Templates

Local organizations meeting using library's Zoom account

Submission Date

Question

My Director has asked me to ask you the following question. In normal circumstances the library would host the meetings of local organizations that do not have a building of their own. The library hosts the meetings of organizations like "Concerned Citizens", "Race Unity Circle", the "Bahá'í society", etc. All nonprofits that do not have large budgets and utilize the library for their meetings. Is the library legally allowed to use the library's Zoom subscription to host meetings for these groups as an Outreach Program? In the same way the librarian would be there to book the meeting, set up tables/chairs, and greet the group, the Zoom meeting would be booked, the link distributed to members, and the librarian there to open the meeting up at the specified time. I would be interested if your answer is different depending on whether the library is in an emergency closure situation or not.

Answer

Life is full of surprises.  When I was in third grade, I was surprised to learn that this strange country called “Canada” occupied the upper half of North America.  When I was fifteen, I was surprised to learn that “brooch” rhymes with “roach.”[1]  And upon researching the answer to this question, I was surprised to learn that Zoom doesn’t have an “exclusive use” clause in their service agreement.[2]

Now, let me be clear: the Zoom “Terms of Use” most certainly bar simply enabling a “third” party to use a library’s account.  Here is the clause that does that:

You may not offer or enable any third parties to use the Services purchased by You, display on any website or otherwise publish the Services or any Content obtained from a Service (other than Content created by You) or otherwise generate income from the Services or use the Services for the development, production or marketing of a service or product substantially similar to the Services.

In other words, Zoom doesn’t want you to “offer” your account out to another party (even if that party is a legit not-for-profit). 

But the member has asked if they can serve as the “host” of the meeting, mirroring the way their library opens its doors for certain groups and gatherings.  Both functionally and grammatically—and thus legally—this means the library is the one using the service.  It’s like my law firm using our Zoom to host a board meeting for a client, since I need to be there anyway.  Or, perhaps more closely, an educational institution letting a student group use its Zoom, so the student newspaper can soldier on. 

So the stark, simple answer to the member’s question (“Is the library legally allowed to use the library's Zoom subscription to host meetings for these groups as an Outreach Program?”) is “YES.”

That said, being a detail-oriented, pro-risk-management, and liability-averse kind of attorney, I can’t just leave it there.

Physical meetings at your library all must follow some rules.  Some libraries set these rules by policy, others confirm them with both a written policy and a facility use contract. 

These documents ensure that the particular rules at that library will be followed.[3] The same should apply when the library is hosting a Zoom meeting for your community. 

In addition, since the Zoom “Terms of Use”[4] and related agreements impose certain rules, and hold the licensee (your library) responsible for any violations, the conditions for library-hosted meetings should not only require adherence to your rules, but also to Zoom’s.

Zoom’s “Acceptable Use” Policy expressly bars numerous types of activity, including but not limited to:

  • Promoting violence.
  • Harming children.
  • Displays of nudity, violence, pornography, sexually explicit material, or criminal activity.
  • Human trafficking.
  • Supporting or facilitating terrorism or terrorist organizations.
  • Any activity that is defamatory, harassing, threatening or abusive.[5]
  • Copyright infringement.

I imagine most libraries can endorse these conditions, but some may be (rightly) wary of imposing content restrictions on meetings.  While the limits your library has agreed to with Zoom are part of a contract the library has voluntarily accepted, I can see a (very) few instances where perhaps a First Amendment concern could loom.  So any library considering hosting Zoom meetings for users should think that aspect through thoroughly, and be ready to address it just as you address such concerns for physical meetings.

To help a library navigate these straightforward but choppy legal waters—especially the Zoom Terms’ bar on letting a third party use your account—here is a template “Virtual Meeting” Agreement. 

NOTE: As always, template agreements should be reviewed by your library’s legal counsel to ensure they conform with your library’s charter, bylaws, unique identity, and other policies.

Videoconference Meeting Agreement—TEMPLATE ONLY

Person filling out this form [must be cardholder]

 

Group

 

Meeting date, time, duration

 

Target date to send out the invitation

 

Please note: for the orderly operation of the meeting, pre-registration should be required, OR attendees should be given only limited participation ability.

 

 

Purpose of meeting (must be a purpose consistent with library operations)

 

Estimated number of attendees

 

Record meeting?

 

Live stream meeting?  Please list where the livestream will be accessible

 

Please list your group’s Meeting Facilitator

[see Meeting Facilitator Responsibilities below]

Name:

Title:

E-mail:

Phone number:

Address:

[To be filled in by library]

Library Staff serving as “host” on the videoconference.

Name:

Title:

E-mail:

Phone Number:

Facility Use Policy

[attach]

Additional terms of use

https://zoom.us/reasonableusepolicy

 

 

On the above date and time, the [NAME] library will host a meeting of the above-listed group for the above-listed purpose.

It is understood that every attendee of the meeting will be expected both to abide by all the applicable rules of the library for meetings at our facility, and to observe any and all above-listed additional conditions.

The above-listed “Meeting Facilitator” should be logged in to the meeting at least 10 minutes beforehand so they can discuss the orderly conduct of the meeting with Library Staff.

The Meeting Facilitator must discuss the functional aspects of the meeting with library staff before the start of the meeting; they should be prepared to discuss how attendees will be able to interact and how the relevant functions of the meeting will be used to meet the meeting's stated purpose.

The Meeting Facilitator should also be comfortable with using Zoom's capabilities to assist the Library Staff in hosting the meeting (monitoring the chat, moderating the discussion, muting or removing participants if needed).

When it is time for the meeting to begin, the library staff hosting the meeting will state:

“Welcome to [MEETING NAME].  Hosting an online meeting with your group is a service the library provides to our community groups without charge.  Just as with hosting meetings in our physical space, the library must enforce rules regarding respect, non-discrimination, and accessibility.  If you have concerns in that regard, please let me know by sending me a private message during the meeting.  And now I’ll turn it over to [NAME] to start the meeting.”

It is expressly understood on behalf of the group that:

  • The library is hosting the meeting;
  • An employee of the library will initiate the videocall;
  • An employee of the library will co-facilitate the technical aspects of the meeting;
  • An employee of the library will participate in the meeting as set forth above to ensure the applicable rules and the conditions of this Agreement are fulfilled;
  • Participants who do not abide by the library’s rules will be muted or removed from the meeting, in the library’s sole discretion;
  • The library can cancel or terminate the meeting, in its sole discretion, at any time.

Please alert the library to any ADA considerations for hosting this meeting.  For meetings with more than 50 participants, the Meeting Facilitator should be ready to discuss accessibility objectives with the Library Staff member.

We welcome your ideas for making our co-hosted meetings better.  Constructive feedback may be sent to [e-mail].

 

Signed: ___________________________________

                        [library representative]

 

Acknowledged: __________________________________ on DATE: ______________.

                                    [cardholder]

 

Unless there is a bylaw, policy, or contract barring staff serving as the meeting host, this is most definitely a service that can be offered even when your library cannot be physically open to the public.  However, at all times, it must be clear that this is the library’s meeting.  Account IDs, passwords, and hosting capabilities should not be given away.  Co-hosting should never be converted into changing the host.  The meeting “intro-text” should be read every time; it is there to make sure that the library’s primary role is documented in every single meeting you host.  Just like a meeting room should never be used when the library is not staffed, the virtual meeting room must remain in the control of your institution—otherwise, there could be concerns with the license.

And with that, I wish whoever at your library becomes the “virtual meeting staffer” a stout heart, a quick finger on the mute button, and lots of community-oriented fun.


[1] I have since been informed that either pronunciation is acceptable.  Fortunately, with my spare fashion sense, it is not a word I use often.

[2] As found May 23, 2020 at https://zoom.us/reasonableusepolicy.

[3] The conditions in these documents will change from library to library.  Some libraries have to enforce the rules of a landlord.  Others will decide to charge a nominal fee (DO NOT do that for a Zoom meeting), or restrict use to a charitable use.

[4] As found on May 23, 2020 at https://zoom.us/terms.

[5] By the time I got to this part of the list, I was thinking “Jeez, it’s an ugly world out there, and Zoom has a front-row seat to it.”

 

Top 10 Actions a NY Library Board Can Take to Foster a Library's Mission and Ensure its Viability During the COVID-19 Pandemic Crisis

Submission Date

Question

See Cole's thoughts below on the top 10 actions a NY library board can take to foster a library's mission and ensure its viability during the COVID-19 pandemic crisis.

Answer

A note from the author:

When I was the in-house attorney at Niagara University (2006-2017), I had the privilege to be trained in the National Incident Management System’s Incident Command System (ICS), the nation’s system for organizing crisis response.  At NU, I also co-authored the Pandemic Response Plan, and along with the IT Department, developed a system for not-for-profit “enterprise risk management” (addressing mission-threatening risks). 

Through that work, I gained familiarity with the mechanics of pandemic response and recovery, and managing related issues. 

Now, in collaboration with WNYLRC and other regional library councils, my law firm provides the “Ask the Lawyer” service to libraries.  On a regular basis, I answer questions from libraries about board operations, property issues, and employee issues.  Through that work, which I consider a great privilege, I have gained familiarity with New York’s libraries (although there is always more to learn), and the strong, diverse people who run them.

In addition, on a regular basis, I call upon the excellent resources from New York’s robust community of legal, regulatory, and career professionals, including the invaluable “Handbook for Library Trustees in New York State.”

This “Top Ten” guidance is the distillation of all that experience, combined with what I know about the COVID-19 situation as of April 7, 2020.  I hope it is helpful.  If you identify ways to make it better, or clearer, or easier to implement, please write me at adams@losapllc.com.

During a pandemic, all we can do is our best…on limited time.

I wish you strength as you lead your library through this crisis.

--Cole

 

So, what are the “Top Ten Actions” a library board can take to foster a library’s mission and ensure its viability during the Covid-19 pandemic crisis?  Here you go:

#1.  Commit for each member to perform board work no less than weekly

Why?  As you will see in the remaining 9 items, even if your library is closed or operating at less than full capacity, there is a lot you can do.

