The Duty to Prepare
THE RHA REVIEW
Volume 12, No. 3, Second Quarter 2006
By Christa Meyer Hinckley
Regrettably, to date in the first decade of the 21st century, unimaginable catastrophes, both man-made and natural, are becoming almost commonplace. The first six years of this century have seen the terrorist attacks of 9/11 in 2001; bombings in Bali, Madrid, London, Israel, Iraq and Egypt; the South Asian tsunami in 2004; the seemingly endless stream of hurricanes coming ashore in 2004 and 2005, including Katrina, Wilma and Rita; and the devastating earthquake in Pakistan. On a much smaller scale, but equally devastating to those affected, are the almost daily disasters caused by industrial accidents and workplace violence. We have also now heard the dire predictions of the next “big one” to hit San Francisco, published in connection with the memorials marking the centennial anniversary of the earthquake of 1906, and we continue to receive threats of more terrorist actions by Al Qaeda and other groups.
In addition, most Americans witnessed firsthand, via their televisions and computers, the devastation that can be caused not only by a catastrophic event itself, but also by the lack of an adequate, competent emergency response by governmental agencies at all levels — local, state and federal. Emergency response has long been viewed as the responsibility of government, and failure to have an emergency response plan or to follow an existing plan has led to liability for government agencies.1 However, what is increasingly emerging is that private business entities may also have a legal duty, in addition to a moral and ethical one, to have in place assessments of their exposure to these risks and a plan to respond. In fact, it can be argued that a minimum preparedness and response standard for private enterprises already exists at the federal level.
From where is this duty emerging? Just as the right to privacy was found to exist in a “penumbra” of different constitutional rights by Justice Douglas, it is arguable that this duty is emerging from a penumbra of different sources. The concept that employers and business owners have the obligation to provide a safe operating environment is not new in the United States. It has long been embodied in such things as the following:
- The Federal Occupational Safety and Health Act (OSHA)
- Department of Labor standards
- Building and fire codes
- Workers’ compensation statutes
- Standard tort liability concepts
The obligation to provide employees, tenants and business invitees with a safe working environment has its roots in tort law. In society every person has the obligation or duty to act in a reasonable manner at all times and to employ a reasonable standard of care to prevent damage or injury to others whose injury is, again, reasonably foreseeable and proximately caused by the failure to exercise such a standard of care. Failure to adhere to this standard exposes the negligent party to liability for damages. See e.g. Restatement (Second) of Torts §282. As it is increasingly apparent that the occurrence of a catastrophic event is within the scope of the “reasonably foreseeable risks” that an employer or landlord will have to face, then it is not so big a leap to conclude that having a plan in place to respond to such an event (and to minimize or mitigate its effects) is equally reasonable to expect. Failure to have such a plan could therefore lead to damages independent of the event that caused the catastrophe in the first place. In fact, in his excellent article, “Emergency Action Plans: a Legal and Practical Blueprint ‘Failing to Plan Is Planning to Fail,’” Chapman University law professor Dennis Binder observed:
Negligence analysis often revolves around the exercise of reasonable care that will either prevent or minimize the risk of an accident or the injuries suffered therefrom. Emergency action plans are just a reasonable, logical extension of existing negligence analysis. Plans to respond to a disaster are just as integral in negligence analysis as exercising reasonable care to prevent an accident. Emergency-action plans are just as critical in minimizing losses as design, construction, maintenance, operations and inspection.2
The necessity of emergency-response planning has also long been recognized by various entities, such as airlines, coal mines, hydroelectric plants, refineries and others.3 But as a result of the 9/11 attacks, the federal government, Congress in particular, has come to realize that private-sector preparedness is a fundamental component of crisis response and planning.
The Emerging Federal Standard
Thomas Kean, chairman of the 9/11 Commission, observed that “one of the lessons learned from 9/11 is that private-sector preparedness remains critical to our national security.” The 9/11 Commission found, during its examination of the emergency response to 9/11, that “[w]itness after witness told us that despite 9/11, the private sector remains largely unprepared for a terrorist attack. We were also advised that the lack of a widely embraced private-sector preparedness standard was a principal contributing factor to this lack of preparedness.”4 The Commission responded by asking the American National Standards Institute (ANSI) to develop a consensus on a “National Standard for Preparedness” for the private sector. In 2004, ANSI recommended to the 9/11 Commission that its Standard on Disaster/Emergency Management and Business Continuity Programs (NFPA 1600) be adopted as a voluntary national-preparedness standard. The Commission endorsed this recommendation and cited NFPA 1600 as establishing a common set of criteria and terminology for preparedness, disaster management, emergency management and business continuity programs.5 Importantly, the Commission concluded its recommendation with the following words:
We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private-sector preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is ignored at a tremendous potential cost in lives, money and national security.6
Consistent with the 9/11 Commission Report, Congress, in Section 7305 of the Intelligence Reform & Terrorism Prevention Act of 2004, reported the following findings and made one recommendation:
First: The private-sector organizations own 85% of the Nation’s critical infrastructure and employ the vast majority of the Nation's workers;
Second: Preparedness in the private sector and public sector for rescue, restart and recovery of operations should include:
- A plan for evacuation
- Adequate communication capabilities
- A plan for continuity of operations
Third: The American National Standards Institute recommends a voluntary national preparedness standard for the private sector based on the existing American National Standard on Disaster/Emergency Management and Business Continuity Programs (NPFA 1600) with appropriate modification. The standard establishes a common set of criteria and terminology for preparedness, disaster management and business continuity programs.
