RAQs: Recently Asked Questions

Topic: Name of Employee Personnel Policy - 11/03/2021
Should what we think of as the personnel policy be called Employee Handbook or Personnel Policy? ...
Posted: Wednesday, November 3, 2021 Permalink

MEMBER QUESTION

Should what we think of as the personnel policy be called Employee Handbook or Personnel Policy?

Sometime in the past, legal counsel advised a library system I was involved in, that the term "Employee Handbook" is correct. The document under now review at my library has what amounts to the rules of employment - typical sections about what the library provides, what we expect the employee to do etc. and does have a page acknowledging receipt of the document.

So what should it be called?

Thank you!

WNYLRC ATTORNEY'S RESPONSE

Ooh, an ontological question!

I am not sure about the basis of the past legal input mentioned in the question, differentiating a "policy" from a "handbook," but I (mostly) agree with it.

I (mostly) agree with it because, in both state and federal labor law, the term "policy" is generally used to refer to a stand-alone set of rules governing the terms of employment.[1]  Examples of policies required by law include:

  • Sexual Harassment Policy[2]
  • Prevention of Airborne Disease[3]
  • Whistleblower Policy[4]

In both common usage and in the law, when such policies are gathered together, they become a "Handbook."[5]  Many times, at the advice of lawyers,[6] employers then annually distribute a copy of this "Handbook," and (as in the member's question), require employees to acknowledge it.

The tricky thing is that once an employer has taken the step to pull the policies and create a "handbook" (again, with the name not being important...the important part being that there is some collection of policies, distributed to employees), the law may put additional obligations on the employer regarding the content.

For instance, Labor Law Section 203-e (6), which bars discrimination on the basis of an employee or their family member using reproductive services, states: " An employer that provides an employee handbook to its employees must include in the handbook notice of employee rights and remedies under this section" [emphasis added].  In other words: if the company has no handbook, there is no mandatory inclusion of the notice...but if there IS a "handbook," the notice must be part of it.

The term "handbook," used to mean a collection of employee policies, is also part of the recently passed HERO Act.[7]  It takes the same approach as Labor Law 203-e: if a handbook is handed out to employees, the required Airborne Infectious Disease Plan must be distributed with it (or at least, in the same manner as it is distributed).

Now, for the member's precise scenario: What about when a document that really is just one "personnel policy," but has different sections/rules and a section for the employee to acknowledge receipt?

Based on how the various employment laws in New York use "policy" and "handbook," I feel very comfortable saying that any document that aggregates an employer's rules on more than one topic (say, "progressive discipline," "appropriate attire" and "vacation") and is distributed to employees is--no matter what you call it--a "handbook." 

Or as I have put in this illustrative limerick:

One rule to another said: "Look,

Here's something that has me quite shook

We rules stand alone

In a "policy zone"

But together, we are a handbook!"

Thank you for a chance to do this research and to write this dubious verse about it.



[1] Of course, "policy" is also used in other ways in the employment context.  A big example: it is often used in the NY Civil Service Law, which frequently refers to the development of "policy" (meaning governmental positions).  Second, it is used in the context of different types of insurance required of employers (a workers' compensation insurance policy, a paid family leave act policy, a disability insurance policy...etc.). 

Huh.  I have never thought about it before now, but we should really develop some more refined terms for different "policies."

[2] New York Labor Law 201-g

[3] New York Labor Law 218-b, aka the "HERO Act" (for more on that, see Footnote #7.)

[4] New York Not-for-Profit Corporation Law Section 715-b requires this of every not-for-profit that has "twenty or more employees and in the prior fiscal year had annual revenue in excess of one million dollars." 

[5] Or an "Employee Manual" or a "Company Manual" or whatever the employer wants to call it.

[6] The legal bases for why this acknowledgement is advised will vary based on the Handbook/Manual's contents and the employer's industry.

[7] For more on the HERO Act, see "Ask the Lawyer" RAQ  here: https://www.wnylrc.org/ask-the-lawyer/raqs/226

Tags: Employment, Labor, Legal Poems, Management, NY Labor Law, Policy

Topic: Retroactive Background Checks - 11/03/2021
We have a school district public library board considering requiring background checks for new emp...
Posted: Wednesday, November 3, 2021 Permalink

MEMBER QUESTION

We have a school district public library board considering requiring background checks for new employees. They are concerned that they may be legally required to background check all current employees. Would there be any legal reason they would need to do so?

WNYLRC ATTORNEY'S RESPONSE

[NOTE: for background to this short answer, please see the much longer "Ask the Lawyer" https://www.wnylrc.org/ask-the-lawyer/raqs/205, that addresses the tightrope walk/legal minefields of employee background checks.]

So, does a school district public library[1] implementing a background check for new employees have to also check their current ones?

The answer is: no; barring an over-ruling requirement (such as a term in a union contract) a library board can implement a background check policy for all hires going forward, without imposing a "retroactive check" requirement for current employees. 

However, I would never advise that approach.  Here are three reasons why:

1.  Possible discrimination

A policy to only check the backgrounds of "new" employees could have a disproportionate impact on candidates on the basis of age, or gender, or race (to name a few).  By not checking everyone, an employer risks the appearance of (or actual occurrence of) illegal discrimination.

2.  Possible liability

Employee background check policies are implemented to reduce risk.  If an employer is using employee background checks to reduce risk, there should be a very good reason for not checking all employees (such as a union contract that bars it[2]), or the employer risks a claim of negligence.

3.  Worker relations

A work environment should be a place of high trust.  By subjecting one class of employees ("new" employees) to heightened scrutiny, in addition to the possible concern mentioned above in "1," it creates an unbalanced environment for trust.  This is bad for morale.

I appreciate that background checks can come with a cost, so minimizing their frequency is helpful.  I encourage any library implementing such a policy to check with their "Directors & Officers Insurance" carrier, since sometimes, carriers offer resources to defray and even pick up the costs of the check.

 

Thank you for a thoughtful question.

 



[1] Of course, if a school district public library is in a school (not a common scenario; school district public libraries are largely autonomous and separate from school district property), and if the librarians are on the payroll of the district, then they are already being background checked and fingerprinted, per the chart here: http://www.nysed.gov/educator-integrity/who-must-be-fingerprinted-charts.  Of course, this question pre-supposes that the board is setting the hiring policy, which means the library is autonomous.

[2] Just to be clear, a contractual obligation to not conduct criminal background checks should never be in a collective bargaining agreement!  However, some reasonable restrictions on the scope of such a check would be consistent with NY law and policy.