 

#2.  Set a “Crisis Response Goal” defining how your library will handle the current emergency and eventual recovery period.

We all know the COVID-19 pandemic, and our communities’ recovery from it, will not be over in April… or May…or June.   It will affect us long beyond 2020.  The impact will be deep and far-ranging. 

Knowing this, we also know that a community library, open to all, will be a critical resource for every member of your community in the times ahead.  With that in mind, defining how to preserve, promote, and connect that resource to its area of service is critical--even at this time of reduced operations.

How do you do that?  It starts with a simple statement by your board's leadership, known as a “Crisis Response Goal.”

How does a board develop a Crisis Response Goal?  By envisioning and articulating what it wants to do and be throughout and after the crisis.

What does that look like?  A good Goal articulates and reinforces your library's unique role in the community, and sets forth broad ways it will fill that role during this unprecedented time (the Goal is not where you worry about minutiae).

An example Goal is:

“During and after the COVID-19 pandemic, The Library will serve the community, fulfill its mission, and meet the goals of its plan of service by meeting the public's need for reliable information, providing access to critical resources, and serving as a hub of community organization.”

The key is to focus on what you will do (not how you will do it).

The template to create your library’s Crisis Response Goal is:

“During and after the COVID-19 pandemic, The [NAME] Library will serve the community, fulfill its mission, and meet the goals of its plan of service by __________________________, ______________________________, and ______________________________________.”

And that is your Goal…your library’s statement to the world about what it will be and do through this crisis. 

The remaining items on this list are how your Board will rally your resources to make the Goal a reality.

 

#3.  Use a “Crisis Response Team” approach

At this time, an effective board is concerned about numerous things: The safety of the library and the community it serves, the fiscal impact of the current crisis, the reduced or eliminated operations of the library, its relationship with its community, making appropriate decisions about employees, the stewardship of the library's physical assets, and how to meet its plan of service.

No board can meet as a single body and address all of these things effectively, even if they meet once a week. There would be too many voices at the table (or too many people being seen and not heard).  There would be no room for assessing facts and novel thinking.

How does a board handle this multi-faceted crisis situation? Create teams.  

What will those teams do?  Well, at least one person who can navigate the OSHA website should have primary and consistent responsibility for safety. At the same time, people with the fiscal skills and experience must gather to assess the immediate and long-term impact of the situation on the library's finances. Meanwhile, another group with business and HR skills and experience should focus on mission and plan of service (“operations”). And finally, a person or small group with communications skills should have primary responsibility for thinking about public relations and outreach to the library's primary stakeholders.

Finally, one or two people should play the role of team leader.  The Team Leader’s primary role will be connecting the work of each group, and the professional staff, to enable critical decision-making and developing a response plan.

The Team Leader will also ensure that the library director is supported as they continue their duties in a time of duress, and that the director is positioned to contribute to the work of the teams as needed, getting them vital information and collaborating on the formation of the library’s strategic response.

The rest of this guide is about creating teams to use this approach.

 

#4.  Assess your board’s capacity, and reinforce it where needed

When considering a crisis response team approach, which organizes a board into small sections working towards the same Goal, it is important to be honest about your capacity.  As a group, you need to take stock of your board.

Many of the skills and attributes that make someone a valuable board member in non-pandemic times (fund-raising, deep knowledge of books and culture, ability to rally volunteers) might not be the only things needed during the initial phases of a pandemic response. 

Further, many boards, faced with this crisis, may be feeling overwhelmed. Unless a person has guided a not-for-profit organization through a crisis such as a fire, major PR event, or disaster such as 9/11, the experience of the average board member might be tested by the current situation.

That is OK. We are all feeling tested.

The good news is, if your board does not have the capacity to assemble teams with the experience listed in #3, your board is allowed to add non-board members to non-voting committees, or to invite them to meetings as guest advisors.  Now is the time to bring on a few “ringers.”

How can that be done?

If you don't have anyone on your board who feels up to the task of considering safety first at all times, invite someone on who has experience with OSHA regulations or standards from the New York Department of Labor.

If your fiscal team doesn't have access to a seasoned accountant or CPA who can assess the current budget, run fiscal projections, and help you develop models for your library's financial options, see if you can find one who will donate some time to your library.

If your board does not have someone experienced in business, employee relations or human resources, and you need to take action regarding contracts and employees, bring a new person on.

And if your board doesn't have someone with public outreach skills, perhaps you can find someone with appropriate experience from within your own community networks—or reach out to someone new.

As you assess your board’s capacity and look to shore up any needs during this time of pandemic response, remember this: this is a special time.  Some people may be working more than ever, and not able to help out more, or at all…while others are finding themselves under-occupied.  Small business owners on your board may not be able to help at all.  Others may be on unemployment and able to step into the gap.  ALL OF THAT IS OKAY.

If you identify a gap in your board's experience, it may be that you can fill it just by asking. The important thing is to be honest about what your board can do, and not fudge it.

 

#5. Form your board’s Safety Team

The COVID-19 pandemic is causing incalculable impact on business operations and the functions of day-to-day society. However, it remains first and foremost a public health crisis. That is why, if you choose to use a crisis response team approach, the first team your board should appoint is the team responsible for safety.

What is the “Safety Team’s” role?

When the full board is considering a team's recommendation, the safety team’s role is to ensure the board fully considers the safety implications of any one course of action.

For instance, if there is a decision to have one library employee check the mail every day, the safety team is asking: Is this safe? Is there a way it could be made safer?

If your Safety Team has the time, they should also be available to your other teams during the later phases of crafting a recommendation, so work is not wasted.  In addition, your library director should at least be a consulting member of this team, since they are in charge of the staff, and will be responsible for putting emergency procedures into effect.

Your Safety Team will spend time on public health resources such as the CDC website and the OSHA website, and will monitor your county health department's recommendations and advisories. In any action related to your library's response, they are only thinking about safety and the health of the community.  This includes the health and safety of employees, volunteers, and the board.

While other members of your board, on other teams, may be worried about fiscal viability, public relations, or operations, your Safety Team is always putting safety first. This includes planning for the safety and well-being of your community when your library is contributing to your community's recovery.

The Safety Team takes on this primary responsibility so the other teams can focus on their roles, while the full board knows it is set up to always put safety front and center.

 

#6. Form your board’s Fiscal Team

The current crisis is going to hit public libraries in a variety of ways, and for many, the fiscal hit will be especially hard.

While some communities will immediately rally around their library as a critical central resource, others may use the crisis as an opportunity to seek budget cuts and de-funding. Libraries that have relied on fines and hold fees as revenue sources will find those sources diminished. And always, there is the question of how to compensate and retain staff at this unprecedented time.

This is why appointing a Fiscal Team with the skills to assess the current situation, run projections, reach out to fiscal sponsors, and develop plans for the financial stability of your library is key. 

While this group can be small, consisting of perhaps two or three people, it must be mighty. As mentioned in #4, at least one member—who might perhaps be an invited advisor or non-board committee member—should have seen a not-for-profit institution through a fiscal crisis in the past.  You will need this person’s wisdom and perspective.

The immediate tasks of this group will be assessing the impact of the situation and developing a short-term plan for financial viability. That short-term plan shouldn't go much further than the end of April or mid-May. After that, the plans will need to consider various contingencies. For this reason, the group should include, or regularly invite, the library director.

Another immediate task is assessing the stimulus money your library may be able to rely on. For some libraries, this will include the Payroll Protection Plan, and other aid. For others, it may be collaborating with government funders to ensure some portion of government aid will be allotted through your government to your library.  Identifying these options is something that group should focus on throughout mid-April.

It is this last area—identifying options and contingency plans--where the team approach becomes truly valuable. While your Fiscal Team will be assessing your library's needs and the possible ways to meet those needs, the Team Leader and/or Outreach team will be forging connections with funders to coordinate the assistance identified as needed.  Between the Team Leader and the Fiscal Team, it is important to determine who will meet with municipal fiscal authorities on a regular basis (something I encourage, if your library is dependent on a tax levy from a sponsoring municipality).

It is the job of the Fiscal Team to provide solid, reliable, and situationally-adjusted financial information and options for the other teams (especially Operations) to work with. 

 

#7. Form your board’s Operations Team

A bit of background on this one…

The state of New York has always encouraged local autonomy for libraries. This is a wonderful thing that means wherever you go in New York, there are unique and special libraries waiting to be discovered.

This also means that every library in our state is facing a slightly different situation when it comes to pandemic response. Rural libraries are facing different challenges than urban libraries. Suburban libraries in one county will face different challenges than suburban libraries in the next county over. And this isn’t just about location—it’s about service.  While one library might be a beloved source of donated food, another may be the community's lifeline to certain key services.   Another library may be a vital source of senior programming, while in another community, it’s the toddlers that will be missing out.

Considering this diversity, there is no one-size-fits-all package for developing a team that considers a library’s operations…you are all just too darn unique. 

So with that background, what is the role of an Operations Team during the crisis response? It considers the critical operations of the library, and develops plans to adopt or carry on those operations during a time of crisis response and—critically--recovery.

This starts with an inventory of operations. 

For instance, it is the responsibility of the Operations Team to consider the impact of the situation on staff and develop solutions for them at this time.  And while this work must be informed by both the Safety Team and the Fiscal Team, the Operations Team is the one that should have the human resources or labor law experience to consider how to continue or adjust the employment terms of the staff during this time period.

Another task will be to review the routine activities of the library, and determine which ones will be suspended and which ones will be adapted and carried forward into the present situation, and how that will be rolled out.

It is important to emphasize that the Operations Team will not make these decisions, but rather, informed by the Goal, and with the input of the director (just as with any operations planning process), will bring forward well-developed recommendations for the consideration of the full board.

Many of the items the Operations Team will consider will have implications for safety. The Operations Team should do their best to build consideration of safe practices into their recommendations, and only then have things reviewed with a fresh eye by the Safety Team.

