surveys could be conducted with consistency. Since the team was establishing this new framework for the survey with timing permitted, they were able to collect 2012 and 2013 data, which allowed an equivalent foundation upon which to base answers.

Survey results revealed that average daily census was either not completely understood as a metric or was not readily available to respondents. However, bed count and square footage corresponded so consistently that bed count was used for the common denominator.

The team agreed the most valuable and accurate questions would come from the basis of the FBI’s UCR (Uniform Crime Report), since these are national definitions and not based on an individual state’s penal code or a particular organization’s crime classification. Because the organization is international and there is a large contingent of Canadian members, a separate survey was sent to the Canadian membership with questions based on the Canadian Criminal Code. To further assure consistency in the survey, the team provided respondents with the UCR definition, along with a healthcare-related example.

The 10 different types of crime deemed relevant to hospitals included: murder, rape, robbery, aggravated assault, assault (simple), disorderly conduct, burglary, larceny/theft, motor vehicle theft, and vandalism. Both types of assaults were further broken into sub-categories as they are considered workplace violence incidents:

Type 1: Violent acts by criminals, who have no other connection with the workplace, but enter to commit robbery or another crime.
Type 2: Violence directed at employees by customers, clients, patients, students, inmates, or any others for whom an organization provides services.
Type 3: Violence against coworkers, supervisors, or managers by a present or former employee.
Type 4: Violence committed in the workplace by someone who does not work there, but has a personal relationship with an employee – an abusive spouse or domestic partner.

Overall, the survey results showed a significant increase in violent crimes between 2012 and 2013 and a minimal increase in property crimes such as vandalism and burglary during this same time period. The greatest increase fell into the category of disorderly conduct and assaults. Respondents further provided the requested breakdown in types of violence for assaults. The Type 2 category accounted for more than 90% of all assaults.

While the number of this year’s survey respondents was higher than in years past, there is still room for improvement. The team believes that by establishing this basis of calculating crime rates on bed count and square footage, it will mitigate issues that can arise from the number of respondents or different hospitals responding year after year.

The 2014 HealthCare Crime Survey Committee was comprised of Lead Author Karim Vellani, CPP, CSC; IHSSF President Steve Nibbelink, CHPA; David Gibbs, CPP; and Dana Frentz, CHPA. For more information about the 2014 IHSSF Crime Survey, please visit http://iahss.org/PDF/crimesurvey2014.pdf.

IHSSF, the International Healthcare Security and Safety Foundation, was founded in 1981 as the philanthropic arm of IAHSS. The International Healthcare Security and Safety Foundation was established to foster and promote the welfare of the public through educational and scientific research and development of healthcare security and safety body of knowledge.

IHSSF promotes and develops educational research into the maintenance and improvement of healthcare security and safety management as well as develops and conducts educational programs for the public.

Continue reading

Security Assessment at Appalachian State University

Posted on 30, May | Posted by RMA

The specific objective of this project was to provide the University with a “snapshot” of the existing security program in place at the BB Dougherty Administration Building, any gaps in the program, and potential responses to the gaps identified. Security policy, procedures, systems and organization were examined for level of technology, appropriate application, and the efficiency and effectiveness of deployment. Consultants prepared specific recommendations to address the deficiencies or gaps identified. Recommendations addressed each threat/vulnerability in a practical and pragmatic manner.

Appalachian State University is nestled in the Blue Ridge Mountains of North Carolina. Appalachian State University offers a challenging academic environment, energetic campus life and breathtaking location. Appalachian combines the best attributes of a small liberal arts college with those of a large research university. Known for its value and affordability, Appalachian enrolls about 17,000 students and offers more than 150 undergraduate and graduate majors. Small classes and close interactions between faculty and students create a strong sense of community, which has become an Appalachian hallmark. Appalachian, located in Boone, N.C., is one of 16 universities in the University of North Carolina system.

Continue reading

Dana Frentz Attends IAHSS Annual General Meeting

Posted on 23, May | Posted by RMA

Dana Frentz attended the 46th IAHSS Annual General Meeting in San Diego, CA, May 18, 2014, through May 21, 2014. The meeting was held at The Hyatt La Jolla.

