Ver Suplemento Temático...

Seguridad Corporativa y Protección del Patrimonio.


John Jay Matchulat

Counsel of Baker Donalson, Bearman, Caldwell & Berkowitz, PC

Planning for terrorism: how far must (or should) an employer go?

Do today’s employers have a legal duty to prepare for terrorist activity? If so, which laws apply and how much preparation is required? If there is no duty,(1) is it legally prudent for an employer to make no plans to prevent or respond to acts of terrorism; and is it foolhardy for an employer to do too much in the way of preventive and responsive planning for terrorist activity?

Since September 11, 2001 (“9/11”), the overall parameters of workplace safety planning would seem to have broadened to include prevention of, and crisis response to, acts of terrorism. In the pre-9/11 era, safety plans were focused more on workplace violence and facility-specific emergencies such as fires and hazardous chemical spills. In the post-9/11 era, employers are left to speculate on the legal necessity for their taking additional safety measures to specifically address their facilities’ vulnerabilities to potential acts of terror. The employers’ dilemma has been frustrated, in part, by mixed signals from differing agencies and departments within the federal government. Do such legal obligations exist? How far must an employer go to meet them?

The following examines the extent to which employers are legally required to undertake planning and preparation to prevent and respond to terrorist activity.

Any uncertainty of employers as to their legal obligations concerning terrorist activity is understandable. On the one hand, employers have seen that the frequency of fatal international and domestic terrorist acts within the United States has been quite low from a historical perspective. Further, there appears to be a widespread tacit assumption that terrorism is a phenomenon associated with large cities, particularly on the coasts, and that the likelihood of terrorist activity in the hinterlands is highly improbable and remote.

The Occupational Health and Safety Act of 1970 (“OSHA”), under its “General Duty” clause, requires that employers provide a workplace free from serious recognized hazards that are causing or likely to cause death or serious physical harm to its employees.1 To qualify as a recognized hazard for which an employer bears responsibility, the condition or hazard at issue must meet three requirements. First, it must be reasonably foreseeable that the hazard is likely to affect employees in the workplace, since an employer is not responsible for hazards which cannot be foreseen. Second, the condition must be a “recognized hazard” on the basis of recognition by the industry, by the employer, or by application of common sense. Third, the hazard must cause or be likely to cause death or serious injury.

Past terrorists acts and the ongoing attempts of terrorists to effectuate horrific acts within our borders could arguably render the occurrence of terrorism here as sufficiently foreseeable as to impose legal obligations on employers to undertake enhanced security measures. Thus, employers have observed the enormity of death, injury and destruction caused by terrorist attacks within the United States in 1993, 1995 and on 9/11. They have heard the ongoing media reports of terrorist attacks not only in Iraq, but in European nations including Spain and Britain. They receive daily notification and the frequently changing colored alerts as to the severity of terrorist potential in this country given by the Office of Homeland Security. Moreover, there has been an alarming number of attacks and thwarted plots directed to targets within the U.S. since 9/11. Terrorist acts have in fact occurred in our homeland several times since that fateful day. These include mailings of anthrax-laced letters to various locations, Congressmen and others shortly after the 9/11 attacks. A shooting spree took place at Los Angeles International Airport at the el Al Israeli Airlines ticket counter in July 2004. Ricin-laced letters were sent to Senate Majority Leader Bill Frist’s office in February 2004. Grenades were detonated at the British Consulate in New York City in 2005.

In addition to these acts, a significant number of terrorist plots against targets within U.S. borders have been thwarted in the recent past. These include an al Qaeda plot to use an airliner to crash into the tallest building on the West Coast; a plot to bomb and flood Hudson River train tunnels in New York City in July 2006; the August 2006 arrest of twenty-four suspected terrorists in London conspiring to use liquid explosives to blow up at least ten airliners bound for the United States. Also, the FBI exposed a number of terrorist “sleeper cells” within the United States.