Because its span will be large, Operations might be the largest team and, for reasons of efficiency, may wish to divide into sub-teams. It will also require the most input from the director, who may bring in further input from the staff. One way to divide would be for some members to take the lead on operations during the emergency, while the rest develop ideas about how the library can help during recovery.

 

#8.  Designate your board’s Crisis Response “Team Leader”

The purpose of breaking the responsibilities for a crisis response into teams is to allow work to happen with deep focus and great frequency. It is also to ensure that quick, decisive and well-informed action is not bogged down in the inefficiencies of a large group.

That said, a library's board must continue to function as a board, and per the bylaws that govern it.

Pulling all of these considerations together—effective use of teams, adherence to bylaws and policies—is the job of the Team Leader.

A natural fit for the Team Leader might be your library's board chair.  However, if your board chair is a CPA and is best suited to leading the Fiscal Team, or will be spending the bulk of their time coordinating necessary aid with representatives from municipal government, it is appropriate to consider designating another board member as Team Leader.

What does the Team Leader do? The Team Leader pays attention to what is happening with each and every team, and connects and pulls their work together as needed. They also identify when matters are ready to be presented before the full board for discussion and a resolution, and ensure the work of the teams is done in healthy cross-collaboration with the work of the director.

This role does not have to be played by the board chair.  This role should be played by someone who has the capacity to connect regularly and meaningfully with each team, who understands the proper dynamic between a board and paid staff, and who has the skills to identify when a matter is ripe for full board consideration.  They should know the bylaws and library policies, and make sure the use of the team structure does not depart from them.

A good Team Leader, at this time, also needs to be accessible through phone, e-mail, and video conferencing.  If a person can’t reach out in multiple ways, they might not be the best person to lead the teams.  As with everything else, THIS IS OKAY.  Regardless of the role a person plays, it is all part of your fiduciary duty to support the best interests of the library.

(P.S. on that last part: there is nothing wrong with a Team Leader designating an out-of-school child or grandchild as the “Library Crisis Response Team Leader Tech Support,” something that would look good on a future college or job application!  Just make sure they can take the role of setting up calls and meetings seriously.  My 15-year-old has been pressganged into helping with many a meeting.)

 

#9. Designate your board’s Public Relations Team

The impact of this crisis on your library will also have a huge impact on your community. The energy of those who support and are supported by your library (the “stakeholders”) needs to be channeled to mitigate that impact as much as possible.

How do you harness that energy?  Just like your Operations Team, the role of your PR Team is going to change depending on the unique situation of your library. However, the overall goal of any PR Team is to ensure that the “Goal” of the library, and the things it is doing to achieve that Goal, are articulated to the stakeholders in an accessible, regular and reliable way. 

For example, if your Goal is:

“During and after the COVID-19 pandemic, The Library will serve the community, fulfill its mission, and meet the goals of its plan of service by meeting the public's need for reliable information, providing access to critical resources, and serving as a hub of community organization.”

It is the job of the PR Team to get that message out to stakeholders in a way that will be heard. This doesn't mean just repeating the goal everywhere verbatim (a good Goal never sounds very sexy).   Rather, it means getting the message out in a way that will be actively observed.

For example, a plain-language way to promote the Goal above would be putting a poster on the front of the library that says “Our doors are closed but our librarians are here for you!  Find us at @@@ or call ######!” Things like this are the job of the PR Team (unless your library is so vast you have in-house PR, in which case, I doubt your library needs this “Top Ten” list in the first place).

It is also the job of the PR Team to harvest all the information about how the library is reaching out to the public at this time.  That way, when the time comes for budget review and fund-raising, your library will have a solid archive of examples about how it is invaluable. For this reason, consider having a staff member as an advisory member of this team—or even have a staffer perform this function as part of their adjusted job duties.

Because it must be nimble in its messaging, the PR Team is the one team that should be empowered to take action without a board vote. The “Crisis Response Team Formation Resolution” presented below takes that into consideration.

 

#10. Be Just Good Enough—and form a Crisis Response Team

Here are some hard truths:

  • There is no perfect way to handle a pandemic response.
  • No board will be totally up to this challenge. 
  • There are things you will fail at.

But by using a Crisis Response Team-informed model, you will set your board up to succeed more than you fail.

If you choose to use this approach, my advice is to not just recycle the formations of your standing committees of the board. Consider the value of shaking things up, inviting “advisory” members, involving the director as needed, and organizing your teams to spur new and novel thinking.  Consider carefully who is reaching out to your library system, your council, and your elected leaders.

For a small board, there will by necessity be some overlap in teams. That is fine. Just be careful to not overload any one person. This situation will be a marathon, not a sprint.

In the event you determine a crisis response model will be helpful to your library in the coming months and even year ahead, here is a resolution to enact it:

Crisis Response Team Formation Resolution

WHEREAS the current state of emergency due to the COVID-19 pandemic is still in effect as of [DATE OF MEETING]; and

WHEREAS the [NAME] library has already had to consider the impact of the state of emergency on the library; and

WHEREAS the board anticipates the state of emergency and following recovery period will impact library operations for the remainder of 2020; and

WHEREAS the board has determined that the emergency and recovery period will require an enhanced model of leadership to ensure the library emerges from the emergency and recovery period in a manner that best prepares it to serve the needs of the community and fulfill its mission and plan of service;

BE IT RESOLVED, that during and after the COVID-19 pandemic, the Goal of the [NAME] Library will be to serve the community, fulfill its mission, and meet the goals of its plan of service by __________________________, ______________________________, and ______________________________________; and

BE IT FURTHER RESOLVED, that the board shall use a “crisis response team” model until it votes that the period of recovery is concluded and such structure is no longer needed; and

BE IT FURTHER RESOLVED that the board’s Crisis Response Team Leader, responsible for coordinating the work of the different teams and identifying when solutions are ready for board consideration and resolution, shall be NAME, and the designated back-up Team Leader shall be NAME; and

BE IT FURTHER RESOLVED that a Safety Team consisting of NAME and NAME shall be responsible for maintaining awareness and raising the issue of safety in all actions related to the board's response to the pandemic emergency and recovery, including the safety and well-being of the community we serve and those the library employs, and shall comment on each recommendation brought to the full board for implementation per the bylaws, prior to any vote; and

BE IT FURTHER RESOLVED that a Fiscal Team consisting of NAME, NAME and NAME, responsible for assessing the financial impact of and financial options available to the library during this time of pandemic emergency and recovery, shall bring recommendations to the full board for implementation per the bylaws; and

BE IT FURTHER RESOLVED that an Operations Team consisting of NAME, NAME and NAME, responsible for assessing the impact on operations and options available to the library, including but not limited to operations related to mission, plan of service, employees, and the role of the library in the community's response to the pandemic, shall bring recommendations to the full board for implementation per the bylaws; and

BE IT FURTHER RESOLVED that a Public Relations Team consisting of NAME and NAME, responsible for creating and effecting accessible, regular, and reliable communications of how the library is meeting the Goal, is empowered to send out messages as needed, in the medium deemed appropriate by that Team; and

BE IT FURTHER RESOLVED that the [board or other] may add participants to these groups as authorized by the bylaws; and

BE IT FURTHER RESOLVED that no team created by this Resolution may take any action or vote that binds the board, and that all such teams are purely advisory; and

BE IT FURTHER RESOLVED that in no event is any action of this Crisis Response Team Plan to interfere with the ability of the public to have access to meetings and actions of the board; and

BE IT FURTHER RESOLVED that each team shall meet no less than weekly; that the Team Leader shall ensure the full board is advised to meet as needed to implement team recommendations when they are ready; and that all notifications and conduct of such board meetings shall be consistent with the bylaws and the requirements of any current or modified operations of the Open Meetings Law.

 

That’s it.  It’s a lot, I know. But your library has probably weathered other storms: depressions, wars, local crises.  Now is your time to add to that history.  In that task, I wish you strength, health, and persistence.

Online Library Programming (Any Type of Program)

Submission Date

Question

Our library is arranging more online programming in response to COVID-19 closures and reductions.  What should we be thinking about in making these arrangements?

Answer

Can a library sponsor an online class open to the public?  YES.

There are just a few details to attend to:

1.  The financial details

Libraries do not charge for programming, but can pay others to offer library programming for free, so as the member says, this online program should be open “to anyone.”[1]

The instructor can still be paid, but the payment should come from the library, while the on-line attendees tune into this library program for free. 

The trick in this is to avoid “fiscal hybridization,” (with the library hosting and promoting the event, and the instructor getting some payment from some attendees).

 

2.  The online content details

Once your library has confirmed the financial details,[2] there should be complete understanding about the following questions:

Can the library promote the class using the instructor’s name and likeness?

Will the session be recorded?

Who owns the recording?

Will the library be able to use the recording for as long as it wants?

What platforms will the session and recording be hosted on?

Will the recording be put in the collection of the library?

What social media will the session be promoted on?

Will the session use music (that could stop it from being posted some places, like YouTube)?

That’s it, nothing fancy, just some things to have clarity about.

 

3.  The participant details

Once you have the details of the way the class will go “out there,” confirm:

Who is our target audience?

Do they have any particular vulnerabilities?

Do we need to consider ADA access such as captioning?

How will we collect feedback on the programs?

 

4.  The contract details

With all those minutiae settled, here is a template agreement to organize the details.

Of course, as with all template contracts, if you can,[3] have this template customized for your library by your local lawyer or insurance carrier.

ONLINE INSTRUCTION AGREEMENT

 

The [LIBRARY] (“Library”) and [NAME] (“Instructor”), with an address of [ADDRESS], to provide critical health programming at a time of state-wide pandemic emergency, agree as follows:

Instructor will offer classes in ____________ (“__________ Classes”) from [PHYSICAL LOCATION] to Library’s patrons and others via:

[INSERT HOSTING METHOD AND STREAMING SITE(S)]

Classes will be live streamed at [INSERT TIMES, DATES].

The ___________ Classes will have a target audience of those who can benefit from online social gatherings to participate in ___________________.