Fourth: The mandate of the Department of Homeland Security extends to working with the private sector as well as government institutions.
Recommendation: It is the sense of Congress that the Secretary of Homeland Security should promote, where appropriate, the adoption of voluntary national preparedness standards such as the private-sector preparedness standard developed by the American National Standards Institute and based on the National Fire Protection Association 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.7
The NFPA 1600 is an approximately 40-page document which sets forth the criteria to assess current programs or to develop, implement and maintain a program to mitigate, prepare for, respond to and recover from disasters and emergencies. While it is too long to address here in detail, some of its more salient sections provide as follows:
- The entity (whether it be public or private) shall identify:
- Hazards (which include both natural and human-caused events)
- the likelihood of their occurrence
- the vulnerability of people, property, the
environment and the entity itself to those hazards8
- The entity shall also:
- develop and implement a strategy to eliminate hazards or
- mitigate the effects of hazards that cannot be eliminated; and
- develop, coordinate and implement operational procedures to support the emergency management program which shall address the safety, health and welfare of people, the protection of property and the environment9
- The emergency management program developed shall include, but shall not be limited to:
- a strategic plan
- an emergency operations/response plan
- a mitigation plan
- a recovery plan
- a continuity plan10
- The entity shall also
- assess training needs and shall develop and implement a training/educational curriculum to support the program11
- shall evaluate its program plans, procedures and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations and exercises12
- The entity shall develop financial and administrative procedures to support the program before, during and after an emergency or disaster13
In addition, in December 2004, the Department of Homeland Security issued, in response to Homeland Security Presidential Directive (HSPD)-5, the almost-3-inch-thick National Response Plan, which sets forth the “Master Plan” by which the United States government was to respond to domestic disasters, both man-made and natural. The National Response Plan did address, although somewhat briefly, the private sector’s obligations with respect to disaster management planning:
- Responsibilities: Private-sector organizations support the National Response Plan … by sharing information with the Government, identifying risks, performing vulnerability assessments, developing emergency response plans and business continuity plans …[emphasis added]14
- Response Resources: [P]rivate- sector organizations are encouraged to develop and maintain capabilities to respond to and to manage a complete spectrum of incidents and emergencies …15
The government has continued its emphasis on the need for the private sector to “be prepared” with such web sites as the Department of Homeland Security’s www.Ready.gov and the Small Business Association’s web site found at www/sba.gov/bewareandprepare/business.html.
There are other reasons why private companies should have disaster-mitigation plans in place. First, there is empirical evidence that the way a company responds to a disaster (in particular a mass-fatality disaster) is a much stronger determinant of recovery than are the direct financial consequences of a loss. See “Protecting Value in the Face of Mass Fatality Events” (2005) by Rory F. Knight and Deborah J. Pretty (Oxford Metrica) and their previous work, The Impact of Catastrophes on Shareholder Value (1996) (Templeton College, University of Oxford, commissioned by Sedgwick). In addition, even before Hurricane Katrina, it was established that property and casualty insurance (including business-interruption insurance) would not cover all of the losses a business suffers in the event of a catastrophic loss, and recovery of insurance proceeds could be a lengthy, time-consuming process.16 Studies of this nature, combined with the financial risk analysis now required by Sarbanes-Oxley, should make chief financial officers at companies throughout the U.S. require immediate review and assessment of how their companies plan to respond to a catastrophe, and the financial resources in place to make certain that such plans can be carried out. Loss of shareholder value as a result of a failure to plan could also lead to director and officer liability exposure. Finally, other liability causes of action could be asserted as the result of poor planning. The failure to warn and the negligent infliction of emotional distress come to mind.
Although to date there appears to be no judicial codification of the “duty to prepare,” it will be interesting to see if, in the legal maelstrom that is occurring in the aftermath of Hurricane Katrina, this duty is legally recognized or at least expanded upon. In any event, I must concur with the conclusion of the 9/11 Commission — private sector preparedness is not a luxury any longer; it is a cost of doing business.
1See e.g. Commerce and Indus. Ins. Co. v. Grinnell Corp. 280 F.3d 566 (5th Cir 2002) and Coates v. United States, 612 F. Supp. 592 (C.D.Ill. 1985).
2See Dennis Binder, Emergency Action Plans: A Legal and Practical Blueprint “Failing to Plan Is Planning to Fail,” 63. U. Pitt. Law Rev. 791, 813 (2002).
3See e.g. Aviation Disaster Family Assistance Act of 1996, Public Law 104-264, Title VII (1996). For a review of some of the statutory and regulatory requirements for the establishment of emergency action plans, see Emergency Action Plans: A Legal and Practical Blueprint “Failing to Plan Is Planning to Fail,” supra.
4The 9/11 Report, Chapter 12, Section 12.4 Protect Against and Prepare for Terrorist Attacks—Private Sector Preparedness. (2004).
7Intelligence Reform and Terrorism Prevention Act of 2004, 108 P.L. 458, §7305.
8Standard on Disaster Management and Business Continuity Programs (NFPA1600) (2004) Sections 5.3.1 and 5.3.2.
9Id., at Sections 5.4.1 and 5.10.2.
10Id., at Section 5.7.1.
11Id., at Section 5.12.1.
12Id., at Sections 5.13.1 and 5.13.2.
13Id., at Section 5.15.1.
14National Response Plan, Base Plan, Section III. Roles and Responsibilities, p. 13.
15National Response Plan Support Annexes, Private-Sector Coordination, p. 2.
16See e.g. Andrew Miles Business Continuity: Best Practices (2nd Edition) Section 2.19, p. 30 (2004).