Speakers and topics included:

• Keynote Chris Van Gorder – Security Officer to Present Day CEO
• Russell Jones, PhD, CPP, CHPA – If Disney Ran Your Security Department
• William Koffel, P.E., FSEPE – What Is The Impact of NFPA 101-2012?
• Donna Palomba – Jane Doe No More
• Ben Scaglione, CPP, CHPA – How The Affordable Care Act Has Changed Security
• Howard Adams, PhD – Building High Performing Work Teams
• Howard Adams, PhD – Strategic Project Planning: Vision to Execution
• William Richter, RN – Active Shooters in Healthcare Setting
• Martin Williams – Conducted Electrical Weapons (CEWs) Within a Comprehensive Use of Force Model
• Kevin Tuohey – Facility Design and the Security Role
• Jeffery Young, CHPA – Consolidation: Security’s Contribution to Sustainable Healthcare Costs
• Roger Sheets, CHPA and Rocky Prosser – Managing Prisoners in a Healthcare Environment

The International Association for Healthcare Security and Safety, or IAHSS for short, is the only organization solely dedicated to professionals involved in managing and directing security and safety programs in healthcare institutions. IAHSS is comprised of security, law enforcement and safety individuals dedicated to the protection of healthcare facilities worldwide. IAHSS strives to combine public safety officer training with staff training, policies and technology to achieve the most secure hospital environments possible. Additionally, the IAHSS partners with government agencies and other organizations representing risk managers, emergency managers, engineers, architects, nurses, doctors and other healthcare stakeholders to further patient security and safety.

Continue reading

The “Fractional” Security Manager

Posted on 12, Mar | Posted by Martin F. Coolidge

The “Fractional” Security Manager:

A Cost Effective Approach to Managing Security

Fractional Security Manager I have met with a large number of business leaders – especially in small business – over the years because of a security issues they faced such as internal theft, threat to executives, employee malfeasance, compliance issues, or other security problems. These issues turned into the need for an investigation and/or an assessment to determine what happened and how to prevent future incidents. What I have observed is that most of these problems could have been prevented through the use of sound security practices. The lack of a competent security plan is usually due to lack of industry knowledge and typically due to the lack of a security manager. By security manager, I mean someone dedicated to the position, not someone simply appointed as such, which seems to be common in many small to medium-sized companies.

Security events are not accidental but are the deliberate actions of employees and/or non-employees who have the motivation to take or destroy an asset because they perceive there is no guardianship over that asset. They often take place without warning, requiring quick-minded response. Sometimes security events can develop from minor issues and failures – security events that might have been avoidable with proper security controls in place.

Security is also about people. It’s not about whether a tree branch may fall onto a roof; it’s about how that tree branch is making it easier to gain access to the roof. It’s about deterrence, target hardening, proactively seeking out security lapses and addressing them, properly investigating the incidents that do occur to resolve them, and identifying and installing safeguards to prevent future such incidents. It includes making security a part of company culture. For this to occur, there has to be a competent level of knowledge of current security issues and practices.

If security is not of high importance to a company, it can expect that some people – employees included – will take advantage of them because they are vulnerable. We have seen high-paid executives steal hundreds of thousands of dollars from their employer because the security lapse was so significant it was too inviting to pass up.

A good security program can reduce a company’s exposure to loss, help make risk more manageable, and increase the safety of employees and visitors. However, a good security program needs an effective security manager. For some companies, this is often not practical. For many small businesses, physical security is limited to the obvious: locking doors at night, installing a few CCTV cameras, and installing intrusion alarms. Unfortunately for many of these companies, this is the extent of their security program, making them more vulnerable and more prone to an incident. Many of them already have a security issue in progress and are not even aware of it.

One approach for a small business is to utilize an existing manager or supervisor and then add security duties to that person’s job description, with or without additional salary. However, a title does not bring industry knowledge and it is not what builds a proper security program. There are too many variables in play to expect a job description to create effective security solutions that protect your company’s assets and economic advantage. A security manager is someone educated, trained, and experienced in applying the principles of security, not a human resource representative that took a few “security” courses. To believe otherwise is to not take security seriously.