 

Tags: Employee Rights, Employment, Ethics, Hiring Practices, Management, Policy, Privacy, Risk Management, Safety, School Districts, Background Checks

Topic: Name Tag Policies - 10/22/2021
Our library is considering a name tag policy as part of our focus on patron service.  What ar...
Posted: Friday, October 22, 2021 Permalink

MEMBER QUESTION

Our library is considering a name tag policy as part of our focus on patron service.  What are the legal "do's" and "don'ts" of an employee name tag policy?

WNYLRC ATTORNEY'S RESPONSE

When it comes to the legal considerations of employee name tags, there are quite a few "do's" and just as many "don’ts."  I'll set them out below, with the legal rationale behind the guidance.

DO pick a legible font.

Accessibility matters.  Consult an ADA guide and pick a font that is easy to read.

For this reason, employee name-tags should not be hand-written.

DON'T require employees to wear name tags without a "Name Tag Policy".

As we'll see, some of the details of name tag use can get tricky.  A well-thought-out, board-adopted policy is the best way to ensure the policy covers all the required bases and is enforceable.

DO have a good reason to adopt the policy.

A name tag policy should not stand alone; it should be part of an overall approach to patron service.

DON'T adopt a “Name Tag Policy” solely because of the request of one patron.

Of course, a patron request could kick off a board's consideration of adopting such a policy, but again, employee name tags should be part of the overall approach to library operations.

DO memorialize the reason for the policy in the board minutes.

For example: "WHEREAS the board has found that easily identifying library employees by their first name or nickname promotes a positive experience for patrons, visitors, and vendors, and enhances initiatives to promote confidentiality and security...."[1]

DON'T demand that employees put their full name on the name tag.

This has to do with safety and privacy.  Most definitely, a board can determine that name tags may be part of the patron experience, and request that employees wear a badge that includes their name.  However, unless the policy sets out a reason why a full name is needed, full disclosure should not be required.[2]  Further, if an employee wants to use a nickname,[3] to further avoid identification outside of the workplace, that option should be considered.

DO consider that the format for the name tag include an employee's pronouns

This is just a nice thing to do, but is also a good way to document a practice of honoring the identity of employees in a way that is consistent with state and federal civil rights laws.

DON'T pass such a policy without thinking about your union (if there is one)

If there's a union, before you pass such a policy, get some legal input on the contract.  And even if there isn't a union, think about the requirement from the perspective of the employee experience.

DO require volunteers to wear name tags, if employees in similar situations are so required.

This goes back to documenting the reason for the name tag policy.  If the practice is that every employee working in patron-facing areas wears a name tag, patron-facing volunteers should, too.

 



[1] This is just an example.  There are many other reasons that a board may base its decision on.  The point is that the reasons should be genuine, and be documented.

[2] This one pains me because I tend to be a stickler for formality; upon first meeting someone, I would rather they call me "Ms. Adams" rather than "Stephanie" (which only strangers and my mother call me, since my nickname is "Cole").  So, if there is a library out there that wants to go formal "Ms. Adams/Mr. Adams/RP Adams," that's fine, too.  The point is: full names should only be displayed if it is determined they are necessary.

[3] Nicknames are okay, but DON'T let them detract from the professionalism of the workplace.  In one sexual harassment case, the manager of a bar used the nickname "Big Daddy" on his name tag.  It was found that this (and other actions of debatable taste) were not a legal violation, but as the judge dismissed the case, he commented that the behavior was "obnoxious and puerile" (see Urban v Capital Fitness, 2010 [EDNY Nov. 23, 2010, No. CV08-3858(WDW)]).  But of course, this was found to not be a violation in a bar, not a library.  And remember, things have changed a lot since 2010.

 

Tags: Employment, Policy, Privacy

Topic: Presenters and vaccination requirements - 09/01/2021
In the RAQ you provided an answer about vaccine requirements for new hires. What about performers ...
Posted: Wednesday, September 1, 2021 Permalink

MEMBER QUESTION

In the RAQ you provided an answer about vaccine requirements for new hires. What about performers or presenters we hire to come into the library, especially to work with children? Are we allowed to ask/require proof of vaccination status before signing a contract?

WNYLRC ATTORNEY'S RESPONSE

A library needs two documents to address this issue:

1.  Its template contract or "rider"[1] for performers and presenters;[2]and

2.  Its current Safety Plan.

How does the contract/rider come into play?  One of the conditions it should list is a "behavior requirement," requiring that any person performing a service at or for the library "will abide by the library's policies, and the reasonable requests of library staff."[3]

How does the Safety Plan[4]  come into play?  This is the document that likely addresses vaccination, PPE, and other safety requirements for those visiting your library.

Now, see how the two work together: the Safety Plan is a library policy; the "behavior requirement" means visitors must follow it.

When the two documents are assessed together, if it isn't crystal-clear that the library requires proof of vaccination before performance, the Safety Plan or the contract/riders--or both--can be amended to require:

To maximize the safety of in-person events, the ABC library requires all providers of in-person events to provide current proof of vaccination against COVID-19 at least seven days prior to the event.

 The ABC library will consider remote options if a prospective performer or presenter requests such a change as a reasonable accommodation under the ADA due to a disability.

How can this be done so simply?

While there are many nuances that libraries must consider prior to flatly requiring vaccination for all employees,[5] WHEN IT COMES TO CONTRACTORS PROVIDING ONE-TIME OR PERIODIC PERFORMANCES,[6] unless there are grant requirements or other obligations specifically hemming a library in, a library can be more blunt in its requirements.

While they can be a very beloved part of a library's offerings, independent contractors have less rights than employees when it comes to a library imposing the conditions on performance. This is because, whether incorporated, or working "DBA", independent contractors are free to accept and reject the terms of any particular contract--and thus have more leverage and freedom than employees.[7]  And because of that, when it comes to requiring them to provide proof of vaccination, there are a few less legal hoops to jump through than with employees (new, or otherwise).

So, after all that, what were the questions? "What about performers or presenters we hire to come into the library, especially to work with children? Are we allowed to ask/require proof of vaccination status before signing a contract?"

 

The answer is: with the right policy and contract terms[8] in place: yes.



[1] A document you can attach to the performer's contract or proposal, setting the terms of the work.

[2] There are any number of forms a standard contract or "rider " for a library to engage performers and presenters can take. It can be in the form of a friendly letter that outlines the terms of the arrangement, or it can be a more formal document that sounds like it was written by a lawyer. Either option is OK, so long as it addresses the fundamental questions: what is being done, how much the person is being paid to do it, and what rules and expectations protect the library from any risks related to the performance. For comments on contracts for performers (both generally and in the COVID Times), dive back into history and review the "Ask the Lawyer" at https://www.wnylrc.org/ask-the-lawyer/raqs/125.

