The Security Risks You Haven't Considered
Most people working in the legal industry remember the December 2007 shooting at the law offices of Wood, Phillips, Katz, Clark and Mortimer in Chicago that left four people dead at the hands of a disgruntled client. This tragedy reminds us that law firms experience the same physical security issues as other businesses. They are just as likely to witness or be victims of thefts, workplace violence, insider espionage, intellectual property theft, kidnappings, stalking incidents and other criminal acts. They, too, are impacted by global security incidents that affect a company's ability to conduct business and generate revenue in unstable geographical regions of the world. Law firms, being seen as the weak link in a corporation's security infrastructure, are also targeted for the information they hold on their clients.
For the purpose of this article, we can define "physical security" as the protection of a physical space as well as any firm-facing and client-facing services. Physical security activities can include access control, travel security, event security, security risk assessments, fraud/loss prevention, background investigations, security vendor management, workplace anti-violence programs and more.
Unfortunately, today all businesses require some form of physical security, and depending on how you define it, there are laws that actually mandate it. The rules set by government agencies - the Occupational Safety and Health Administration, the General Obligation Requirement in the United States and the Corporate Manslaughter and Corporate Homicide Act in the United Kingdom - are just such mandates. These statutes require employers to provide a workplace free from recognized hazards that can cause death or serious physical harm, such as workplace violence. The other goliaths of U.S. security regulations, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act, although not directly affecting the legal vertical, are passed down to firms by their clients who are in regulated industries.
All businesses make decisions about physical security; unfortunately the decisions are not always the result of an appropriate assessment of the firm's vulnerability. Failing to properly manage your physical security exposes the firm to liability in the event of an incident. There are several legal concepts that support the need to actively manage your physical security risks. Consider the following:
- Premises liability - Duty of a property owner to take responsible steps to guard against reasonably foreseeable violence
- Respondeat superior - Employer's indirect liability for the wrongful acts of an employee committed within the course and scope of employment
- Negligent supervision - Failure to supervise employees and to discipline violators
- Negligent retention - Failure to terminate employees who have engaged in behavior in violation of company policies
Security Administration
Law firms should look at the physical security processes for all aspects of their business. Trial sites, also known as "war rooms," are a classic example of a point of vulnerability, as they are leased temporary office spaces or hotel rooms - areas more vulnerable to security incidents. Physical security professionals should be involved in assessing the risk and implementing compensating controls.
Most firms use a variety of security contractors for background investigations, technical surveillance, technical counter-surveillance and private investigations. The quality of deliverables from these vendors varies widely, and internal expertise can better manage these contractors, help develop RFIs and RFPs for contracts and review deliverables. This allows attorneys to focus on their core competency, better aligning security to the business and contributing to the bottom line.
Internal fraud investigations will be better served if they are managed by security professionals with a law enforcement background or experience in working with local, state and federal law enforcement officials. These personnel tend to better understand the complexities and nuances of the criminal justice system, both in the United States and overseas, which allows attorneys to focus on their core competency.
You don't necessarily need to employ security staff with core competencies in all areas of security, but they should know whom to call in an emergency or an event, and they should have pre-existing relationships with these people prior to an incident. There are several organizations in this country and overseas that are designed to facilitate private-public partnerships, e.g., the United States Secret Service Electronic Crime Task Forces and the FBI's InfraGard. There are also private organizations designed specifically for physical security executives like the International Security Management Association (ISMA) and Asset Protection Executive (APEX). The Overseas Advisory Council (OSAC), run by the State Department, is another example of a public-private organization designed to share security intelligence with the private sector.
Explore What Might Be a Risk
The amount and cost of security a firm should implement depends on several factors that should be determined through some form of risk assessment procedure.
The goal of the risk assessment is to identify risks and cost-effective compensating controls. This information is then communicated to management to allow them to make educated decisions on how to address the risk. The risk assessment process can be an informal one or a full-blown exercise with established protocols. The assessment will explore risks, vulnerabilities, likelihood of occurrence and impact. This process will also require some form of asset valuation, which can be difficult when you are talking about your human capital.
A formalized risk assessment involves the following processes:
- Define the assessment - List the possible at-risk points, for example, an attorney traveling overseas.
- Analyze the risk - Categorize by vulnerability, probability, impact and value; what would you do if an attorney is kidnapped and held for ransom?
- Perform a cost/benefit analysis - Decide whether to accept the risk, mitigate the risk, transfer the risk or avoid the risk; you might decide to implement a travel security program that involves a travel security service.
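The three steps above (define, analyze, cost/benefit) can be carried through as a small risk register. The following is an added example, not part of the original article; it assumes a simple scoring model (likelihood as an annual probability, impact in dollars, expected loss as their product) and a decision rule in which a control is worth funding only if it reduces expected loss by more than it costs. The risks, figures and tolerance are constructed for illustration.

```python
"""Worked risk register for the define / analyze / cost-benefit steps.

Added example with constructed figures. Assumed model:
  expected loss = annual likelihood * impact in dollars
  accept   -> inherent expected loss is already within tolerance
  mitigate -> a control reduces expected loss by more than it costs
  transfer -> the best such control shifts the loss (e.g. insurance)
  avoid    -> no control pays for itself and the risk exceeds tolerance
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_after: float   # residual annual probability with the control in place
    impact_after: float       # residual impact in dollars with the control in place
    transfers: bool = False   # True when the control shifts the loss to a third party


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float         # annual probability, 0..1
    impact: float             # dollars
    controls: List[Control] = field(default_factory=list)

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


def recommend(risk: Risk, tolerance: float) -> Tuple[str, Optional[str], float]:
    """Return (treatment, chosen control name or None, residual expected loss)."""
    inherent = risk.expected_loss()
    if inherent <= tolerance:
        return ("accept", None, inherent)

    best = None  # (net benefit, control, residual loss)
    for c in risk.controls:
        residual = c.likelihood_after * c.impact_after
        net_benefit = inherent - residual - c.annual_cost
        if net_benefit > 0 and (best is None or net_benefit > best[0]):
            best = (net_benefit, c, residual)

    if best is None:
        return ("avoid", None, inherent)
    _, control, residual = best
    return ("transfer" if control.transfers else "mitigate", control.name, residual)


def build_register() -> List[Risk]:
    """Constructed sample register: three at-risk points a firm might list."""
    return [
        Risk(
            asset="attorney travelling overseas",
            threat="kidnap for ransom",
            likelihood=0.02,
            impact=2_000_000,
            controls=[
                Control("travel security service", 15_000, 0.005, 2_000_000),
                Control("kidnap and ransom insurance", 30_000, 0.02, 100_000, transfers=True),
            ],
        ),
        Risk(
            asset="client files in leased war room",
            threat="theft",
            likelihood=0.1,
            impact=50_000,
            controls=[Control("contract guard for trial period", 8_000, 0.02, 50_000)],
        ),
        Risk(
            asset="new office in unstable region",
            threat="political violence",
            likelihood=0.3,
            impact=5_000_000,
            controls=[Control("proprietary guard force", 1_200_000, 0.1, 5_000_000)],
        ),
    ]


def assess(register: List[Risk], tolerance: float) -> Dict[str, Tuple[str, Optional[str], float]]:
    """Map each asset to its recommended treatment so management can allocate resources."""
    return {r.asset: recommend(r, tolerance) for r in register}


if __name__ == "__main__":
    for asset, (treatment, control, residual) in assess(build_register(), 10_000).items():
        print(f"{asset:40s} {treatment:9s} {control or '-':35s} residual ${residual:,.0f}")
```

The travel example resolves to "mitigate" with the travel security service, which is the outcome the cost/benefit step in the article describes; the war room theft falls within tolerance and is accepted; the unstable-region office is avoided because the only available control costs more than the loss it prevents. Changing the tolerance or control costs changes the recommendations, which is the point of putting the numbers in front of management rather than deciding by instinct.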
The previous example gave a cursory analysis of travel security, but there is also the liability risk; if you choose not to implement reasonable controls, especially for foreseeable risk, the firm could be held liable to its employees or their surviving family members. The risk assessment process will allow you to better get a handle on your enterprise risk as it relates to physical security, giving management the information they need when it comes to allocating resources.
The key to getting a handle on physical security is to break it down into manageable chunks. Physical security can be broken down into three layers: process, technology and function. There are several core activities that can fall within these layers. Depending on the size and complexity of your firm, and the level of control you want to maintain, some of these activities can be outsourced to key strategic vendors, and in today's economic uncertainty, that may be your only option.
Process Layer
At the process layer, your initial efforts should be in identifying your risks - what is it that you are trying to protect, and from which threats?
Risk identification, key to the assessment process, includes identifying the risks that the firm faces. These risks should include the crime indexes for the areas your offices reside in, perhaps utilizing crime-risk mapping services that base their data on FBI crime statistics. This can show areas of high crime risk, allowing you to more accurately focus resources. Travel security intelligence vendors can provide intelligence on locations your attorneys will be traveling to, including the kidnap and ransom risk rating, terrorism risk, political risk, etc. These services can also be used to conduct risk assessments on new overseas offices, providing intelligence on local conditions and risks. You should also review what threats your firm, and others that practice the same type of law, have dealt with in the past.
Technology Layer
At the technology layer, the critical activity is architecting and managing a physical security system (PSS). The PSS is broken down into subsystems, with goals to deter, detect, delay and respond to an intruder or threat. The subsystems of a PSS include access control, which is the process of limiting access to your facilities to only employees and visitors, having an audit trail of who is coming in and out, and being alerted when person(s) attempt to gain unauthorized access. It also applies to special events like partner meetings, offsite trial sites and war rooms.
Access control can be a very complex process, especially when you have multiple office buildings in leased office space with incompatible systems. Add to that the complexity of international law firms with lawyers and staff traveling within offices requiring granular access controls. The smaller the firm, the easier it is to outsource your access control entirely. The larger firms will likely find this process best managed by internal security resources, for the complexities previously mentioned.
Closed-circuit television (CCTV) is a subset of access control, and without proper administration and oversight, it can be an expensive undertaking that may not deliver as promised. Cameras need constant attention and tuning, and as more and more are put on the network, both physical and IT security teams need to be working together to ensure these devices are configured and secured properly so that new risk is not introduced to the firm.
A physical intrusion detection (PID) subsystem is part of the larger access control system and is designed to deter and detect an intrusion. A PID will provide deterrence to external intruders and provide the "detect" capability when persons attempt to breach your security system. Onsite staff, with onsite response capabilities, should manage a PID; this can either be the building management company or your staff (which can be either a proprietary or contract guard force).
Functional Layer
Firms should also enact some system for incident reporting. Smaller firms with low volumes of incidents can get away with basic reporting systems, e.g., paper case files and reports. Larger, international firms with complex internal investigations should develop clear policy, procedure and guidelines for handling internal and external (client) investigations. They should also utilize relatively inexpensive databases or report management systems of the kind used by law enforcement and major corporations. It is very difficult to manage investigations with multiple investigators, possibly in different geographic locations, without utilizing information technology. These systems will show a true ROI based on the resources and time they save in the overall management of an investigation.
Workplace violence is one of the most frequently overlooked risks to law firms and other businesses today. Firms have a legal obligation under OSHA to furnish employees with a workspace free from recognized hazards that can cause death or serious physical harm, such as workplace violence. Workplace violence is the number one cause of death in the workplace for women and number four for men, and it costs businesses billions of dollars each year. With the downturn in the economy, the workplace is becoming a more stressed environment - ripe for an increase in workplace violence incidents. And even if you don't have any internal problems, one of your staff or attorneys will likely face some form of domestic abuse at home that will spill over into the workplace.
Domestic abuse spillover is a substantial, often overlooked risk to the workforce, as well. The workplace, second only to the home, is the most likely place for a domestic incident to take place. A workplace anti-violence program should focus on assisting the victims, even to the extent of going to court with them, and verifying that restraining orders include the victim's place of employment. Victims need to feel safe in bringing these issues to their employer. Managers also need to be trained to look for signs of domestic abuse and brewing workplace violence incidents. Security should maintain active case files on all domestic abuse incidents and file all orders with building security, providing as much information as legally possible on the abusing person. These cases require sensitivity and privacy, and the victims need to see their employer as an asset and not an additional threat, but the safety of the workplace and their coworkers should always be of greater concern.
This program shouldn't sit exclusively with security personnel, although security should take the lead in implementing a workplace anti-violence program. An integral part of reducing workplace violence is the workplace response team, which should consist of representatives from the security, legal, human resources and benefits departments. The team may also include contracted forensic psychologists, outside psychological treatment providers and other professionals as required.
Travel security, as mentioned above, should also be an integral part of a risk plan. For some firms, lawyers travel frequently to client sites in overseas locations. The security risk for these locations should be evaluated, and the lawyers should be properly briefed. In some locations, security should get involved in evaluating the hotels in which they will be staying and in evaluating, and possibly arranging, local transportation once in the country. There are numerous risks when traveling overseas, and the majority of corporations now monitor their employees' travel. Law firms should follow the same best practice to avoid injury to staff and reputational damage that could affect existing business and new client development.
A larger obstacle in building a physical security team, especially in our current economic conditions, is how to do this when the firm's revenue may be flat or decreasing and there is no chance of adding additional headcount. In an organization with existing IT security staffing, it may be an ideal time to explore convergence and cross-train IT security personnel. This can be an ideal time for IT security to expand its role in the firm and increase its value. However, this can't be done without leadership and direction from a manager with the proper physical security experience. Gartner, an IT research think-tank, recommends caution when placing both IT and physical security under the same management structure unless that manager has clearly demonstrated the skill set necessary to deal with both, and it is compatible with corporate culture to do so.
Physical security is a core business function that law firms cannot afford to overlook. From the basic function of managing a PSS to protect client data to complying with legal statutes ensuring a safe workplace free from foreseeable harm, security is a key strategic partner to the business. Physical security aligned to the business allows the firm to concentrate on its core competency while supporting the attorneys with technical expertise and competency in the field of physical security. On the strategic side, it also allows firms to seek new business in higher risk markets while maintaining their individual risk comfort level.
About the author
Rick Patterson is director of security for Sidley Austin LLP. He oversees the IT security, physical security, life safety, business continuity and disaster recovery programs. Rick's previous work experience includes five years with the U.S. Army Criminal Investigative Division where he managed the financial crimes squad for the Fort Lee Resident Agency. After the Army, Rick spent eight years as a special agent with the U.S. Secret Service working in physical security, technical security, and electronic crimes investigations. Rick has a bachelor's degree in criminal justice from California State University, Fullerton, and a master's of science degree from DePaul University in computer, network and information security. He can be reached at rpatterson@sidley.com.