Another approach is to hire a security manager with the education, training, and experience to create an effective security program. A security manager can help make a business run more efficiently because security issues are addressed before they become problems, employees and vendors know someone is watching, and problems like workplace violence and internal theft can be minimized. While this is a common business practice for larger companies, it is not cost effective for smaller businesses, whose bottom line is usually fairly thin. Every company could benefit by employing a security manager – some just cannot afford to do so. A security manager is likely to cost around $100,000 per year or more with salary and benefits. This cost is absorbed in large business settings where losses could easily total much more than that. An alternative is to find a security manager willing to work part-time, but it is rare to find someone with the requisite skill-set willing to work part-time. It is difficult enough to find a full-time security manager who individually possesses the expertise necessary to effectively manage all of the aspects of a comprehensive security program.

There is a third approach: “lease” a security manager through a professional service agreement (PSA). This is accomplished by contracting with a security consulting company that can provide a security manager with the education, training and experience needed to competently fulfill the position. In our current economy, many companies are switching to “fractional” titles to save money. A PSA provides an economical and efficient solution to security management needs. It is economical because the cost is a fraction of what it costs to employ a full-time, salaried security manager. It is efficient because a company pays only for the time expended on security-related matters as directed by the company, unlike a full-time security manager that is paid 40 hours per week regardless of how the time is used. Under a PSA a company does not pay a full-time salary and does not pay benefits. With a “leased” security manager the company gets the services of a security professional that can conduct professional security assessments, provide loss control, oversee installation of technology, interview employees, create policies, assist HR during terminations, conduct pre-employment background screening, escort individuals from company property, investigate incidents, liaise with law enforcement when necessary, and provide any other security-related function deemed necessary by the company. Similar to a security manager, the “leased” security manager works for and at the direction of the company. Under a PSA model, companies have a security manager who has “real world” experience. The PSA is tailored to create an effective security program, to fit the company’s culture, and to be cost effective and sustainable.

Another benefit of a PSA agreement is that, depending on the “leasing” organization, the company gets the investigative and administrative support that complements a security and investigations program. This is something large companies with security managers rarely have. With the right organization, the company retains an entire division of security and investigations professionals at their disposal complete with security experts, design experts, and former police investigators, complete with thousands of hours of professional law enforcement, security and military training.

So how does a PSA work? Each PSA is tailored to meet the needs and budget of each individual company. It starts with an evaluation of security needs based on current security posture, trends in the community, company history, vulnerability and exposure, industry, annual hiring rate, and interviews with company officials. A minimum monthly rate that fits the company’s budget – the base rate – is agreed on for which time and expenses are incurred. Services are anything related to security that a company requests, such as workplace violence and other training programs, internal and external investigation, employee investigation, outplacement of terminated employees, background investigations, security assessments, threat assessments, policy development, review/check security systems operations, card readers/keypad systems, CCTV, oversee installation of new systems, creation of security related documents, reports and logs, and many other services. PSAs not only help businesses achieve effective security solutions but they can also be used to provide training and expert security consulting to existing security directors and security managers.

Failure to properly address security is like driving without insurance: you’re gambling your personal worth on a hope that a mistake is not made by you or someone else. Most likely that failure is driven by company economics. With a fractional security manager under a PSA, security management can not only be achieved, it is cost-effective.

Continue reading

Termination Guidelines

Posted on 16, Oct | Posted by Julius Stanley Carroll, CPP, CFE

pink slipTerminations are often a stressful situation, both for the terminated employee and for the individual responsible for conducting the termination. Listed below are some guidelines that could help diffuse volatile situations and make the process run more smoothly.