[3] Very standard stuff.

[4] Which at this point (August 2021) you have probably amended at least five times.

[6] Because contracts with providers of more essential/routine services such as delivery, cleaning, and security are likely to be more complex, this guidance does not apply to those types of services...although of course a library can explore amending a contract with such a provider to require maximum allowable safety measures.

[7] That's the theory, anyway.

[8] A library should work with a lawyer to have a stock performance contract tailored to that library's identity, insurance coverage, and other unique factors.

Tags: ADA, COVID-19, COVID-19 Vaccine, Employment, Library Programming and Events

Topic: New Hires and Vaccination - 08/20/2021
Can we require new hires at the library to be vaccinated, and if so, how should we word this on th...
Posted: Friday, August 20, 2021 Permalink

MEMBER QUESTION

Can we require new hires at the library to be vaccinated, and if so, how should we word this on the job application, and how are we allowed to ask for proof of vaccination? What if the new hire is not vaccinated because of religious reasons. If the library requires those who are not vaccinated to get COVID tested weekly, does the library have to pay for those tests?

WNYLRC ATTORNEY'S RESPONSE

Underlying all these highly specific questions is one Big Question: Can employers require vaccination? "Ask the Lawyer" addressed the Big Question on December 18, 2020, and that answer is perma-linked at: https://www.wnylrc.org/ask-the-lawyer/raqs/186.  For any reader who is new to this issue, or who needs a refresher, please read #186, because this answer uses that background to jump right into things.

And with that, let's jump right into things...

Question: Can we require new hires at a library to be vaccinated?

Answer: Only if the library's safety plan requires it, AND the job description of the specific position contains essential duties that cannot be performed without risk of transmission .[1]

Question: If so, how should we word this on the job application?

Answer: Here is one way:

"The essential duties of this position and the library's safety protocols require vaccination for COVID, therefore, an up-to-date COVID vaccination status is a requirement of this position."

Question: Are we allowed to ask for proof of vaccination?

Answer: Yes, but if you do, the library should have a written plan to maintain confidentially (this should be part of a Safety Plan).

Question: What if the new hire is not vaccinated because of religious reasons?

Answer: If being vaccinated is a "bona fide" occupational requirement of the position (which is what a library does by confirming that the essential duties of the position and the library's safety protocols require vaccination for COVID), a person who is not vaccinated will not become the new hire--regardless of medical or religious reasons.

As the question points out, this is a high-stakes game.  So, it is critical to work with the library's HR consultant or civil service liaison to update the job description so the front-facing work, or collaborative work, that require vaccination for that particular position is genuine.  If the "essential duties" of the position include numerous activities that could be done remotely, or in solitude, it may be that the job can be modified to accommodate either health or religious needs--both of which must be given maximum deference whenever the job requirements and the resources of the library make it possible.

Question: If the library requires those who are not vaccinated to get COVID tested weekly, does the library have to pay for those tests?

Answer:  I am not comfortable endorsing a Safety Plan or any type of procedure that includes a COVID testing requirement based solely on vaccination status.

Here is why:

The EEOC is currently the go-to agency for guidance on balancing privacy, disability, and employment needs when it comes to COVID.

Current EEOC guidance (posted at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws) as of August 16, 2021, states:

The ADA requires that any mandatory medical test of employees be “job related and consistent with business necessity.” Applying this standard to the current circumstances of the COVID-19 pandemic, employers may take screening steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others. Therefore an employer may choose to administer COVID-19 testing to employees before initially permitting them to enter the workplace and/or periodically to determine if their presence in the workplace poses a direct threat to others. The ADA does not interfere with employers following recommendations by the CDC or other public health authorities regarding whether, when, and for whom testing or other screening is appropriate. Testing administered by employers consistent with current CDC guidance will meet the ADA’s “business necessity” standard. [Emphasis added]

Here's where the COVID daisy-chain begins: the EEOC is basing its notion of "basic necessity" on the guidance from the CDC.

Here is the "current CDC guidance" (posted at https://www.cdc.gov/coronavirus/2019-ncov/symptoms-testing/testing.html) as of August 16, 2021:

Who should get tested for current infection:

  • People who have symptoms of COVID-19.
  • Most people who have had close contact (within 6 feet for a total of 15 minutes or more over a 24-hour period) with someone with confirmed COVID-19.

-Fully vaccinated people should be tested 3-5 days following a known exposure to someone with suspected or confirmed COVID-19 and wear a mask in public indoor settings for 14 days or until they receive a negative test result.

-People who have tested positive for COVID-19 within the past 3 months and recovered do not need to get tested following an exposure as long as they do not develop new symptoms.

  • Unvaccinated people who have taken part in activities that put them at higher risk for COVID-19 because they cannot physically distance as needed to avoid exposure, such as travel, attending large social or mass gatherings, or being in crowded or poorly-ventilated indoor settings.
  • People who have been asked or referred to get tested by their healthcare provider, or statetribal, local or territorial health department.

Nowhere on this list is "unvaccinated employees who report to work as usual." [2] A dilemma, right?

Not as I see it.

As I see it, while we can all find something to complain about in the lurching, evolving guidance from the alphabet soup of EEOC, NYSDOL, OSHA, NYSDOH, WHO and CDC, this current configuration makes perfect sense.

Why? Because this approach achieves balance.  Within these confines, libraries (along with other employers) are positioned to structure job requirements to be as safe as possible--not just for employees, but for the communities they serve.  The structure and requirements, however, must be "bona fide," meaning that personal safety, privacy, freedom of association, and respect for conscience are positioned to be honored, while ensuring they do not gain primacy to the detriment of public safety as a whole.

For these reasons, I will not answer the question as posed.  However, I will answer:

Question: If the library requires employees who trip a current CDC risk factor (showing symptoms, close contact, etc.) to get COVID tested, does the library have to pay for those tests?

Answer: I have found no requirement that an employer pay for a COVID test that is used as a pre-requisite for returning to work.  Of course, for employees who are sick, or on mandatory quarantine, or have been sent home by their employer for tripping a COVID factor, the protections for paid sick leave[3] that were set up earlier in the pandemic still apply.

And I will add this bonus question:

Question: If the library decides to use routine random COVID testing of all on-site employees as part of a Safety Plan, does the library have to pay for those tests?

Answer:  An employer cannot require an employee to pay for a COVID test,[4] and cannot deduct the cost of such a test from a paycheck, so if the employer sets up random testing as part of a Safety Plan, the employer must pay for it.