In addition, the FBI recently expressed substantial concern over the rise of “homegrown” terrorists.(2) These are typically U.S. citizens within our midst who are drawn to terrorist ideology, become radicalized, adopt terrorist views, receive inspiration from other terrorists and radical websites, and participate in development of terrorist plots – without the intervention, participation, funding or oversight of formal terrorist groups such as al Qaeda. In June 2006, seven Muslim-American homegrown terrorists were arrested in Miami for conspiring to bomb the Sears Tower in Chicago as well as several government buildings in South Florida. Another homegrown terrorist plot was uncovered in 2005, originating from Folsom Prison in California by incarcerated homegrown terrorist Kevin Jones. Other facts giving rise to security concerns within the U.S. are the FBI’s having over 200,000 known or suspected terrorists in its database, at least 260 persons have pleaded guilty or been convicted of terrorism or terrorist-related crimes since 9/11, and the existence of 5,000 to 6,000 extremist websites on the Internet.

Is a terrorist act within the United States “foreseeable?” One can draw his or her own conclusions.

There is currently no federal or national legislation that specifically addresses regulation of potential terrorist activity in the workplace. OSHA considers the risk of terrorist acts as too remote to justify the promulgation of standards or regulations. As stated by OSHA’s Director of Enforcement Programs in a November 24, 2003, memorandum:

Terrorist acts are not considered foreseeable emergencies that OSHA expects an employer to responsibly anticipate in the workplace. However, if an employer chooses to develop an emergency plan to safeguard their employees from the possibility of a terrorist event, OSHA recommends that they (1) contact  the local emergency planning committee (LEPC) and (2) possibly plan exercises with those involved so that they understand their capabilities and limitations. (emphasis supplied)(3)

Conversely, another federal agency, the Office of Homeland Security (OHS) advises us of the daily risk potential for terrorist activity within our borders by one of five color-coded warnings. Does this not suggest that terrorist acts here are not only foreseeable, but an eventuality? Since the major and deadliest terrorist attacks on this country in the last fifteen years have been directed toward workplaces, this duality in governmental views appears puzzling.

In the absence of any federally-imposed duty, should an employer, nonetheless, undertake and/or implement plans to deal with terrorist activity? Two divergent points of view have emerged. On the one hand, it is argued that there are substantial risks if an employer goes beyond minimal requirements of OSHA’s “General Duty” clause. Under this view, an employer who takes the initiative to conduct a risk analysis would likely uncover many conditions potentially inviting to terrorists that are costly to revise. If that employer thereafter takes no action, or insufficient action, to eliminate any or all such conditions, it could be viewed as negligent in the event deaths and injuries later resulted from terrorist acts at the facility.

On the other hand, it is argued that the employer’s better course is to disregard the absence of any specific OSHA requirements, undertake a full risk analysis and evaluation of the facility’s vulnerabilities to terrorist acts, and then implement some reasonable and cost-effective preventive actions to limit the most likely means of terrorists’ access. This course provides substantial advantages. In the event an unthinkable act later occurred, resulting in loss of life and injuries, the employer would be better able to defend itself. It could demonstrate that prior to the attack it had been “ahead of the curve” by going above and beyond any federal requirements, by having taken reasonable measures to increase the odds of thwarting injury and death due to terrorist acts. Such willingness to plan and implement preventive measures would likely mitigate an employer’s exposure to claims of negligence. Planning to prevent and respond to crises, despite the absence of both legal necessity or foreseeable terrorist events should go far to negate liability in the eyes and minds of jurors. To juries, excuses seldom equate to defenses. An employer’s attempt to persuade jurors that it should “get off the hook” solely because there was no federal statutory duty is likely to be unavailing, unpersuasive, and not well received. Equally, if not more important than these legal considerations, is the prospect that implementing measures to protect employees could result in lives being saved should the unthinkable occur.

There are at least two other compelling reasons for employers to plan for terrorist activity. The first deals with recommendations and suggestions of the “9/11 Commission.” The second deals with the potential unavailability of worthwhile and affordable terrorism insurance.