  1. Always plan the termination. Think it through.
  2. Always have two supervisors/managers present during the termination. The meeting should be cordial and professional but also attempt to accommodate the employee’s feelings and concerns. Regardless of whether the employee becomes angry or upset, do not resort to harsh words or language.
  3. If you feel the termination might become heated, contact security and discuss prior to the termination. If you don’t have a security director, obtain guidance from a company like RMA that has security professionals who have participated in hundreds of outplacements.
  4. If the employee is known to be highly volatile and potentially prone to violence, consider having security present and ensure you have an appropriate plan to respond to those concerns. Provide reason(s) for the termination. However, do not engage in a debate. The decision has been made and arguments should be avoided.
  5. Carefully choose the room to be used for the termination.
    • When possible use a room with two access points.
    • Remove or hide things that can be used as a weapon. Keep the room “clean” (sanitize).
    • The setting should be private. Allow the employee to retain their dignity.
  6. Try to avoid Thursday and Friday as a day for the termination. Monday and Tuesday is better. Select a time during the day when there are fewer employees around.
  7. If offering a separation package, avoid a detailed review of the package at the termination meeting. The employee will likely remember little of that discussion. Do, however, tell the employee that the package is confidential and must not be discussed with others.
  8. If the termination goes as planned:
    • Retrieve all company property i.e. keys, ID badge, monies, etc.
    • Do not let the individual go back to his or her personal workspace but ascertain if the individual has personal belongings such as a purse or medications that you need to retrieve for them. Advise the individual all their personal property will be mailed/shipped to them.
    • Do not let the individual leave the facility and come back into the facility.
    • Walk the individual out of the facility and watch them leave the property but do it in a cordial way.
    • Notify the proper facility managers of the termination so the individual can’t get back into the facility.
    • Have the individual removed from the card access system immediately
  9. If the termination becomes heated, never challenge or argue with the employee.
    • Advise the individual to leave the property. If they don’t comply, call 911.
    • Do nor challenge or argue.
    • Report to HR and Safety/Security immediately.
    • Be prepared to go into lock-down.
Continue reading

The Clery Act – Costs of Noncompliance

Posted on 24, Sep | Posted by Christine L. Peterson, CPP, ISP

Jeanne Clery

Photo obtained from http://clerycenter.org/.

The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, 20 U.S.C. § 1092(f)(2011), is a federal statute requiring colleges and universities participating in federal financial aid programs to maintain and disclose campus crime statistics and security information. The U.S. Department of Education conducts reviews to evaluate an institution’s compliance with Clery Act requirements. A review may be initiated when a complaint is received, a media event raises certain concerns, the school’s independent audit identifies serious noncompliance, or through a review selection process that may also coincide with state reviews performed by the FBI’s Criminal Justice Information Service (CJIS) Audit Unit.

The shooting and death of 32 students and faculty on the campus of Virginia Tech served as a stark reminder of the seriousness with which the Department of Education views the Clery Act. In March 2011, the Department of Education fined Virginia Tech $55,000 for failing to follow its stated policies regarding the issuance of timely warnings. This is particularly noteworthy because Virginia Tech had and generally followed a fairly well-developed crisis communication plan. Nevertheless, because it failed to follow its procedures to the letter, it was found to have violated the Clery Act.

It was also cited for failure to issue a timely warning in response to the first two shootings at West Ambler Johnston residence hall. This is also noteworthy because, according to Department of Education’s findings, the first officers arrived on scene at West Ambler Johnston residence hall at 7:24 a.m. Less than one hour later, the university’s policy group convened to determine how to notify the university community. Practically speaking, the effort to gather the pertinent facts and assemble the advisory group on less than one hour’s notice was nothing short of monumental. Nevertheless, it was ultimately deemed deficient.

As imposing as the fine against Virginia Tech may be, it is far from the largest sanction ever imposed. Clery authorizes the assessment of fines of up to $35,000 per violation. (Penalties increased from $27,500 per violation to $35,000 per violation in 2012.) In 2004, Department of Education handed down a then-record setting penalty of $250,000 against Salem International University for under-reporting campus crime over a two year period. Three years later, Department of Education set a new record when it issued a $375,000 penalty against Eastern Michigan University.

The goal of Clery compliance is not simply to follow the rules to avoid fines, but to help people stay informed and safe.

Collectively, this statutory and regulatory scheme, commonly referred to as “The Clery Act,” imposes a number of disclosure requirements on postsecondary education institutions. These requirements generally fall into three main categories: (1) the Clery crime statistics and security-related policy requirements, which must be met by all institutions; (2) the Clery crime log requirement, for institutions with campus police or security departments; and (3) the HEOA missing student notification and fire safety requirements, for institutions that have at least one on-campus student housing facility. While these laws permit a certain degree of flexibility in the manner in which compliance is achieved, the requirement for complete and timely compliance is absolute. As already stated, failure to do so can result in civil penalties of up to $35,000 per violation for substantial misrepresentations of the number, location, or nature of crimes required to be reported, or for violation of any other safety- and security-related provision of the HEA.