[in case of activity involving a professional license] Instructor’s professional license was granted by [LICENSING AUTHORITY] and is current; if the license expires or is revoked during the term of this agreement, Instructor will notify Library immediately.

[in case of instruction involving physical activity] To promote safe participation, at the start and end of every class, the screen will read, or the Instructor will say:

[INSERT Instructor’s preferred safety and wellness message; here is a sample that is customized for the times:

[ACTIVITY] is intended as a gentle but serious exercise.  Please consult your physician prior to any physical activity that could impact your health, and only participate within your known abilities.  Please stay safe during this time of social distancing and enjoy our class.]

___________ Classes will be promoted as a free program of the library and Instructor shall not charge individual attendees for these sessions.

Library will pay Instructor _____ per session. 

[OR]

Instructor has agreed to provide this programming on a volunteer basis.

Instructor agrees that no music or other copyrighted work other than content owned or properly licensed to Instructor and Library shall be used during recorded or live-streamed __________ Classes.

Instructor agrees that Library may use their name, likeness, and image when promoting ____________ Classes. Library agrees that Instructor may use its name, likeness, and image when promoting _____________ Classes.

All sessions of __________ will be recorded by [INSERT] and the recording will be jointly owned by Instructor and Library.  This means both parties shall have the right to make copies, distribute in any way, or otherwise use the copyrights to the recordings.

Instructor hereby agrees to hold harmless and indemnify Library for any claim, cause of action, or injury arising from the creation, promotion, and participation in ________ Classes.

Instructor is an independent contractor and no partnership, joint venture, or relationship other than what is in this Agreement is created or implied by this Agreement.

The Parties both understand that this is an agreement during a time of emergency and this contract may be terminated without notice.  Any changes to this contract shall be confirmed via e-mail reflecting clear mutual agreement by the parties.

This agreement is governed by the laws of the State of New York.

 

Signed for Library on _________:_______________________

                                                                        [NAME]

 

Signed for Instructor on _________:_______________________

                                                                        [NAME]

                                                                                               

5.  The assessment details

As with any library program, a live-streamed event is one for the staff to watch, monitor, and assess on a continual basis.  This will allow you to assess if the promotion, the session, and the recordings comply with the Agreement, and to make enhancements based on participant feedback.  It is also another way to limit the risks inherent in the activity. 

Just as critical, though, will be feedback that the class felt accessible, gave good instruction, and had a positive impact.

I wish you many valuable and rewarding online programs.


[1] I also would not have a concern with it being restricted to card-holders within a system, or card-holders registering in advance to participate for free.

[2] The instructor could also do this as a volunteer, but if they do good work, it is nice for them to get paid.

[3] If you can, this template should be reviewed by the lawyer who knows your library best.  But given the current crises and the need to reach people quickly, and the strain on budgets, I appreciate that you might laugh at this footnote.

 

Printing

Submission Date

Question

The director of the college print shop has come to me for copyright assistance. Our faculty often ask for photocopies of materials for distribution to students in class. She asks the faculty member if they have the appropriate permissions for making copies but is not always convinced by their answers. Is there any form she can ask faculty to sign attesting to their right to reproduce the materials that will protect the college in the case of copyright infringement? Thank you!

Answer

This question seems simple, but it actually involves some high-end concepts of business law and liability.[1]

Most libraries, museums, theaters, and other units within large institutions are actually part of the same entity.  In other words, although they may have a distinct identity within their institution (“The Michael Library,” “The Peter Museum,” or “the Catherine Gym”), there is only one actual legal entity (“Romanov College”).

Many people find these niceties hard to grasp, but here is why it is important: in this scenario, the single entity (the college) includes the on-campus copy shop.  This means that what the shop does, the entity does…including alleged infringement.[2]

This same unity generally applies to employees, too.  In a body of law called “Master and Servant,”[3] if an employee is performing a task related to their job, and not deliberately violating employer policy or the law,  for purposes of the legal system, the employee’s actions will generally[4] be imputed to the institution. 

This is why institutions are best served in this area by educating their employees about copyright, and documenting the employees’ good-faith efforts[5] to abide by the law (it is also why many HR manuals have warnings about the consequences of not following policy: it limits the institution’s ability to protect you).

This puts a lot of pressure on the employees staffing the in-house copy shop. What are their responsibilities?  Do they need to educate their co-workers on copyright risk?  Are they expected to protect the entire college?  Each institution has different policies and job descriptions that answer those questions differently.

That said, is there a simple approach that can help with this?  Yes.  For the in-house copy shop (NOT for an on-campus contractor), below is a framework to address copyright priorities with diplomacy, tact, and helpfulness.  It is designed to be used with an institution’s “Fair Use Assessment” form, and to route people to the person responsible for permissions at your institution.[6]

NOTE:  All that said, any copyright-related form not custom-designed for your organization should be reviewed for cohesion and consistency with other institutional policies, including those in the employee manual.  Never use any copyright-related form without considering your institution’s unique needs and approach to copyright and liability!  If your institution has an in-house lawyer, compliance officer, risk manager, or insurance carrier, make sure they are part of finalizing any such form or solution. 

[INSTITUTION NAME] COPY SHOP COPYRIGHT HELPER

Hello!  Thank you for coming to the [INSTITUTION NAME] copy shop to arrange duplication of your class materials.

As an instructor who generates your own copyright-protected material, you know the value of copyrights to others, and you know there are penalties for improper, unauthorized duplication.

Please follow the process below.  When you check “yes” to 1 or 3, we are happy to assist you with your copies!

1. Do you have written permission from the copyright holder or their agent to make copies?

  • Yes
  • No

If “yes,” attach the permission, and let’s get copying!

If “no,” please move to question 2.

2.  Do you have verbal permission from the copyright holder or their agent to make copies?

  • Yes
  • No

If “yes,” please confirm the permission in writing, return to us and check “yes,” above, and we’ll get right on this for you!

If “no,” please move to question 3.

3.  Do you regard this copy as a fair use?

  • Yes
  • No

If “yes,” please fill out the attached [INSTITUTION NAME] fair use assessment form, and we’ll get your copies made!

If “no,” or “I don’t know,” please move to question #4.

4.  Do you find this process frustrating and need help arranging permission to use this material, or more input on fair use?

  • Yes
  • No

If “yes,” please see XXXX at OFFICE LOCATION, who assists with permissions at INSTITUTION NAME.  You can also call them at NUMBER or reach them at EMAIL.  We hope to see you again soon!

DATE:___________________________

SIGNATURE:___________________________

PRINT NAME:______________________________

MATERIALS (Title, number of pages):_______________________________

 


[1] Fun!

[2] This is one of the reasons many institutions opt to host a separate company for on-campus duplication services.

[3] I know!  The law needs to move on.  Perhaps “Captain” and “team member” can replace this.

[4] That said, never assume that is the case!  Every allegation of liability must be carefully reviewed by a lawyer, as there are many exceptions and precise formulas that control such things.

[5] Demonstrable, good-faith effort to abide by the law can actually limit damages when copyright infringement is attributable to a not-for-profit education institution.

[6] If you don’t have either or one of these, share this RAQ with the decision-maker at your institution who could make that happen.  Both the form, and a person who can facilitate permissions, are worthwhile risk management investments.

 

Librarians & Infringement Claims

Submission Date

Question

We are finding that librarians within larger institutions (like colleges and museums) are the go-to resource for copyright questions, which could also include institutional copyright concerns.  What should a librarian do if the "question" they are presented with is really an allegation of copyright infringement?

Answer

“Ask The Lawyer” has touched on this topic a bit before.  In our 9/19/17 RAQ post “Skating the Line Between Helpful Information and Legal Advice,” we discussed the risks posed when patrons and co-workers confuse the helpful attitude and boundless information provided by librarians with legal services. 

The bottom line from that guidance was:

When [asked for legal advice], librarians must emphasize the boundary between good service and legal advice.  Here is a formula for that:

I [the librarian] provide access to library materials based on the law and policy of my profession and institution; you [the user] should consult your own attorney regarding any legal concerns about your use of the materials being provided.

The current question takes this issue one step further: what if, when asked to play this front-lines role, the librarian is alerted to a potential claim of infringement against their institution?

Here are a few examples of how this can emerge:

Coach to librarian:  “I thought I would check with you…this guy called us and said we used his photo of the volleyball team on fliers without his permission.  But we’re not-for-profit, so copyright doesn’t apply, right?”

Curator to librarian: “We used a photo of the artist to promote the current installation on Facebook and some photographer is claiming we need a license?  But the artist said it was okay!”

HR Director to librarian: “You are our go-to on copyright.  This person says they generated it on their own time, but we own everything our employees create on our computers, right?”

Sound familiar?[1]

Before anything else, it is important to say: many institutions have an established protocol for handling ANY threat of litigation, be it copyright infringement, slip-and-fall, or breach of contract.  So first and foremost, librarians at larger institutions should know their institution’s policy or procedure for when a lawsuit is threatened.[2]  The risk manager, business manager, in-house legal counsel, or the employee who coordinates insurance coverage is often the point person for this. 

When your institution has such a protocol, the reply to questions that reveal a threatened claim of infringement should be “That sounds like it could be a claim of copyright infringement.  You should refer that to XXX, who handles claims.”  And whether or not the inquirer follows through, to protect both the librarian and the institution, the librarian should then e-mail XXX to say “Today I referred Coach/Curator/HR Director to you, as they were contacted by someone who might have a legal claim.”  This makes sure the legal hot potato doesn’t stop at the library, even if the other employee doesn’t follow through.

Of course, not every place will have an XXX, and not every person will seek advice the moment the threat of a claim arises.  Here are some alternate versions of our three scenarios:

Coach to librarian:  “This guy called us about three months ago and said we used his photo of the volleyball team on fliers without his permission.  We also put it on t-shirts.  Can you look at this “cease and desist” letter?”

Curator to librarian: “Remember that awesome installation?  Well, I’m forwarding you some emails between me, the artist, and his photographer.  They say we owe like $2,000.00 in licensing fees, but it’s fair use, right?”