[1] Bearing in mind all the caveats set forth in https://www.wnylrc.org/ask-the-lawyer/raqs/186.

[2] I suppose an employer could categorize an unvaccinated employee as having "taken part in activities that put them at a higher risk for COVID-19" simply by reporting to work.  But would an employer want to admit to allowing such risk to take place?

[4] Remember, an employee who is out due to symptoms, exposure, or ordered quarantine can "wait it out" and doesn't have to take a test.

Tags: ADA, COVID-19, COVID-19 Vaccine, Employment

Topic: Keeping an Employee Job Open - 08/20/2021
How long can an association library (or other private museum or archive) hold open a job while an ...
Posted: Friday, August 20, 2021 Permalink

MEMBER QUESTION

How long can an association library (or other private museum or archive) hold open a job while an employee is out on disability due to a work-related injury?

WNYLRC ATTORNEY'S RESPONSE

Before answering this question, I have one over-arching comment: the member who sent this inquiry was wise to submit the question when they did; it is not the type of question to be handled without the input of a pro.[1]

Why is that?  This type of situation is, of course, riddled with legal pitfalls.  ADA, FMLA, paid sick leave law, workers' comp law, OSHA, union contract (if relevant), NY Civil Rights law, personal injury law, employee manual compliance...the list of legal considerations is lengthy.

But just as, if not more critical--and often buried in all the legal--is the fact that a place that "fires" a worker after they were injured in the line of duty risks seeming...heartless.  Mean.  Cruel...or at least, unfeeling.

Fortunately, focusing on the human sides of this type of issue (how is the employee doing?  Are they getting everything they need from the library's comp carrier?  Might their doctor clear them for light duty? How has the injury impacted their family? How are co-workers handling the loss of their co-worker's contributions?) will actually build the best framework for taking care of all the details that are "legal."

How can that happen?  With the pro helping them do things like: drafting a leave letter, developing an interim staffing plan, and planning for the employee's return to work, the Board has time to focus on the human factors.

So, how long can a library hold open a job while an employee is out on disability due to a work-related injury?  There are too many factors to give a numerical answer.  This is one where a library, museum, archive, historical society, etc. should seek a professional[2] to get a custom response--enabling leadership to focus their energies on concern for the employee, the workforce, the community, and the library.

 



[1] The "pro" I refer to does not have to be an attorney.  They can be an experienced HR professional or administrator. 

[2] This is one where your System or your regional council's "Ask the HR Expert" service can be an invaluable resource.

Tags: ADA, Employee Rights, Employment, Workers Comp

Topic: Minor Employees and Obscenity in the Library - 08/06/2021
I appreciate your thorough treatment of the topic of pornography in libraries, especially couching...
Posted: Friday, August 6, 2021 Permalink

MEMBER QUESTION

I appreciate your thorough treatment of the topic of pornography in libraries, especially couching it in the larger context of objectionable content. Our library's policies and staff training take a similar approach.

In reviewing our Employee Handbook, our fairly standard Sexual Harassment Policy, and my staff training & orientation on the topic, one trustee raised the question of the library's liability in the case of minors -- specifically, minor employees -- being subjected to viewing pornography in their workplace. The trustee thinks that minors viewing pornography is flat-out illegal, and I don't understand the subject well enough to explain whether it's a civil or criminal liability, or who would be liable in the case of a child glimpsing an adult's perusal of graphic sexual content; or whether we, as employers, should have some kind of parental consent form for minor employees, as we employ Library Pages as young as 14 years old.

Assuming a set of library policies structured as you have previously advised, what, if any, liability does a library have for minors inadvertently viewing adult pornography? And what, if any, modifications to hiring, training, and workplace procedures do you recommend for minor employees?

WNYLRC ATTORNEY'S RESPONSE

This submission stands at the complicated crossroads of First Amendment, employment law, library ethics, and equal protection.[1]

As such, I could write on this topic endlessly.  But "Ask the Lawyer" is not here to provide endless commentary, but rather, helpful guidance inspired by real-world questions. 

So here is some (hopefully) helpful guidance, centered on a real-world example (culled from my summer reading):

I recently read a powerful graphic novel called "I Know What I Am"[2] about the life and times of artist Artemisia Gentileschi.

Gentileschi was a powerhouse painter in the 17th century.  She was also a survivor of sexual assault, a businesswoman, and a mother who, as portrayed in the comic book, channeled her experiences into her painting.

"I Know What I Am" pulls no punches depicting Gentileschi's life.  The artwork--which re-creates many of Gentileschi's own works, including her different versions of "Judith Slaying Holifernes"[3]--is stark, bloody, and riveting.[4]  The portrayals of sex and sexual abuse do not leave much blood in the gutters.[5]

Of course, as a literary work, "I know What I Am" checks all the boxes for not triggering a charge of "obscenity" as defined in New York (including having literary merit).  But that said, select panels from the book could very easily be regarded as inappropriate for some audiences--and not just for "minors."  The content is very raw, and for those sensitive to certain topics, could exacerbate or evoke trauma.

None of that, of course, creates a legal violation caused by the content itself--even if it is in a library being shelved by a 14-year-old--but it does show why there is a need to consider questions such as those raised by the member. 

Which, using "I Know What I Am" as a focal point,[6] I will now do.

First question:  [Is] minors viewing pornography ... flat-out illegal?

Answer:  The word "pornography" does not appear in the New York State Penal (criminal) Law.  Rather, New York uses numerous defined legal terms (such as "harmful to minors,"[7] "obscenity,"[8] "indecent material"[9] and "offensive sexual material"[10]) to describe criminal acts that can lead to a charges based on providing access to certain content under certain circumstances (including to people of a certain age). 

However, because of the defenses very carefully built into these laws, none of these concepts can be accurately applied to a properly cataloged item being accessed by a minor who is doing their defined job per library policy.

That said, both internet porn and content with undisputed literary merit such as "I Know What I am" could be handled or displayed in a way considered harassing (a civil rights violation), damaging (a personal injury claim), or criminal if the access is gained or forced on/by a minor without adherence to collection and library policies, and job descriptions.

Here are some examples as to how that could happen:

  • A library employee retrieves books with suggestive titles or sexual content and repeatedly leaves them in another page's locker as a prank, and even when it is reported, the library does nothing to prevent it from recurring (sexual harassment);
  • A clerk knowingly and with intent to harm directs a page who is a recent sexual assault survivor to create a book display of "I Know What I Am" [11] (risking a charge of sexual harassment; possible personal injury); worker's comp claim);
  • A community member donates a stack of old "adult" books for the annual book sale and the director knowingly assigns a 14-year-old to inventory them (risking a charge of material harmful to minors, which requires a "sale" element to be actionable);
  • A patron repeatedly violates the library's policy about viewing sexual content on publicly viewable computers, and no one corrects the serial policy violation (risking a charge of display of sexual material, as well as sexual harassment).