NFPA 1600 and The 9/11 Commission’s Commentary and Observations. The National Fire Protection Association Standard 1600 (NFPA 1600) is a voluntary code that provides for a comprehensive process to develop and implement a crisis management plan. In summary, NFPA 1600 calls for development of an executive policy on workplace emergencies; appointment of a program coordinator; creation of an advisory committee; conduct of a risk assessment; development of a plan; plus continuous evaluation and modification of the plan in response to new and changing risk factors. The NFPA framework under Standard 1600 can be adapted to develop policies and protocols for pandemics, as well as unforeseen emergencies.

The National Commission on Terrorist Attacks on the United States, also known as the 9/11 Commission, in a preliminary report concluded that private and public employers should develop plans for catastrophic events such as terrorist activities, as well as natural catastrophes and pandemics. The 9/11 Commission then called upon the American National Standards Institute (“ANSI”) to develop a national standard for private sector preparedness to be regulated by the Department of Homeland Security (“DHS”). ANSI thereafter recommended to the Commission that NFPA 1600 be adopted as that standard. The 9/11 Commission in its final report embraced that standard when “. . . witness after witness told us that despite 9/11, the private sector remains largely unprepared for a terrorist attack. We were also advised that the lack of widely-embraced private-sector preparedness standard was a principal contributing factor to this lack of preparedness.”(4) In endorsing NFPA 1600, the 9/11 Commission urged the DHS to promote adoption of this standard.

The Commission’s recommendations should also serve as a wakeup call to the private sector since, in its recommendations to adopt NFPA 1600, it stated, “We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purpose. Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is ignored at tremendous potential cost in lives, money, and national security.”

It will be up to Congress to consider whether NFPA 1600 becomes the legislated standard of care required of employers regarding terrorism preparedness. Whether or not NFPA 1600 becomes law, courts may nonetheless look to and adopt NFPA 1600 in negligence suits where the employer’s standard of care is at issue. Thus, should the standard be adopted, an employer will be deemed to be operating in a negligent manner by not having complied with NFPA 1600. As further pressure on employers, the Commission stated, We also encourage the insurance and credit rating industries to look closely at a company’s compliance with the ANSI standard in assessing its insurability and credit-worthiness.”(5)

Given these developments, the implementation of a plan compliant with NFPA 1600 is strongly recommended.(6)

Continued Terrorism Insurance?
There currently is a murky issue concerning the continued availability of worthwhile affordable terrorism insurance coverage for employers. Losses from the 9/11 attacks are estimated to have cost insurance companies $40 billion in claims, causing many insurers thereafter to exclude terrorism from coverage.

In November 2002, Congress passed the Terrorism Risk Insurance Act (TRIA)(7) to reimburse insurance companies up to $100 billion should terrorists strike again. TRIA has been extended through 2007, but the Government will not step in on any claims less than $50 million in 2006 and $100 million in 2007. Insurance companies claim that without continued federal help, they cannot promise full coverage from a terrorist attack – and the continuation of TRIA after 2007 is in doubt. Moreover, many employers who have purchased terrorism insurance find that their policy has exclusions for nuclear, biological and chemical events.(8) These uncertainties underscore the need for employers to take all reasonable steps to take action to secure their premises, enact programs, and adopt procedures to insulate themselves, to the extent possible, from liability for deaths and injuries.

What specific actions should an employer take to cope with the ongoing threat of terrorism? In reality, no security program can provide complete and absolute protection from internal or external terrorist threats. Yet, in conformance with the view expressed above, the employer should undertake reasonable measures to help ensure the safety of employees and third parties within its facilities in the event of terrorist incidents. Apart from the measures set forth in NFPA 1600, this should start with imbuing a culture of sincere concern with security, at all levels of the corporation. It should include taking a number of reasonable steps to secure the facilities in order to provide a substantial degree of protection from terrorist acts, which will in turn minimize legal risks. Such steps, plus implementation of relevant policies and procedures, have an additional beneficial effect by allowing employees to observe their employer’s concern and commitment to their safety in an era of threatened terrorist activity.