HR Director to librarian: “I need to send this letter about work-for-hire, can you review?”[3]

In these scenarios, institutional debate or engagement with the claimant is well under way.  Even though things might be further along, and tempers hotter, the priority is still to end the engagement and get the matter in the right hands as soon as possible.  So, even if your institution doesn’t have an XXX, and the situation arrives at your door a little more “hot,” the best thing to say to your co-worker is: “This sounds like a legal matter.  We need to connect you with our attorney.”

If your co-worker has been so kind as to refer the (often angry) claimant to you without warning, and you are now on the phone with them, it is generally wise to:

1.  Listen, and make notes of what the claimant is saying.

2.  DO NOT ARGUE, DEBATE, or SUPPLY INFORMATION.

3.  Use your customer service skills to simply say “This sounds very important.  I have made a note, and will make sure someone gets back to you by [date].”

4.  When arranging appropriate follow-up, minimize internal e-mail discussion, which could become discoverable evidence.  Remember, the back-and-forth the employees engage in, unless it involves an attorney providing legal advice, is not subject to attorney-client privilege.

5.  Get that legal hot potato to your attorney or insurance carrier and get out!

I realize that budgets are tight in the not-for-profit world, and not everyone has an attorney in-house or on call.  This is where your insurance carrier could be a key player.  Most bigger institutions have some form of coverage that addresses copyright.  Your carrier does not want you to spend time arguing with a claimant, generating potentially damaging evidence!  So in the absence of a lawyer, your insurance liaison and carrier (who will use a lawyer) might give your institution a place to send the “hot potato.”

The bottom line: every institution has a slightly different way it approaches litigation risk[4], but every institution should have an established way.  Making sure library staff are aware of and comfortable with their institution’s protocols, and are supported in those protocols by trustees, officers and key personnel[5], are the keys to this issue.  The statutory damages and mandatory attorneys’ fees often involved in copyright litigation make this a high risk management priority.

Librarians should be on the front lines of information access and fair use, but not the first line of defense for copyright litigation.  Hopefully your institution appreciates this critical distinction, and supports it.

Or there’s always law school….


[1] I am sorry if any of these fictional scenarios have triggered stressful memories.

[2] If there isn’t one, I pose an alternative in a few paragraphs, but in most instances, there is.

[3] See the helpful script in paragraph two to remind people you are not a lawyer.

[4] Some alert carriers right away, others are wary of having a high claim number.  Some carriers want to know the moment there is even a HINT of a claim.  This is something the person responsible for insurance will know.

[5] I am writing this guidance to be shared with such stakeholders, if it can be helpful.

 

Poetry on display

Submission Date

Question

I am working with an artist on a future display at our library. He is a regionally known professional artist. He is working on an engraving that makes use of a short poem by a deceased, well-known poet. He has learned that the poem is still under copyright and that the poet’s estate is active, but believes that unless it gets renewed, the poem should be in the public domain by the end of the year. If the exhibition is to be before that time, should he apply for permission to use it? If so, is that likely to be expensive?

Answer

This is a great question, since it shows how libraries not only provide access to information, but serve as patrons for the arts.  This nurtures local culture, spurs community creativity, and brings special attention to a library.

As the member points out, though, this role also comes with its own set of legal issues, including copyright concerns.

“Ask the Lawyer” was created to provide practical guidance and tips to libraries, museums and archives on the front lines of culture.  So, while there are many excellent treatises out there on copyright, fair use, contributory infringement, estate law, and contract law—all of which are showcased in this question—rather than wax philosophical, this answer will try, above all, to be useful to a librarian as they work with their community to nurture new art. 

With that in mind, here is a checklist flowchart of “red flag” issues, and potential solutions, to help you find the smoothest legal road for bringing custom art to your library.

Bringing Custom Art to Your Library

Contract Development Flow Chart

Step 1: Establish the vision and shared goals for the project

Work with the artist[1] to develop a careful description of the project.

  • What media is it in? 
  • What is the title?
  • Is the artist ready to provide contract assurances about copyright, image rights, or trademark?

NOTE:  In other words, is the artist considering any permission they might need, or fair use they need to make?  In this exercise, they should rely on their own lawyer (sometimes provided pro bono by an arts organization), and never on input from the library.

  • What is the location of the display?
  • Will the library promote the work through a special event?
  • Will there be special conditions to prevent wear and tear?
  • Are any library employees assisting with the production and/or installation?
  • Is this project wholly or partially funded by a grant?  If so, does the grant have any special requirements?
  • Confirm the artist’s name, address, and if relevant, get their 1099 form.
  • Every project is unique; what special considerations does this one have?

NOTE:  All discussions should make it clear that until a formal written agreement is reached, discussions are just speculative, and not a contract for services.

Step 2: Establish how it is being paid for

  • Make sure all the financial details are clear.
  • Who is paying for supplies?
  • Is the artist being compensated?
    • If so, how much?
    •  When are the payments to be?  Are they tied to project progress or completion?

NOTE:  if the artist is being paid (and they should be), or is selling anything based on the end result, and the materials are not becoming part of the library (like a mural or a custom Narnia-inspired wardrobe that is actually a built-in bookcase), the library should not purchase the materials…but the artist can factor the cost into the final price.[2]

Step 3: Establish ownership

This step controls a lot of the later considerations.

  • Is the library to be a co-author or co-owner of the work?

NOTE:  If the answer is “yes,” a plan for jointly managing the asset should be developed.  Generally, to avoid this complication, you want the answer to be “no.”

  • Who will own the physical object?
  • Who will own the copyright(s)?
  • If the library won’t own the copyrights, what permission does it have to duplicate or use the work?  (examples include: put a copy on the website, make fund-raising t-shirts, display it in a window, digitization and inclusion in online archive, or any use the library wants).
  • Will the author be using an alternative form of copyright licensing (like Creative Commons) to ensure community access to the work?

Step 4: Establish clear boundaries

This can help avoid confusion and stress later.

  • Whose workspace is being used to create the work?
  • What support is the library providing during creation?

NOTE:  “Nothing except moral support” is a great answer.

  • Who is transporting the work to the library?
  • If it requires installation or hanging, who is doing that?
  • What are the mutually-agreed methods of promoting the work, and what methods (if any) are forbidden?  For example, some libraries might encourage promotion via Facebook, while others might regard that as less than desirable.

Step 5: Confirm critical responsibilities

  • When is the work to be completed by?
  • When is payment due?
  • Who is responsible for securing any necessary copyright permission or image rights?

NOTE:  Unless you are co-authors on an exciting joint venture with a very well-developed contract and express insurance provisions, clearance and permissions should never be done by your library.  Further, when you develop a final agreement for the work, it should contain a clause stating that the artist is the sole author of the work, the artist is responsible for obtaining necessary permissions, that all necessary permissions have been secured, and that the artist will hold harmless, indemnify, and defend the library (and its trustees, employees and volunteers) in the event a third party claims the work is infringing any copyright, trade mark, image right, or right to privacy.

  • Who is responsible for organizing any promotional events?
  • Who is responsible for damage to the work during display at the library?
  • Who is removing the work from the library when complete?

Step 6: Protect the library!

You can tell by the questions on the worksheet that my final guidance is this: when developing a public art project, be picky about the details, and turn them into a good contract.

Because there are too many variables amongst the libraries (public libraries, college/university libraries, hospital and prison libraries, museums, private archives), I cannot offer a standard template for this.  A public library is in a different place than a library within a college or museum; they all live in different regulatory universes, have different vulnerabilities, and have different rules and obligations.  This is why simply “borrowing” a template from another institution is often a bad idea.

However, I can say that any good contract will address the above-raised issues, and if you have used this worksheet in advance, assembling such a contract will be easier.

Step 7: Promote Culture, Enjoy Art

I know: nothing kills inspiration faster than the word “indemnification.”  This worksheet brings up a lot of messy details that, if brought up at the wrong time, can hamper creativity. 

But I have found that addressing these details early actually helps a project move forward.  It gives the library and the artist clarity about their roles.  It gives the security of assurance about vital details.  Most importantly, by inspiring forethought about possible impediments, it makes challenging projects possible.

So revel in the details, make room on the walls, and let the art flow!


[1] You’ll see that throughout this checklist I also refer to the artist as the “author.”  The copyright law uses “author” as a catch-all term for the creator, whether they are a writer, photographer, sculptor, etc…

[2] I know, if the library can buy the materials, they’re tax free!  But both the state of NY and the IRS are pretty clear on this.

 

The Library of Things (and Bikes)

Submission Date

Question

We are planning on installing a bike rack for our community members. With it begs the question, should we also loan bicycles? Many libraries already do. Here is but one example: http://cpl.prl.ab.ca/about-us/policies/bike-borrowing-agreement. My question is, as long as you have a policy in place, and the borrower signs the agreement, are all injuries waived once off your property? Is it really as simple as that? Please help me identify any worst case scenario possibilities that I should be prepared for.

Answer

From tools, to bikes, to digital printers, an increasing number of libraries are providing access to more than information. 

I imagine someone has named this phenomenon, but I got a J.D., not an MLS, so I couldn’t find its overall name.  Therefore, I call it “The Library of Things.”  [1]

Joining “The Library of Things,” signals a sea change in the identity of a library.  It expands its lending model beyond information (books, media, data) to capability (printers, kayaks, cameras). It converts a community asset from a place of intellectual access to a source of physical action and production.

This combined role  is re-framing community awareness of libraries.  But whether it’s called a “makerspace,” or a “tool library” or simply a “3D printer,” these resources are challenging traditional library laws and ethics governing access, liability, and patron privacy.[2]  The member’s question is a perfect example of the complications that brings.

What complications?  The “Library of Things” is not simply about accessing assets, but using them, applying them, and sometimes, riding them.  Most library law (parts of the education law, CPLR 4509, a robust array of civil rights jurisprudence, and a body of case law regarding library operations) is built around the premise that a library’s mission to provide access to information must be safeguarded at all costs.  But that jurisprudence is largely silent on the issues posed by using equipment to take action or produce something.  That function, while important, is not enshrined in the law.  Prediction: the Library of Things will soon start testing the conventions of libraries’ legal status quo. 