Aside from the legal concerns caused by these types of extreme examples, of course, there is the very real and practical concern that parents of a minor employed by a library could take issue with some of the content their child has to work with...even if it is entirely legal.

In that regard, I can only say that inviting concerned parents to review the library's well-thought-out accession, cataloging, and appeal policies is a pro-active way to ensure parents know that the library takes both its role as an employer of their child, and as a champion of a community's intellectual freedom, seriously.[12]  Parents or guardians of minors working in New York will have already had to sign working papers; no waiver or disclaimer should be further required.[18]

Which brings us back to the point the member raised in the beginning of their question: the importance of having--and enforcing--policies that govern accession, appeal, cataloging, display, and sexual harassment/discrimination (careful adherence to job descriptions and good training on how to enforce policy in the moment are essential, too).[13]

In New York, both the criminal and civil law contain robust protections for libraries working with material some may find inappropriate, offensive, or challenging, but those protections do rest on proof of operating in harmony with the law.  By having clear policies and documenting adherence to them, a library can be ready to weather accusations of illegal conduct. 

Which brings us to the member's last questions:

Assuming a set of library policies structured as you have previously advised, what, if any, liability does a library have for minors inadvertently viewing adult pornography?

If the viewing was truly "inadvertent," and any policy violation that allowed it to occur is quickly corrected, nothing further is needed.[14]

And what, if any, modifications to hiring, training, and workplace procedures do you recommend for minor employees?

Speaking as a former "minor employee" of a public library,[15] a good employee orientation, and regular reinforcement, on the fundamentals of library ethics and the policies that protect employees is a very valuable thing. 

This is already something most libraries are doing, but here are some helpful points to reinforce:

  • Prior to hire, a minor employee should review the job description with their supervisor, and have a chance to ask questions;
  • All employees must be trained to respect patron confidentiality and be trained on how to deftly demur requests by third parties for patron information;[16]
  • All employees are entitled to respectful treatment from patrons and co-workers, and should know to whom they can direct questions and concerns about their employee experience;
  • The library has a suite of policies for selecting, challenging, cataloging, and weeding books, and minor employees who might not have direct responsibility under those policies should know they exist, and how to direct questions about them;
  • Minor employees, in particular, should be trained on how to immediately report observed or reported policy violations (including those related to pornography and harassment);
  • Library employees who are not legal adults (18) should feel free to ask questions, should know to whom those questions and concerns can be directed, and should get meaningful and timely answers so they feel respected.

All of this should be reflected in a hire letter or orientation packet, so parents, if they choose to ask their child to view the terms of their work,[17] can do so.

Not too much to remember in your day-to-day life keeping the library up and running, right???

Thank you for an excellent question.

 



[1] And even a bit on the law defining what a "minor" is--a status that can shift based on which law is being applied, where.

[4] Being a businesswoman myself, I found the "business" parts just as compelling as the violent parts, although much of the drama in that part is subtext.

[5] "Blood in the gutter" is a phrase from comics book publishing, meaning the violence happens between panels.

[6] I could also have picked something a bit more salacious to use as an example (something that only barely makes the "literary value...for minors" test) but why waste the opportunity to tout a great book?

[7] NY Penal Law 235.20

[8] NY Penal Law 235

[9] NY Penal Law 235.21

[10] NY Penal 245.11

[11] I know, this is a very far-fetched example.  At least, I hope it is, since it illustrates truly sociopathic behavior.

[12] If a library wants to go even further and have minors only work in the Children's Room, where they will by policy only work with materials cataloged for youth, that could be an extra precaution, although it is not personally one I endorse.  Library work, like legal work, is for people who can approach all of life's variety with maturity and aplomb.

[13] As referenced by the member, past discussion of how policy plays into managing concerns about pornography is here: https://www.wnylrc.org/ask-the-lawyer/raqs/60.

[14] From the legal perspective.  I can't say if counseling, getting ready for picketing, or bracing employees for an angry phone call from parents is in the future. 

[15] New Hartford Town Library, when I was 16 and 17.

[16] I know this isn't quite on point, but the balance between respecting patron confidentiality, and enforcing respect for employees, can be tricky if people don't grasp the fundamentals.  Just because you have to keep mum on what a patron is checking out doesn't mean you keep mum about inappropriate comments!

[17] The topic of a guardian or parent viewing or interceding with the employment relationship of their child is too big for this reply.

[18] Update 11/05/2021: We received a request for clarification about when to use this tactic.  As posted in the clarification here [https://www.wnylrc.org/ask-the-lawyer/raqs/241] I intended this guidance to convey that the information about accession, cataloguing and appeal policies be supplied only after a parent expresses concern.

 

Tags: First Amendment, Management, Policy, Employment, Obscenity

Topic: School Closures and Teachers Pay Teachers - 3/26/2020
With the recent closing of schools I and my membership have been asked a great deal about Teachers...
Posted: Thursday, March 26, 2020 Permalink

MEMBER QUESTION

With the recent closing of schools I and my membership have been asked a great deal about Teachers Pay Teachers. Is it responsible for teachers and districts to provide students with materials purchased through this service?

WNYLRC ATTORNEY'S RESPONSE

[NOTE: This answer is part of our ongoing response to institutions moving to online instruction as part of the world’s response to COVID-19.  For additional Q&A on that, search “COVID-19” in the Ask the Lawyer search utility.]

“Teachers Pay Teachers” (“TPT”) is an interesting service that allows teachers to license (sell rights to) others who need customized lesson plans and educational material.[1]

The member’s question relates to the TPT license, which governs what individuals and organizations can do with the content.

If the member’s question is asking: does the TPT license allow us to print and distribute the materials in hard copy for packets sent out by the District?  The answer is generally: yes.

If the member’s question is asking: does the TPT license allow us to distribute the materials electronically using e-mail or a website or a Learning Management System? The answer is generally: it depends.

I spent some time on TPT’s website reviewing their “Terms of Service”[2] and I believe teachers and organizations will need to examine the license for each separate purchase to confirm that electronic distribution is allowed.

Why? TPT’s “Terms of Service” largely allow for the creation of hard copies,[3] but their default conditions bar online distribution.  HOWEVER, TPT also allows the teachers supplying the content to loosen those default restrictions[4] (including allowing distribution on the web[5], e-mail, etc.)…so while one lesson purchased from TPT might not allow a web or e-mail distribution, another might. 