Since 1988, Risk Management Associates has been a security advocate for businesses and agencies including colleges and universities across the country. The Clery Act is a critical piece of the security program of all colleges and universities, and yet even after the tragic events at Virginia Tech, Penn State, Yale, and many other institutions of higher learning, too often there is a lot of misunderstanding and misdirected efforts with regard to Clery Act compliance. Why is this, and what can be done to improve the effectiveness of security programs and Clery Act compliance at colleges and universities? This is the million dollar question. There are two very diverse elements of any successful security program that we believe are at play in these cases.

First, security programs protect people and assets from deliberate actions of other people. The Clery Act in its most very basic terms is an effort to provide college students and their families with intelligence to make the best college choice by providing information about security. This includes specified security and communication policy disclosures and in some cases crime logs, missing student notification information, and fire safety information. However this is just the beginning. Because the application of the requirements of the Clery Act is dynamic, the mechanisms used to collect and publish data are constant and require an equal if not greater effort to ensure compliance. This requires the college or university to acknowledge and address security issues and ideally create some form of a comprehensive security program.

Second, a successful security program starts at the top of any organization where the resources are available to set the tone, communicate the messaging to all stakeholders, and provide the resources that will be required for success. Too often, administrators may not understand the criticality of Clery Act compliance to the college in the form of the protection of human assets, reputation, and federal funding. Unlike many compliance areas, Clery Act compliance requires a concerted effort and resources that supersede silos and departments and requires buy-in by all stakeholders. Later in this article, we will talk about some of the fines that have been assessed for non-compliance. Monetary fines are important, but the real cost is in the unnecessary or avoidable human costs, reputation, and lost enrollment that is the repercussion of a lapse in the safeguards put in place by the Clery Act.

Human Costs

Consider the case of Liberty University. On Feb. 20, 2005, a female student reported to the Liberty University Police Department (LUPD) that she had been sexually assaulted on February 12 and 13. On March 28, Liberty issued trespassing papers to one of the assailants, indicating that the University believed that there was a possible threat to the campus community; however, Liberty University did not issue a warning to the campus community about that danger. On April 13, a female student was attacked by three males in the same general area as the assault in February. She reported the attack to LUPD on April 13 and provided a written statement on April 18. Still, no campus warning was issued. In May 2005, a student reported to the LUPD that she had been gang-raped. As part of the review, Liberty did not provide any evidence that a timely warning was considered or issued with regard to the alleged May 2005 sexual assault.

According to the fine letter issued by the Department of Education, “it is essential to students, employees, and the public that institutions provide timely warnings as frequently and systematically as needed to ensure the safety and well-being of the campus community.”

Another example is Notre Dame College of Ohio. On Oct. 10, 2005, a female student sent a letter to the Dean of Student Development stating that she had been sexually assaulted in her dorm room four weeks earlier. The Dean met with the student a few days later, and the student stated that she was reluctant to have the incident reported to her parents, the police, or other school officials. Less than a month later on October 31, a second female student reported to the Dean that she had been sexually assaulted in her dorm room three days earlier. She also requested that no legal or judicial action should be taken and her parents should not be informed.

At the time, Notre Dame did not have a policy for deciding whether to issue a timely warning or standards for when a timely warning should be issued. As a campus security authority, the Dean determined that no timely campus warning was required because the incidents did not represent a threat. On November 23, the Dean verbally notified the Police/Security Department about the two reported sexual assaults and followed up with a written notification on November 28. On December 12 and December 14, the two students separately contacted the Police/Security Department and identified their assailants. A warning was issued on December 13, nine weeks after the first incident was reported to campus authorities. After the warning, four additional complaints against the suspect were brought forward.

The assessment by the Department of Education found that “the occurrence of two similar crimes within a short period of time was certainly evidence that the crimes were a threat to students and employees. It was very clear that members of the campus community needed to take precaution and protect themselves.”