But let’s get down to the brass tacks (or the greased chains).  What about the bikes?

Regarding the member’s precise question (“…as long as you have a policy in place, and the borrower signs the agreement, are all injuries waived once off your property? Is it really as simple as that?”), the answer is “no.”  The liability for lending equipment is as varied as the disclaimers and warranties that equipment comes with, and in general, a simple policy and waiver are not the only things needed to anticipate risk and reduce liability.  So how does a library do it?

First (and I cannot say this enough): no library should contemplate the loan of functional equipment without thoroughly considering the risks and conditions of that equipment’s use.  The member’s question says it all: Please help me identify any worst case scenario possibilities that I should be prepared for.

When it comes to lending bikes, here is an initial laundry list of “worst case scenario” thinking:

  • Will the library require helmets?
  • Will the library then provide helmets?
  • Can minors under 18 borrow them?
  • Can children under 14 borrow them?
  • Will the library provide information about the rules of the road?
  • Will the library require a safety demo before the first ride?
  • Has the library picked a demonstrably safe model of bike?  Is that model safe for all sizes?
  • Does it have all the required reflectors and bell?
  • Who will verify ridable condition before lending?
  • Who will deal with flats, rusty chains, and brakes?
  • How will the library respond to notice of an injury?
  • How will the library deter theft?
  • Who will own the bikes?
  • Who is providing insurance for every worst-case scenario?

Don’t worry…there are many ways to address the risks these questions highlight.  One solution, which can greatly ease the burden on a library, is to have the liability assumed (and insurance provided) by a third party through a rental contract.  With that approach, rather than accession the bikes, the library picks up the fee (rather like paying for access to a database), and the patrons, following an established policy, check the bikes out on their card.  In such an arrangement, the library’s contract, the underlying policies, and the agreement signed by the patron, could be drafted to promote safety and to shift the liabilities away from the library…an arrangement that must be confirmed by the right combination of contract provisions and proof of insurance.[3]

Second: no library should contemplate the loan of functional equipment without thoroughly considering the unique nature of their library.  Is the library a public institution?  Is it affiliated with a larger organization?  What are the limits of its insurance?[4]  Are there physical hazards near it that warrant enhanced care?  If your public library is at the top of a steep hill with a railroad crossing at the bottom, it should not use the same bike loan policy as the college library in the flat town with no CSX line.

Third (but in many ways, first): Is the contemplated asset critical to the mission of the library?  Is fulfilling the patron need for this equipment consistent with the library’s strategic plan and goals?  If the answers are “yes,” then addressing the first two questions should be easier, since clearly the identified risks and complications will be worth it.  If bikes with baskets help fulfill the mission to deliver books to the senior center, then bikes with baskets it is.

And finally, there are ancillary considerations.  Is the loan of equipment a “circulation record” subject to privacy laws?  Is the service as accessible as possible per ADA?  Do you need to follow a procurement policy when seeking a third-party bike provider or a purchase source? 

When developing a bike loan program, it’s essential to consider:

  • New York Vehicle and Traffic Law (“VTL”) 1236 requires that a bike have a bell (and expressly NOT a siren or whistle);
  • If ridden from dusk to dawn, a bike must have reflectors meeting the specs in 16 CFR 1512.16 (by law, all new bikes in the U.S.A. meet this standard);
  • Children under 14 must wear a helmet (NYS VTL 1238) (your insurance carrier might require ALL riders to wear a helmet);
  • It is a violation-level offense for a person over 18 to leave the scene of a bike crash causing MINOR injury to another without calling law enforcement (VTL 1240);
  • It is a B misdemeanor for a person over 18 to leave the scene of a bike crash causing MAJOR injury to another without calling law enforcement (VTL 1241);
  • Your insurance carrier will probably want to know about any injuries;
  • VTL 374 bars riding while listening to more than one earphone (no books on tape while riding); 
  • VTL 1235 bars carrying something that prevents keeping at least one arm on the handlebars (limit how many books your patrons are carrying home!).

That’s a lot, but there are resources to help you.  The library’s insurance carrier should be consulted at the outset.  The NY Department of Transportation maintains a list of current bike laws.  There are an array of groups that offer free safety training, and many civic organizations offer free helmets.  If possible, a third party vendor is the way to go, since it can help limit the library’s liability. Liability waivers should be custom-drafted to fit your library and the precise arrangements it has made for the bikes, but drafting your waiver should be the last step, after you’ve made your decisions about safety and conditions.

With a little coordination, you can address all the bells (but by law, leave off the whistles).

There’s a lot to wade through, but one thing is clear: libraries are evolving.  This means that with a few fits and starts, the law will evolve with them.  So once your organization decides to join the Library of Things, know the assets, know your library, stick to your mission, and roll with it. 

With the right planning, it’s as easy as riding a—

(Couldn’t resist).


[1] I invented this term as I wrote.  During editing, my husband (who does have a library degree) checked “Library of Things,” and found that it’s been in use for quite a while.  So I got to think I was clever for about 2 hours.

[2] I’m not a historian, either, but I really do think this change is significant.  Think about it: Ben Franklin, who founded this continent’s first formal lending library, was a printer.  But did that library give members free access to a printing press?  Or a candle mold? Lending things has not been baked into the model. 

[3] These documents should be reviewed by the library’s lawyer.  It doesn’t hurt to have them reviewed by the library’s liability insurance carrier, too.

[4] For instance, Camrose, AB, the library in the member’s question, is in Canada, a country with a markedly different approach to risk and health issues.

[2020 Pandemic Date Specific] COVID-19 Diagnosed Case Where Person Visited the Library

Submission Date

Question

We are seeking guidance as a result of the following:

We have been informed (by the Health Department and via news media) an individual who now has been confirmed to have COVID-19 attended a program at one of our libraries. I have been asked the following questions:

1. To what extent is it the responsibility of the library to notify participants who attended the library program the person now diagnosed with COVID-19 attended?
If the library bears no responsibility, would you recommend the library, as a courtesy, notify attendees? What of others who may have been in the library at the time of the program - in many cases, the names of these individuals are not known...are we placing the library in a liability situation if we notify some, but not others? If you suggest a courtesy call, can you please provide suggested language?

2. CPLR 4509 speaks to the confidentiality of library records. We have always employed that this further applies to the identification of anyone using the library, those participating in programs, etc. -- meaning that NO information can be provided to anyone without a proper subpoena. Given that this is a situation related to the health and well-being of our community should (they have not, but this is a question that has been asked) the Health Department request the names of program participants does CPLR apply? If so, can you recommend a response to such a question.

Thank you for your assistance.

Answer

To address this very serious array of questions, we’ll take them one at a time.

To what extent is it the responsibility of the library to notify participants who attended the library program the person now diagnosed with COVID-19 attended?

The library is not obligated to notify individual members of the public regarding possible exposure; the county health department is obligated to notify the New York State Department of Health, and will coordinate the necessary level of response.[1]

If the library bears no responsibility, would you recommend the library, as a courtesy, notify attendees?

In a time of pandemic, information is power.  If the library has the capacity to notify attendees in a way that connects them to meaningful next steps, AND the County Health Department agrees that such notification will be helpful, then: yes, that would be a good thing to do.

However, because the slightest bit of mis-information in this step could potentially cause harm, such a courtesy should only be done in collaboration with the County Health Department.

What of others who may have been in the library at the time of the program - in many cases, the names of these individuals are not known...are we placing the library in a liability situation if we notify some, but not others?

An effort to empower people, through information, to take care of themselves and minimize the spread of disease will not expose the library to liability in the event only known attendees can be alerted.  As stressed above, the greater risk would be mis-informing the public, which is why coordination with the county health department is key.

If you suggest a courtesy call, can you please provide suggested language?

For reasons of confidentiality and accessibility, the notice should not be a verbal phone call, but rather (and only if confirmed as helpful by the County Health Department), a written notice sent to the library user’s email address.

Suggested text for your library to review with the health department is:

Dear Library Member:

As you know, the [INSERT] [County Department of Health] is monitoring the development of COVID-19 in our county.

As you can see at the listing [here], the Department has determined that on DATE, a person with COVID-19 attended the [INSERT PROGRAM NAME] program at our library, which ran from TIME to TIME on DATE.

Because the [NAME] Library values every member, and because we believe knowledge is power, we are working with the county to notify individuals who we know were present at the event.  As advised by the County’s guidance [here], we encourage you to monitor yourself daily for symptoms of COVID-19.

Further information on what to do in the event of a health concern is on the Health Department’s website at [link].

Your library information is confidential and your participation in the [NAME] event will not be released except upon your request.

Given that this is a situation related to the health and well-being of our community…[if] the Health Department request the names of program participants does CPLR [4509] apply? If so, can you recommend a response to such a question.

Yes, the confidentiality requirement of CPLR 4509 absolutely still applies.  Here is the language of that law:

Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.

Because CPLR 4509 is so clear in its protection of patron information, I am not comfortable concluding that disclosure to a County Health Department is allowed for the “proper operation” of the library, or even in the case of a declared emergency.  Even during times of trouble, we need to follow the law.

However, if the library has the capacity to do so, upon request of the Health Department, the library can write to the impacted patron, and see if the patron will request the disclosure.

Sample outreach to see if the patron wants their information released is:

As a result of a person who visited the [NAME] library testing positive for COVID-19, the county health department has the name and contact information of other patrons who visited during the [EVENT].

By law, your library information is confidential.  Therefore, the [NAME] Library will only disclose your information if you request that we do so. 

Please let us know if you would like us to release your name, address, and phone number on file with the library to the [COUNTY] County Health Department.

You may also directly call the County Health Department about this at [NUMBER]; if you do, tell them it is regarding the COVID-19 case at the [NAME] Library.

In the alternative, the County Health Department may obtain the information via a subpoena or court order.