This can change not only from author to author, but content to content, so it is important to read the fine print.[6]

I would add: these are early days in the pandemic response.  As of March 26, 2020, TPT did not have any expressly Covid-19 policies on its website.  Nevertheless, like other online and tech providers, they may realize their hour has come, and take action. 

What will that action be?  I can’t say; a crisis brings out the best and the worst in businesses.  Some businesses will try and simply profit from the current situation; others will dig deep, conclude we are all in this together….and try to find at least middle ground. 

Looking at their Terms, Teachers Pay Teachers has made commitments to individual content providers it cannot easily change on a dime.  But remember, TPT empowers its individual content providers to set their own terms—so long as those terms are more liberal that the TPT baseline.  So keep your eyes on those product-specific, unique terms of use.  I imagine many teachers will feel compassion for the teachers and students impacts by this public health emergency, and liberalize their restrictions.

Thank you for this important question.

USING LICENSED CONTENT TIP: If you or your institution conclude that TPT or another license does give you permission for electronic distribution, it is a good idea to take a screen shot of that license and save it (just e-mail it to yourself in a place where you know you’ll have it for 3 years after you’re done use the content).  Online content providers can change the terms they post, without warning—and you want to be able to show that on the day you made the call to share the content electronically, the licensor allowed you to do so.

 



[1] Because some educational institutions own the rights to teacher-generated materials, and some do not, the Teachers Pay Teachers model is a fascinating study in copyright issues—but a global pandemic is not the time to muse over that.

[3] The Terms of Service allow you to: “Print and make copies of downloadable Resources as necessary for Personal Use. Copies may be made and provided to your students, classroom aides, and substitute teachers as necessary. Copies may also be made for students’ parents, classroom observers, supervisors, or school administrators for review purposes only. Hard goods and video resources may not be copied, shared, or otherwise reproduced.” [emphasis added]

[4] But not further tighten them.  Like I said, a really interesting model.

[5] For instance, one license I looked at, for a chemistry class, said: “These resources may not be uploaded to the internet in any form (including classroom websites, personal web sites, Weebly sites, network sites) unless the site is password protected and can only be accessed by the students of the licensed teacher.”  In other words: yes, you can distribute them electronically, if you use a restricted system!

[6] The diversity of author-specific permissions I saw on TPT was really interesting. Some folks just want credit.  Others want you to not send the content, but drive people to their own personal listings (so their analytics show the hits).  I bet some, in the coming days, will even change their permissions to respond to the pandemic with compassion.

Tags: COVID-19, Emergency Response, Licensing, School Libraries, Teachers Pay Teachers, Employment

Topic: Previous Employer re-assigned authorship of LibGuides - 3/12/2020
Many librarians create and post LibGuides through Springshare.  Right now, when an employee l...
Posted: Thursday, March 12, 2020 Permalink

MEMBER QUESTION

Many librarians create and post LibGuides through Springshare.  Right now, when an employee leaves a library, the LibGuides they created can be attributed to another library employee after they leave.  Does this create a legal concern?

WNYLRC ATTORNEY'S RESPONSE

 I am a hands-on kind of lawyer.  When I do a real estate deal, I visit the property.  When I advise a historic preservation group, I drag my kids to see old houses.  When I represent a bakery, I try not to pack on an extra five pounds, but it’s always touch-and-go.

So, when this question came in, I hopped on SpringShare and checked out their product description for LibGuides, and pretended I was going to write one.  I delved into the license terms and the mechanics of the utility.  I observed how their various products work together, or a la carte.

On the SpringShare website, LibGuides is summarized this way:

LibGuides is an easy-to-use content management system deployed at thousands of libraries worldwide. Librarians use it to curate knowledge and share information, organize class and subject specific resources, and to create and manage websites.”

I checked in with a few librarians I know (one of whom works in my office), and they reported that yes, the product is widely used and popular.  While mine was a very unscientific survey,[1] the  day I hopped on, SpringShare’s web page boasted participation by “6,100 libraries” and “82 countries” and “130,300” librarians.

I noticed a lot of legally interesting things when I was down the SpringShare rabbit hole, but I what I focused on was the member’s question: is there a legal concern related to attributions of LibGuides content?

I started with the LibGuides License,[2] which states:

OWNERSHIP OF DATA: Licensor does not own any data, information or material that you submit to the Software ("Customer Data").

In other words, SpringShare (the licensor) confirms that the subscriber (the licensee) owns the content they put on LibGuides.

The License then goes on:

You, not Licensor [remember, Springshare is the “Licensor”], shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of all Customer Data, and Licensor shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any Customer Data.

This means that while the licensee (the subscribing librarian or library) owns the content, they are also responsible for the consequences created by any content they don’t have the rights to (infringement claim, violation of privacy claim, etc.).

This is a very typical approach for content-sharing platforms.

The License then states:

In the event this Agreement is terminated, Licensor will make available to you a file of the Customer Data in XML format within 30 days of termination if you so request at the time of termination.

Isn’t that generous?  If you remember to ask nicely at the time you terminate the contract, you (the Licensee) have thirty whole days retrieve your property.[3]

This property arrangement is at the heart of the member’s question.  SpringShare claims no ownership of the content placed on LibGuides.  That content, unless licensed from another, is supposed to be owned by the licensee (the person or entity contracting with SpringShare for the service).

But is the “licensed LibGuides user” the content owner?

That depends.

In the member’s question, the “licensed LibGuides user” was probably the library (it would be very unusual, and not business-appropriate, for an account for an institution to be in an individual person’s name).  So, the library is the one getting assured they own the content put up through the account, and the library is the entity responsible in the event the content causes a problem (infringes copyright, invades someone’s privacy, etc.).

Now this is where the issue gets sensitive.  Under copyright law, content generated by employees, AS PART OF THEIR REGULAR DUTIES, is owned by their employer—unless a contract, policy, or hire letter says otherwise.  This “default rule” is spelled out in section 201(b) of the Copyright Act.[4]

How does this play out in the work environment? It varies.  Many librarians are part of a union, which means the written work they generate as part of their job might not be subject to the above-described “default rule” (a collective bargaining agreement can change the terms of employment related to copyright).  Still others work in environments where this “default rule” has been changed through a policy, or a hire letter.

This lack of uniformity means that any librarian composing LibGuides, who wants to use their compositions after they move to another job, should make sure they know where they stand when it comes to “employee-generated intellectual property.”  Does their workplace follow the “default rule?”  Does a union contract, policy, or hire letter change the “default rule?”  And is writing a LibGuide even part of their duties?