Could additional incidents have been prevented if a timely warning had been issued and if the information had been made public? What was the cost of not providing a timely warning?

Financial Costs

In the past five years (2008-2012), the following colleges and universities were fined for noncompliance with the Clery Act.

  • Dominican College of Blauvelt (2012) $262,500
  • University of Texas at Arlington (2011) $82,500
  • University of North Dakota (2011) $115,000
  • Yale University (2011) $155,000
  • University of Vermont (2011) $65,000
  • University of Northern Iowa (2011) $110,000
  • Washington State University (2011) $82,500
  • Virginia Tech (2010) $55,000
  • Liberty University (2010) $165,000
  • Notre Dame College of Ohio (2010) $165,000
  • Wesley College (2010) $60,000
  • Schreiner University (2009) $55,000
  • Tarleton State University (2009) $137,500
  • Paul Smith’s College of Arts & Sciences (2008) $260,000

Fines were imposed for:

  • Failure to have a timely warning policy
  • Failure to issue a timely warning
  • Failure to include in the ASR a statement of current policies encouraging pastoral and professional counselors about procedures for reporting crimes confidentially
  • Failure to include in the ASR a statement advising the campus community where information concerning registered sex offenders may be obtained
  • Failure to include in the ASR a statement of current campus policies for reporting criminal actions or emergencies on campus
  • Failure to include in the ASR a statement of policy regarding sexual assault programs
  • Failure to include in the ASR a statement that the accuser and the accused are entitled to have others present during a disciplinary proceeding
  • Failure to include in the ASR complete and adequate policy statements
  • Failure to maintain an accurate and complete crime log
  • Failure to open the crime log to a student journalist
  • Failure to properly classify, compile, and disclose crime statistics
  • Failure to properly classify and report an incident
  • Failure to properly define the geographic boundaries for non-campus property
  • Failure to properly distribute the Annual Security Report
  • Failure to report disciplinary actions
  • Failure to report accurate crime statistics
  • Failure to report incidents
  • Lack of administrative capacity


In closing, it is important to understand that the Jeanne Clery Act is here to stay. Over the next twelve to twenty-four months, we expect to see additional legislation and requirements added to it. One area that we will see this legislation focus will be Title IX compliance that will focus on the athletic programs within the colleges and universities. DOE is also expected to raise the level of scrutiny at colleges who rely on internal audits and investigations with regards to their compliance programs because of the self-serving aspect of self-compliance and may require that colleges seek outside consultants to perform the administrative investigations. In addition, colleges and universities are being held to a higher standard of care due to past events that have put us all on notice that the threats are real and if the past is the best predictor of the future will occur again. This requires that colleges and universities have in place – or can show that they are putting in place – a comprehensive security program. By complying with the requirements of the Clery Act, colleges and universities are putting in place many of the elements of a comprehensive security plan that is necessary to protect their human and reputational assets which are the foundations of any institution of education. Failure to do so exposes the institution to substantial monetary penalties as well as the loss of critical assets including the trust of their stakeholders.

Continue reading

RMA Completes Security Assessment of RTP

Posted on 18, Sep | Posted by RMA

Risk Management Associates, Inc. has completed a security assessment of Research Triangle Park. The Research Triangle Foundation has developed and is in the process of implementing a new master development plan for the Research Triangle Park (RTP) community. As a critical component of that plan, the foundation decided to conduct a security assessment to provide stakeholders with the current security posture of RTP. A security assessment is one of the most cost effective means to assess the current security people, processes, and technology that are in place today and plan for the security needs of the community moving forward.

The Research Triangle Park is home to more than 170 global companies – including IBM, GSK, Syngenta, RTI International, Credit Suisse, and Cisco – that foster a culture of scientific advancement and competitive excellence. RTP is located between three major universities: Duke University in Durham, North Carolina State University in Raleigh, and the University of North Carolina at Chapel Hill.

Through five decades, the Park still holds to its founders’ aspirations: to generate economic activity, engage the talents of local graduates and citizens and carry North Carolina forward to ever-greater prominence and prosperity.

Continue reading