Those are my answers to the member’s questions.  Here are some additional thoughts:

Legal compliance and ethics are strong supports during tough times. Thank you to the member for thinking this situation through so thoroughly.


[1] 10 NYCRR 2.16v

 

Library Files

Submission Date

Question

What recourse may a library board take, if a former director removes all library files from a library owned computer that relate to the running of the public library?

Answer

Every employer struggles with this issue: give employees enough access to electronic information to do their jobs, but protect that information from accidental disclosure, file corruption, and theft.

Solid practices like routine security updates, back-ups, password re-sets, and employee training can help a library avoid the worst IT disasters.  But what if someone in a position of trust simply abuses their access?  What if a scenario like the member's question should arise?

There is a process to address this type of scenario.  In order to ease an adrenalized mind,[1] it is presented below in grid form.

Upon suspicion that files have been removed or inappropriately removed by a former library employee, follow these steps to assess what recourse a board might have:

| Action | Why you do this | Results |
|---|---|---|
| 1.  Upon suspicion that files have been removed, if possible, do not take further steps alone. Create an "Initial Response Team" of at least two people to do the next four steps, and designate one of them as the note-taker and document-keeper. If your library's computer system is supplied or supported by a cooperative library system, one of these people should be from the system.[2] Organize a timeline and take photos or screenshots of information showing the potential problem. | The facts you assemble and first steps you take may have far-reaching consequences for your library's response and recovery, as well as for the potential wrongdoer. At this stage, however, you'll just be documenting what appears to be missing.  No deep-dive investigation.  It should only take an hour or two.[3] | Initial Response Team formed and responsibilities of team members made clear. Note-taker assembling information. |
| 2.  Without letting it take more than an hour (or two) and without making any changes to your system, assess and create an informal list of what appears to be missing (file types, specific types of information, locations), when this was noticed, and what the first signs of the concern were.  This will be your "Initial Inventory." | You need to have a foundation for your next steps, so you're creating a quick description of the possible situation. | An Initial Inventory you will use in the next few steps. Note: The "Initial Inventory" is not an attempt to assess what happened, just to list what might be missing, and a few initial details. |
| 3.  Look over the Initial Inventory.  Could any of the missing files contain personal/private information, such as: name, address, date of birth, SSN, library card number, credit card information, contact information, banking information, health-related information, computer use, passwords, or circulation records? If the answer is "yes," add the phrase "…possibly includes loss or compromise of private information and/or library patron records" to the Initial Inventory. | This part of the Initial Inventory will help those assessing the issue quickly appreciate the possible privacy and confidentiality implications of the situation. | |
| 4.  Contact the library's insurance carrier, and alert them that you may have had a loss of data related to "unauthorized computer access that may involve a former employee." If your Initial Inventory includes a "yes" to Step #3, also state: "The situation may have involved personal and confidential information." If your initial contact is by phone, confirm the notice via a letter or e-mail. | Depending on your library's insurance type, you may be covered for this type of event. Notifying your carrier and following up in writing will help the library determine if the carrier will provide coverage and/or assistance for the event. | Timely notice to the library's insurance carrier, enabling your carrier to let you know if you have coverage and if they can provide assistance in recovering from the event. NOTE:  If the event is covered, some or all of the remaining steps could be impacted by the participation of the carrier. |
| 5.  With the Initial Inventory complete and the carrier on notice, the board (or director, if the board has delegated the right amount of authority to them) must decide who is in charge of next steps: the full board, a board committee, the Director and a team, or any combination of people needed to assess the matter. This "Response Team" should have the power to appoint a qualified professional to assess the situation, to retain legal assistance if warranted, and to recommend a final course of action to the board. In no event should a report to the board (or Executive Committee) extend the timeline for arranging a response beyond 3 business days. | Unauthorized computer access involving a former director (or any employee) is serious enough to warrant board involvement, whether or not personal and confidential information is involved. This is especially true since, in a worst-case scenario, the library may have to report a data breach, expend resources to re-create or retrieve the information, work with an insurance carrier to recover from the loss, consider if any aspects of the former employee's contract or severance apply (if there was either/or) and based on what is discovered, consider whether or not to file a report with law enforcement. | Clarity as to who is in charge, what level of authority they are working with, and who they will bring on to assist with the investigation and recovery. |
| 6.  Alert the library's lawyer by sending them a copy of the Initial Inventory, and connect them to the Response Team, so they can assist as needed. | It will be the lawyer's responsibility to work with the Response Team and others to ensure the library is positioned to seek relief from the carrier or the former employee, to assess any relevant contracts (for instance, if the files were deleted from a cloud server), and to advise the board about filing a report with law enforcement, or pursuing civil remedies. | Attorney-client privileged input to help assess response options in the best interests of the library. |
| 7.  The Response Team should retain a qualified IT/data security professional to assess and develop an "Incident Report" with a Final Inventory of what is confirmed as missing, a conclusion as to how it went missing, and if/how it can be recovered. This should be done within 3 days of discovery and before there are any changes to the system.  Ideally, this work should only be performed after the library and the IT professional sign a written contract that is reviewed by the lawyer. | | Contract with a qualified firm; certificate of insurance from the professional firm; a written Incident Report from the firm. |
| 8.  Based on the value, sensitivity, and type of information in the Final Inventory, work with the IT professional and lawyer to assess any legal steps the library must take to recover or to give required notifications of data breach. | Depending on what went missing, the library could have concerns under any number of laws. | The final recommendation should be a memo to the board, regarding any necessary steps (or confirming none are needed). |
| 9.  Based on the complete Incident Report's assessment of what is missing, how it went missing, and if/how it can be recovered, and any relevant details about the employee, develop a course of action. | For more on this aspect, see the rest of this RAQ. | Recourse. |

What happens as part of number "9," is the actual answer to the member's question.  But until a library follows steps "1" through "8," it can't fully know its options under "9."

And what can happen as part of "9"?  The range of consequences for unauthorized computer access and/or data destruction is vast, running from criminal penalties to civil remedies.  And if considered with solutions for how a library can recover from the loss, there are further possibilities.

If I was on the board where a former director removed all the library files from a library-owned computer that relate to the running of the public library, at the end of the day, here's what I'd want to get out of "The Files Are Gone" process:

  • Know if the files were simply removed, or if they were removed and accessed/disclosed beyond the library;
  • If they were disclosed beyond the library, what the library must do to address that (including special considerations if personal or confidential information was accessed);
  • If the files were only removed, know if they can easily be replaced, or if they were the library's only copy;
  • If they can't be easily replaced, how much it will cost to replace them, and any negative impacts we'll experience until we do;
  • How we have concluded the files were removed by the former employee, if they were an employee when they did it, and what the due process is for addressing that;
  • If (based on all the information gathered, and more that will be specific to the situation), the board should contact the police, or consider a civil claim against the former employee.

By demanding solid, well-documented and qualified answers to these questions (What happened?  How does it impact the library?  What can we do?) a board member is being a good fiduciary, and positioning the library to identify the best recourse.

Now let's say that, in the grand scheme of things, the "missing files" appear to be pretty minor (and do not involve private information).  Let's say that, for whatever reason, the outgoing employee deleted all the library's "standard operating procedures." Not the policies (those are on the library's website and backed up in numerous places) but all the details about (as the question says) "running the library":  How to organize the courier manifest.  The templates for the volunteer letters and community meeting notices.  The budget template and calendar for strategic planning.  Their own emails on their library account.  Nothing private, no circulation or credit card information, but a body of work that represents hundreds of compensated hours…lost.

This may seem like the kind of loss that isn’t dire enough to warrant the steps I have outlined above, but it absolutely is.  First, only a professional can say when data is truly "lost" (especially emails).  And even if, at the end of the day, there is a board decision not to pursue any consequences (privately, civilly or criminally), such (in)action must be based on good information--not just the result of a decision not to investigate in the first place.

The budget for such response, if planned carefully, can be very modest (under $1500).[4]  Reaching out to a library's system and regional council to find the professional you need might help the library get those services at a reasonable price (and again, depending on the system-library service agreement, much more).

Why am I adamant about this follow-through, even for a "small" incident?  Because sometimes a "small" incident is only the tip of a much larger iceberg.  Unauthorized data destruction by a former employee could be a serious breach of their duty, the law--and even their oath of office.  But it might not be.  The right response, and the fair response, can only be formulated through careful documentation and analysis.

This is what positions the board to know what recourse it can take, when presented with such a serious situation.

Thank you for trusting "Ask the Lawyer" with this sensitive question.

 

 


[1] If you are reading this while working on this type of issue, take a deep breath.  You've got this.

[2] There are too many types of IT supply/support arrangements out there for me to be more precise than this.  Some systems are essentially the IT department for their member libraries. Others are not.  This aspect will be governed by the System's member contract…but generally, a good place to start is on the phone!

[3] In keeping with the question, this chart addresses what to do if the person involved is a former employee.  If the person is a current employee, the Response Team should include someone qualified to assess an appropriate response that ensures 1) due process for the employee; 2) security for the investigation; and 3) stability for ongoing operations of the library.

[4] Is this a low-ball figure?  Could it be much bigger?  Yes. But if it gets much bigger, that should be because it's actually a big problem that needs to be solved.

 

NYS SHIELD Act and Libraries

Submission Date

Question

With the NYS Shield Act taking effect in March 2020 what changes or precautions should libraries be thinking about to comply with the law and minimize the risk of data breaches?

Answer

There are many technical aspects to this question, and this answer will explore many of them.  But first, I invite each reader to sit back, close their eyes, and envision the types of information their library takes in, maintains, or manages digitally.

Name…address…phone number…e-mail…library card number and account information.  Perhaps a driver’s license, or other photo ID.  Credit card information? Job applicant information, payroll, and employee data….  Donor information.  Survey responses.  Licensed lists.  Content related to digitization.   And (of course) every digital record related to a library’s core function: providing information access.

Now envision what someone with less-than-ethical intentions could do if they accessed or appropriated that digital information:

Disclose confidential library records…sell active credit card information on the dark web...use the information to design a very convincing phishing[1] scheme….