This is critical, because depending on who owns the content, they are free to do as they like with it: keep it up, remove it, change it, update it, etc. (of course, what they do on LibGuides is limited by the License and the technology).  And it is also critical because the current configuration[5] of LibGuides seems, to me, to create a potential problem.

Now, that addressed the legal part of the question; the answer is: yes, there are some legal concerns.  But the “legal” concerns might not be the full scope of the concerns presented by the question’s scenario.  Attribution of authorship is different from ownership, but it can be a critical issue of integrity.

My understanding of how LibGuides functions is that the account holder can change the roles, authority, and people admitted to create, modify, or access the content.  Within LibGuides, subscribers have the ability to assign users (Admin users, Regular users, Editor users, Contributor users, and Patron users) with different levels of access and authority.[6]

Within this structure, “Admin users” (who have the highest level of authority over an account), manage the Licensee’s use of the service.  The settings are changeable, and different LibGuides can be assigned to different users.

But what was WILD to me is that when a librarian leaves a library, to maintain the LibGuide, the library has to assign another staffer to the Guide.  That’s fine and makes sense, but because of LibGuide’s interface, that new person is then listed as the librarian in charge of the guide, and the way the screen looks (to me) the implication is that they are the author.

I believe that is the genesis of this question; people who took pride in their creation of a LibGuide first attributed to them are now seeing (implied) authorship (seemingly) attributed to another.  I have to admit, whether I owned it or not, that would sting a little.  Writing, even if it’s for your job, can be a very personal endeavor.

This seems entirely due to the design of the interface.  Between you, me, and the Internet,[7] it seems like a needless and utterly solvable problem.  And while not necessarily a legal issue (although if the former employee owns their work, it could be) it strikes me as a serious ethics/integrity/relationships issue.

Authorship is something people take seriously, especially in the arenas of academia and publishing—worlds in which librarians play an essential role.

How can this be solved?

First, LibGuides might want to think this through and develop a solution.[8]  But until then, libraries using LibGuides should assess their legal position (do they own their employees’ work under the “default rule”?  Or does a contract or policy say otherwise?) and, think how this phenomenon rests with their values.  On the flip side, librarians who create a great LibGuide and then want to move on in their professional careers should pay attention to who is the LibGuide’s “owner” and be mindful that a LibGuide owned by their employer will not always be in their name.  Further, the mutable nature of LibGuides (they are designed to be updated, altered and changed) means you might not always want to be associated with what the Guide turns into!

Thanks for a great question.



[1] “Unalytics.”

[2] “Terms of Use” and licensing agreements can be treacherous!  Services change them from time to time.  This was posted as of 3/6/2020, but always get your contract answers straight from the source.

[3] As a rule, I try to avoid snark and sarcasm in the “Ask the Lawyer” service.  Such rhetoric doesn’t age well, and there are defter ways to be funny.  That said, this one deserves some snark.  Thirty days, and then potentially thousands of dollars of your assets are lost?  Not so great.

[4] The law reads: “In the case of a work made for hire [which includes “a work prepared by an employee within the scope [their] employment”] the employer or other person for whom the work was prepared is considered the author for purposes of this title, and, unless the parties have expressly agreed otherwise in a written instrument signed by them, owns all of the rights comprised in the copyright.”

[5] As of March 6, 2020.

[6] On March 6, 2020, I found these categories on the LibGuides FAQ at ask.springshare.com/libguides/faq/1119#general.

[7] Hi, SpringShare!  I am confident you can fix this!

[8] For instance, I would create a “Legacy Content and History” option for customers, where the evolving work and chain of authors could be tracked.  Of course, that would still put the ultimate fate of the content in the hands of the employer, but it would empower them to maintain good feelings between librarians.

Tags: Copyright, LibGuides, Licensing, Ownership, Employment

Topic: Library Files - 1/24/2020
What recourse may a library board take, if a former director removes all library files from a libr...
Posted: Friday, January 24, 2020 Permalink

MEMBER QUESTION

What recourse may a library board take, if a former director removes all library files from a library owned computer that relate to the running of the public library?

WNYLRC ATTORNEY'S RESPONSE

Every employer struggles with this issue: give employees enough access to electronic information to do their jobs, but protect that information from accidental disclosure, file corruption, and theft.

Solid practices like routine security updates, back-ups, password re-sets, and employee training can help a library avoid the worst IT disasters.  But what if someone in a position of trust simply abuses their access?  What if a scenario like the member's question should arise?

There is a process to address this type of scenario.  In order to ease an adrenalized mind,[1] it is presented below in grid form.

Upon suspicion that files have been removed or inappropriately removed by a former library employee, follow these steps to assess what recourse a board might have:

Action

Why you do this

Results

1.  Upon suspicion that files have been removed, if possible, do not take further steps alone.

Create an "Initial Response Team" of at least two people to do the next four steps, and designate one of them as the note-taker and document-keeper.

If your library's computer system is supplied or supported by a cooperative library system, one of these people should be from the system.[2]

Organizing a time-line and take photos or screenshots of information showing the potential problem.

The facts you assemble and first steps you take may have far-reaching consequences for your library's response and recovery, as well as for the potential wrong doer.

At this stage, however, you'll just be documenting what appears to be missing.  No deep-dive investigation.   It should only take an hour or two.[3]

Initial Response Team formed and responsibilities of team members made clear.

Note-taker assembling information.

2.  Without letting it take more than an hour (or two) and without making any changes to your system, assess and create an informal list of what appears to be missing (file types, specific types of information, locations), when this was noticed, and what the first signs of the concern were.  This will be your "Initial Inventory."

You need to have a foundation for your next steps, so you're creating a quick description of the possible situation.

An Initial Inventory you will use in the next few steps.

Note: The "Initial Inventory" is not an attempt to assess what happened, just to list what might be missing, and a few initial details.

 

3.  Look over the Initial Inventory.  Could any of the missing files contain personal/private information, such as: name, address, date of birth, ssn, library card number, credit card information, contact information, banking information, health-related information, computer use, passwords, or circulation records?

If the answer is "yes," add the phrase "…possibly includes loss or compromise of private information and/or library patron records" to the Initial Inventory.

This part of the Initial Inventory will help those assessing the issue quickly appreciate the possible privacy and confidentiality  implications of the situation.

4.  Contact the library's insurance carrier, and alert them that you may have had a loss of data related to "unauthorized computer access that may involve a former employee."

If your Initial Inventory includes a "yes" to Step #3, also state: "The situation may have involve personal and confidential information."

If your initial contact is by phone, confirm the notice via a letter or e-mail.