Among the more specific steps to consider when planning for and responding to terrorist attacks are the following:(9)

1. Combat complacency at the highest levels. Executives and managers must assume a highly visible and active role to ensure that their company’s security needs are met, and that apathetic and complacent attitudes are eliminated. This requires top management’s thorough understanding and evaluation of the security program; meetings with the appropriate security personnel; recommendations made in light of heightened threats facing the nation; identifying obstacles to the mission of security, such as turf wars; nurturing a culture of mutual concern for security; creating a corporate-wide environment conducive to cooperation and the search for facts and knowledge about war, terrorist threats, and the employer’s overall security mission.

2. Assess risks. A realistic appraisal of the facility’s vulnerabilities should be undertaken. Areas and conditions that could be utilized by terrorists for a devastating attack must be identified. There should be a thorough multi-faceted risk assessment. Consideration should be given to retaining an experienced and well-regarded independent risk assessment firm to conduct an independent audit to ensure full, accurate and objective analysis.

3. Implement emergency preparedness plans which are also geared to terrorist attacks. If an employer does not have a disaster plan encompassing various types of disasters, it should consider development and implementation of an emergency response plan that addresses acts of terror as well as natural disasters and violence. NFPA 1600 provides an exemplary format. Those employers already having plans in place for violence and natural disasters should update those plans and revise them to respond to warnings and/or the occurrence of an imminent terrorist attack.

Existing plans for natural disasters such as tornadoes and earthquakes involve different considerations than plans for terrorist attacks. For example, in view of the events occurring before the fall of the Twin Towers on 9/11, would it be prudent to send employees into the building’s basement or stairwells in the event of a terrorist attack? While such plans could be sufficient for a tornado, the same plan could prove deadly for an attack such as 9/11. Should employees be sent home? Should they be sent to restricted areas of the workplace thought to be safe? The amount of notice prior to an attack must also be factored into the plans. The moments before an attack should not be the first time thought is given to such scenarios.

Plans also need to be made to prepare backup paper and electronic files at a pre arranged secure offsite location or locations. Responsibilities and identification of successor personnel for essential tasks must be assigned. Basic supplies should be maintained and stored in the event an evacuation is not possible. Emergency evacuation plans should ensure that special needs of disabled employees are met. Employees who travel frequently as part of their job must be educated as to safety measures and company policies involving dangerous circumstances. Certainly not to be overlooked in any way is development of a business recovery and continuity plan.

4. Prepare to respond to chemical, biological and radiological (CBR) threats. Several  agencies have issued post-9/11 guidance on responding to biological, chemical and radiological threats to the workplace. These include the Center for Disease Control (CDC) which has issued a number of guidelines and advisory materials that can be accessed through its internet site at As to biological threats, OSHA has also issued guidance on workplace exposures, which includes a “Risk Matrix” that assigns risk levels to workplaces and offers preventive steps for each zone. These risk levels were jointly determined by the CDC, FBI, and U.S. Postal Service, and are available on the website named above. As to airborne, chemical, biological or radiological threats, the Department of Health and Human Services, through NIOSH, has published an excellent resource, “Guidance for Protecting Building Environments from Airborne, Chemical, Biological or Radiological Attacks.” This may be accessed at Publication 2002-19.