And I bet you can easily think of more. 

Scary?  You bet it is.  This is the type of risk-management New York’s lawmakers had in mind when they enacted the SHIELD Act[2], a far-reaching amendment to the state’s laws governing data security.

And as the member points out, the changes will impact your library.

So, what does this law require?

A lot. 

And here is where we get technical.  Because the law will hit different types of institutions differently, this “Ask the Lawyer” can’t give you a word-by-word recital of the precise obligations the SHIELD Act will impose on your institution.   But it can give your board, your director, and your (internal or external) IT team a plain-language DIAGNOSTIC FORM as a tool to start assessing your obligations.

So here, without further ado, is the ‘ASK THE LAWYER’ SHIELD ACT DIAGNOSTIC FORM.  If you have a buddy to fill this in with, I suggest you invite them to help; this is not the type of exercise to do alone.[3]

 

 

Diagnostic question

 

[NOTE: Any member of a library council in the State of NY is licensed to make a copy of this form for diagnostic purposes. However, THIS IS NOT INDIVIDUALIZED LEGAL ADVICE and no legal conclusion about the obligations of your institution should be made without the input of a lawyer.   That said, filling this out will help that lawyer help you a lot faster.]

Your Answer

 

Significance

 

1.

 

Does your library collect electronic versions of “personal information” as defined by SHIELD?

 

Here is the definition of “personal information”:

"Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

 

 

 

 

If your library collects “Personal information” as defined by SHIELD, it may be subject to SHIELD’s requirements. 

 

So, if you marked “yes,” keep going!

 

 

 

2.

 

Does your library’s network or equipment collect electronic versions of “private information” as defined by SHIELD?

 

Here is the type of data that, when combined with “personal information” becomes “private information” protected under SHIELD:

(1) social security number;

(2) driver's license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual's financial account;

(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or

(5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

 

 

 

If your library collects “private information” as defined by SHIELD, it may be subject to SHIELD’s requirements. 

 

So, if you marked “yes,” keep going!

(NOTE: if any libraries out there are using biometric records like retina scans in place of library cards, please let me know, because that is Blade Runner-level cool.)

 

 

3.

 

Does the “private information” your library collects include information from residents of New York?[4]

 

 

 

If your library collects “private information” relating to New Yorkers, it may be subject to SHIELD’s requirements. 

 

So if you marked “yes,” keep going!

 

 

4.

 

Is your library part of a larger institution such as a school, college, university, museum, religious institution, or hospital?

 

 

 

If the answer is “yes,” then STOP.

 

Your work on SHIELD Act compliance should be coordinated with your full entity, which should be sensitive not only to your library’s obligations under CPLR 4509, but also to your institution’s obligations under SHIELD and other data security laws like FERPA and HIPAA.[5]

 

Don’t go rogue!

 

 

5.

 

Does your institution contract with another entity, like a library system, to maintain private information? 

 

EXAMPLE: When a person applies for a library card, does the personal information supplied stay on the local library’s network, or does it simply flow through a terminal at the local library to a system’s network? This is a very common arrangement in NY.

 

 

If “yes,” list and attach the contracts, along with the information maintained by the contractor.

 

This question applies to both parties.

 

If the answer is “yes,” gather the contract(s) governing the arrangement(s), and be ready to check the contracts for assurance of SHIELD compliance. This includes assurance of “reasonable security requirements,” and a clause governing data breach notification.

 

 

6.

 

Now, aside from information maintained on another entity’s network as listed in #5 above, (library system, payroll service, credit card service provider, etc.) does your institution maintain any computer system with private information?

 

 

 

 

 

 

If yes, list the information gathered and where it is maintained:

 

 

 

 

 

If the answer is “no,” you only have to follow step #7, below.

 

If the answer is “yes,” make an appointment with your IT team, and be ready to do steps #7 through #15, too.

 

7.

 

Contract compliance check:

 

If you answered “yes” to #5, above, the contracts governing that relationship should be clear about SHIELD Act compliance, including the notification procedures for data breach.

 

 

Who is the person at your institution who will do this work with your contractors?

 

 

 

This is a smart step because contract vendors must meet this standard:

Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

 

 

8.

 

Okay, so it looks like my institution has to comply with the SHIELD Act.  What does that mean?

 

Well, firstly:

Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

 

So, does your institution have a policy for data breach notification?

 

 

 

Your institution may already have one! If so, it should be updated to reflect the changes in the law. 

 

If it doesn’t have one, now is a good time to get a policy in motion.

 

The law lists the steps and requirements for notification. Among other things, those requirements can depend on the size and nature of the breach.

 

NOTE: a data breach response is something a library should respond to with a qualified IT team and, if there are concerns about liability and compliance, a lawyer and your insurance carrier.

 

 

 

9.

 

Secondly:

 Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.

 

Does your institution have a policy to implement these “reasonable security requirements?”

 

 

 

Your institution may already have one. 

 

If so, it should be updated to reflect the changes in the law. 

 

If it doesn’t have one, now is a good time to get a policy in motion!

 

NOTE:  ***I have put the SHIELD Act’s criteria for a data security program next to three asterisks in the text following this form.

 

 

10.

 

Thirdly, are you a small library and feeling panicked about your security requirements?

 

Don’t worry: if you’re a “small business,” the law has a provision related to your obligations.

 

Here is the SHIELD Act’s definition of a “small business”:

"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.

 

So (deep breath) are you a “small business?”

 

 

If the answer is “yes,” then your “reasonable security requirements” are tempered:

…if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.

 

This analysis is why having an inventory of the private information maintained by your library (or for your library) is critical; depending on the “sensitivity” (or use) of what you maintain, your plan can be adjusted for what is “appropriate.”

 

 

11.

 

Just to reiterate: if you have gotten this far into the assessment diagnosis, you should probably have a “data breach” plan—even if it is just for coordinating with the entity who holds most of your data.

 

So: do you have a “Data Security and Data Breach Notification Policy and Procedure?”

 

 

 

 

As can be seen in the factors cited in the sections above, policy and procedures related to data security and data breach notification cannot be cookie-cutter, based simply on what other libraries do. Your policy and practices will be governed by many factors.

 

 

12.

 

Are you insured for data breach and recovery?

 

 

This is a great question to ask your insurance carrier!  You should also be familiar with their notice requirements in the event of a hack or breach.

 

 

13.

 

Who at your institution is responsible for coordinating your data security program?

 

 

 

This responsibility should be confirmed in a job description and reinforced with regular training.  Working with your system or other larger supporting entity may be important, too.

 

 

14.

 

Who are your outside contractors assisting with emergency response in the event of a data breach?

 

 

 

This is a good standing contract to have, and one that systems and councils might consider jointly negotiating for on behalf of members (and hopefully it is a service you never need to invoke!).

 

 

 

 

15.

 

Did you ever think, when you chose a library career, you’d get to moonlight in IT?

 

 

 

IT and libraries: two great tastes that go great together….with enough planning.

 

 

And that’s the SHIELD Act.[6]

How does a small not-for-profit tackle this expansion of data security laws?  Like anything else: inventory your status under the law, establish a goal for compliance, develop a budget and a plan, make sure the responsibility is appropriately allocated, confirm insurance coverage alignment, use all the resources at your disposal (your system, council, insurance carrier, and board members who have lived through data breach compliance) and get it done. 

In practical terms, this also means:

  • If your library makes a practice of getting a copy of every member’s photo ID, and stores it on an Excel spreadsheet on an unsecured computer, now is a great time to stop doing that.
  • If your library maintains a list of users, credit card numbers, CCV numbers and expiration dates on your network, now is a great time for a network security assessment.
  • If your library uses an outside IT contractor, now is a great time to review their contract and make sure it provides assurance that services will be SHIELD Act-compliant.
  • If you have no idea if your institution’s insurance covers data breach (and recovery), now is a great time to ask your agent, broker, or carrier.  They might even have some resources to help you with SHIELD Act compliance.

The penalties for violation of the SHIELD Act are $5,000 per violation, in an action brought by the New York Attorney General (the law doesn’t create a private right to sue). Other changes to the law make it easier for the AG to learn of data breaches, and to coordinate with other law enforcement agencies trying to combat them. As we envisioned at the beginning of this article, the stakes for a breach are high.

But don’t worry. No matter where your diagnosis falls, remember: libraries have been operating under heightened privacy obligations since before there were computers. That mindset, an awareness of an ethical duty to protect privacy, is the most important part of a program to minimize the risk of breaches.

You’ve got this.

Thanks for a great question.

 

***A data security program includes the following:

 (A) reasonable administrative safeguards such as the following, in which the person or business:

(1) designates one or more employees to coordinate the security program;

(2) identifies reasonably foreseeable internal and external risks;

(3) assesses the sufficiency of safeguards in place to control the identified risks;

(4) trains and manages employees in the security program practices and procedures;

(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(6) adjusts the security program in light of business changes or new circumstances; and

 

(B) reasonable technical safeguards such as the following, in which the person or business:

(1) assesses risks in network and software design;

(2) assesses risks in information processing, transmission and storage;

(3) detects, prevents and responds to attacks or system failures; and

(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and

 

(C) reasonable physical safeguards such as the following, in which the person or business:

(1) assesses risks of information storage and disposal;

(2) detects, prevents and responds to intrusions;

(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

 


[1] “We just need your bank information to refund your library fees since 1987 with interest!”

[2] SHIELD stands for "Stop Hacks and Improve Electronic Data Security".

[3] Why?  Well, if you’re lucky, it’s because it will be boring.  But chances are, it will be all too exciting, as you discuss the different types of data your library maintains and explore the data security obligations that come with it.  And if that happens, you’ll need one person filling in the form, while the other one looks up information—and you’ll both want someone to share your sense of urgency when it’s over.

[4] NOTE:  This is a huge change in the law, which used to only apply to businesses in New York.  Now it applies to any business that collects the information of New Yorkers; a big difference and one that impacts businesses out-of-state.

[5] Institutions subject to HIPAA have special provisions to ensure disclosure obligations aren’t redundant.