Depending on your library's insurance type, you may be covered for this type of event.

Notifying your carrier and following up in writing will help the library determine if the carrier will provide coverage and/or assistance for the event.

Timely notice to the library's insurance carrier, enabling your carrier to let you know if you have coverage and if they can provide assistance in recovering from the event.

NOTE:  If the event is covered, some or all of the remaining steps could be impacted by the participation of the carrier.

5.  With the Initial Inventory complete and the carrier on notice, the board (or director, if the board has delegated the right amount of authority to them) must decide who is in charge of next steps: the full board, a board committee, the Director and a team, or any combination of people needed to assess the matter. 

This "Response Team" should have the power to appoint a qualified professional to assess the situation, to retain legal assistance if warranted, and to recommend a final course of action to the board.

In no event should a report to the board (or Executive Committee) extend the timeline for arranging a response beyond 3 business days.

Unauthorized computer access involving a former director (or any employee) is serious enough to warrant board involvement, whether or not personal and confidential information.

This is especially true since, in a worst-case scenario, the library may have to report a data breach, expend resources to re-create or retrieve the information, work with an insurance carrier to recover from the loss, consider if any aspects of the former employee's contract or severance apply (if there was either/or) and based on what is discovered, consider whether or not to file a report with law enforcement.

Clarity as to who is in charge, what level of authority they are working with, and who they will bring on to assist with the investigation and recovery.

6.  Alert the library's lawyer by sending them a copy of the Initial Inventory, and connect them to the Response Team, so they can assist at needed.

 

It will be the lawyer's responsibility to work with the Response Team and others to ensure the library is positioned to seek relief from the carrier or the former employee, to assess any relevant contracts (for instance, if the files were deleted from a cloud server), and to advise the board about filing a report with law enforcement, or pursuing civil remedies.

Attorney-client privileged input to help assess response options in the best interests of the library.

7.  The Response Team should retain a qualified IT/data security professional to assess and develop an "Incident Report" with a Final Inventory of what is confirmed as missing, a conclusion as to how it went missing, and if/how it can be recovered.

This should be done within 3 days of discovery and before there are any changes to the system.   Ideally, this work should only be performed after the library and the IT professional sign a written contract that is reviewed by the lawyer.

A contract with a qualified firm;

A certificate of insurance from the professional firm;

A written Incident Report from the firm.

8. Based on the value, sensitivity, and type of information in the Final Inventory, work with the IT professional and lawyer to assess any legal steps the library must take to recover or to give required notifications of data breach.

Depending on what went missing, the library could have concerns under any number of laws. 

The final recommendation should be a memo to the board, regarding any necessary steps (or confirming not are needed).

9.  Based on the complete Incident Report's assessment of what is  missing, how it went missing, and if/how it can be recovered, and any relevant details about the employee, develop a course of action.

For more on this aspect, see the rest of this RAQ.

Recourse.

What happens as part of number "9," is the actual answer to the member's question.  But until a library follows steps "1" through "8," it can't fully know its options under "9."

And what can happen as part of "9"?  The range of consequences for unauthorized computer access and/or data destruction is vast, running from criminal penalties to civil remedies.  And if considered with solutions for how a library can recover from the loss, there are further possibilities.

If I was on the board where a former director removed all the library files from a library owned-computer that relate to the running of the public library, at the end of the day, here's what I'd want get out of "The Files Are Gone" process:

  • Know if the files were simply removed, or if they were removed and accessed/disclosed beyond the library;
  • If they were disclosed beyond the library, what the library must do to address that (including special considerations if personal or confidential information was accessed);
  • If the files were only removed, know if they can easily be replaced, or if they were the library's only copy;
  • If they can't be easily replaced, how much it will cost to replace them, and any negative impacts we'll experience until we do;
  • How we have concluded the files were removed by the former employee, if they were an employee when they did it, and what the due process is for addressing that;
  • If (based on all the information gathered, and more that will be specific to the situation), the board should contact the police, or consider a civil claim against the former employee.

By demanding solid, well-documented and qualified answer to these questions (What happened?  how does it impact the library?  What can we do?) a board member is being a good fiduciary, and positioning the library to identify the best recourse.

Now let's say that, in the grand scheme of things, the "missing files" appear to be pretty minor (and do not involve private information).  Let's say that, for whatever reason, the outgoing employee deleted all the library's "standard operating procedures." Not the policies--those are on the library's website and backed up in numerous places - but all the details about (as the question says) "running the library:"  How to organize the courier manifest.  The templates for the volunteer letters and community meeting notices.  The budget template and calendar for strategic planning.  Their own emails on their library account.  Nothing private, no circulation or credit card information, but a body of work that represent hundreds of compensated hours…lost.

This may seem like the kind of loss that isn’t dire enough to warrant the steps I have outlined above, but it absolutely is.  First, only a professional can say when data is truly "lost" (especially emails).  And even if, at the end of the day, there is a board decision not to pursue any consequences (privately, civilly or criminally), such (in)action must be based on good information--not just the result of a decision not to investigate in the first place.

The budget for such response, if planned carefully, can be very modest (under $1500).[4]  Reaching out to a library's system and regional council to find the professional you need might help the library get those services at a reasonable price (and again, depending on the system-library service agreement, much more).

Why am I adamant about this follow-through, even for a "small" incident?  Because sometimes a "small" incident is only the tip of a much larger iceberg.  Unauthorized data destruction by a former employee could be a serious breach of their duty, the law--and even their oath of office.  But it might not be.  The right response, and the fair response, can only be formulated through careful documentation and analysis.

This is what positions the board to know what recourse it can take, when presented with such a serious situation.

Thank you for trusting "Ask the Lawyer" with this sensitive question.

 



[1] If you are reading this while working on this type of issue, take a deep breath.  You've got this.

[2] There are too many types of IT supply/support arrangements out there for me to be more precise than this.  Some systems are essentially the IT department for their member libraries. Others are not.  This aspect will be governed by the System's member contract…but generally, a good place to start is on the phone!

[3] In keeping with the question, this chart addresses what to do if the person involved is former employee.  If the person is a current employee, the Response Team should include someone qualified to assess an appropriate response that ensures 1) due process for the employee; 2) security for the investigation; and 3) stability for ongoing operations of the library.

[4] Is this a low-ball figure?  Could it be much bigger?  Yes. But if it gets much bigger, that should be because it's actually a big problem that needs to be solved.

Tags: Data, Ethics, Management, Security Breach, Employment, Templates

The WNYLRC's "Ask the Lawyer" service is available to members of the Western New York Library Resources Council. It is not legal representation of individual members.