5. “Harden the target.” This is military jargon for steps to strengthen buildings and other structures against potential attacks. If a workplace is under construction, protection from terrorist acts could be built in by use of stronger steel, concrete, safe-rooms, laminated glass, and thicker layers of fireproofing materials. For existing workplaces, however, refurbishing and retrofitting structures to ensure that they could withstand terrorist attacks could be enormously expensive. However, a number of relatively simple and inexpensive steps are available to improve the protective capabilities of existing structures. Some of these are as simple as requiring trucks and vehicles of third parties to be parked in areas much further away from the worksite where employees are housed; hanging heavy curtains above windows, rather than replacing them with expensive laminated safety glass, to minimize injury from flying glass; placing signs in stairwells to be posted at floor level so that they can be seen by persons crawling on the floors to avoid smoke; rearrange seating so that workers are moved away from exterior areas and placed toward more sheltered internal spaces; use of “safe rooms” inside multi-storied buildings as a means to protect employees during an attack; steps to acquire strict access control; installation of durable locks and hardware; use of closed-circuit TV; maintenance of a log of all visitors by name, date, and time; protection of areas that are susceptible to biological or chemical attacks such as water supplies, food preparation areas and HVAC systems; and inspection of all incoming mail at a secure location where guidelines preclude unexpected deliveries and require adherence to strict times for delivery and receipt.

6. Implement protocols to minimize risks. Among other things, there should be an established chain of command of those charged with making necessary decisions in the event of an emergency. Protocols established must be carefully followed and communicated to employees and other individuals who are frequently on the employer’s property.

7. Carefully screen applicants and note suspicious employees and outsiders. Men and women inside an organization, because of their unique access, can pose an even greater threat than external forces. To reduce internal threats, organizations must conduct a thorough screening of all applicants which includes verification of the following: legal work status as provided by law; prior work history and references; educational institutions and degrees earned; professional accreditation; if applicable, driving and criminal conviction records; credit history in accordance with procedures prescribed by the Federal Credit Reporting Act (“FCRA); personal references; and military discharge status, when applicable.

8. Maintain open communications. An employer must commit to a program of effective communication to generate trust and cooperation between management and employees. In so doing, employee awareness of potential risks must be raised along with an understanding that the dangers are real and compelling.

By these and other related steps, an employer can enhance the safety of its human capital, and enhance the odds of the business to withstand the otherwise debilitating aspects of terrorism. Accordingly, even in the absence of a specific obligation under federal law, it simply makes good sense to plan for the unthinkable.

While there is no current federal obligation requiring employers to do so, implementation of plans along the lines of NFPA 1600 at this time are highly recommended. As set forth above, in the event the unthinkable occurs, planning now puts the employer ahead of the curve if injuries and/or deaths occur. Further, the impetus to plan for terrorism is heightened both by potential adoption of NFPA standards as recommended by the 9/11 Commission, plus the present uncertainty as to the continued availability of adequate, meaningful and affordable terrorism insurance. Private sector employers are well advised to implement plans for terrorist activity in order to protect both employees and the successful continuation of their enterprise.



1) 29 USC § 654 (a)(1) and (2).
FBI, Major Executive Speeches, “Remarks Prepared for Delivery by Director Robert S. Mueller, III, The City Club
of Cleveland, Ohio, June 23, 2006.”
Richard E. Fairfax, Director of Enforcement Programs, OSHA, Letter to John D. Turley, President, Education andConsulting Resources, Inc. (Nov. 24, 2003)
9/11 Commission Report, page 398.
Lindsey, Kevin, “Crisis Alert! Plan for Emergencies to Avoid Losses of Life, Property and Profits – and Liability Under a Heightened Duty of Care.” HR Magazine, August 2006, pages 121-125.
The standard is accessible on the internet at
Terrorism Risk Insurance Act of 2002, Public Law 107-297; H.R. 3210.
“Terrorism Insurance: Implementation of the Terrorism Insurance Risk Act of 2002,” report of the united States General Accounting Office to the Chairman of the Committee on Financial Services, House of Representatives, April 2004 (GAO-04-307) available online at
9) More detail and comprehensive discussion of each of these steps is set forth in the author’s publication, Workplace Catastrophes: An Employer’s Guide to Workplace Violence, Terrorism and Natural Disasters, published by M. Lee Smith Publishers.

Suplemento Temático: Los nuevos retos del Director de Seguridad


Fecha: 12/12/06

   Mas artículos de John Jay Matchulat        Otros Expertos   

Este experto ha sido visto por 2404 personas.