Security

Dealing With Demands to Preserve Evidence

Submission Date

Thursday, November 20, 2025

Question

Recently a law firm from Albany sent us a memo claiming to represent the plaintiff in a civil suit and informing us of their intent to have a subpoena issued for access to our security footage on a particular day. The memo asked us to preserve the footage in question in expectation of the subpoena. They did not specify an area of the library or a time for the footage.

I would like to know what limitations and obligations we have in this civil matter with regard to patron privacy.

Answer

Before we dive into this, a word of caution: sometimes “law firms” are not always what they seem.

Because I am writing this in 2025, you might assume I am starting with the caution because “deep fakes” are out there pretending to be lawyers, politicians, and your grandchildren stranded on the road in Arkansas.[1]

But actually, this has been a problem for a long time, even before someone could use PageMaker[2] to cobble up a fake law firm letterhead.

So, before a library (or any cultural institution) leaps into response mode on a “lawyer letter,” it is wise to do what the member is doing: exercise a little healthy skepticism.

In this case, it is good to verify that the firm and lawyer are real, and that the firm you’ve verified actually sent this.

Now, if there is any chance that the legal matter in question could involve a claim against your institution, it is wise for your lawyer to do this. I am not saying that to drum up work for my siblings at the bar,[3] but because the initial outreach to the requesting firm could result in providing information they are not entitled to, and it could put your institution at risk. Using your attorney to make the contact will reduce this risk.

The attorney can, at the same time, assess if the demand has teeth (as in, can the requirement to preserve the footage be enforced?), and advise on next steps. As part of that exercise, the attorney will evaluate this from the perspective requested by the member: patron privacy.

The first part of that evaluation is standing under the transparent elephant in the room: FOIL.[4] If a record is available under FOIL, a person doesn’t have to get a subpoena to demand a copy; they can just request the record, and the library has 5 business days to get them an initial response to the request.

Of course, FOIL is not a magic wand that brings immediate access to all records; there are all sorts of exceptions to what must be disclosed under it, and those exceptions include library user records.

This brings us to the next consideration: what your library has defined as “library user records.” While the law in New York governing the confidentiality of library user records[5] does not mention security footage, it allows libraries to include such records in their own definition. If a library’s “Confidentiality of Library User Records Policy”[6] lists security footage—or security footage in certain areas—as a “user record,” the content cannot be disclosed without a written release from the relevant patron(s), a court order, or a subpoena.

The next thing to consider is your library’s practice of retaining security footage. In New York, security footage can be FOILed, but there is no obligation for an agency to retain such footage unless there is a “potential legal use.” This “0 after no longer needed” retention period is set by the LGS-1, which is the master list of record retention terms for government agencies in New York.

Here is the LGS-1’s listing for security footage:

846 CO2 912, MU1 781, ED1 352, MI1 787. Video or audio recordings maintained for security purposes. a. Recording containing incidents warranting retention for administrative or other potential legal uses: RETENTION: 3 years, but not until any minor has attained age 21. b. Recording not containing incidents warranting retention for administrative or potential legal uses: RETENTION: 0 after no longer needed.

When developing a security footage/library user record policy, it is important to keep this non-existent retention period for boring footage in mind.[7]

Why is that important? If a request has been received for footage that is already deleted (because your library did not identify a need to retain it), the library has no ability to fulfill the request and has no culpability for not having the footage.

If the library retains the footage for a set time (for instance, 30 days) and then routinely deletes it, but a legitimate demand to retain the footage is received prior to the footage being deleted, the footage must be retained as having a “potential legal use.”

For this reason, it is important for public libraries with security systems to set a retention period for security camera footage and to ensure they are deleting the recordings exactly as required by the policy. This is because if a public library gets a request for the footage, and the library has the footage, it must be preserved, even if it is past its retention period… and even if it is regarded as a library user record.

Note that I say it must be “preserved,” not that it must be “disclosed.” Disclosure is only required after a library user grants their written permission or the library receives a subpoena or court order. Assessing when the library is compelled to provide the record is another job for the library’s attorney.[8]

Returning to the member’s question (“I would like to know what limitations and obligations we have in this civil matter with regard to patron privacy”), the answer is: the library cannot go wrong by assuming that the record cannot be disclosed without a subpoena or court order and not releasing it until the library’s attorney has assessed the matter and provided written advice.

Here are just a few of the variables that make caution and taking your time wise:

The “litigation hold” demand might not be legitimate;[9]
The case could be settled in between the time the library gets the request and is ready to fill it;[10]
The person the footage pertains to could attempt to “quash” the subpoena;
A party could try to appeal the court order directing that the record be provided;
If the footage is needed by the library user it pertains to, that person could sign a release, but there is no obligation on the part of the library to provide the record;
The library may need to address footage that shows one or more other person(s) in the same frame as the person(s) to whom a subpoena pertains.

When a library director (or another lucky employee) receives a request like this, the best response is to draw a deep breath, call your board leadership and/or library system to develop a response plan,[11] or reach out to the library’s attorney.[12] If the footage that was requested still exists but is scheduled for deletion, it should be preserved immediately.[13] Other than that, nothing should happen quickly.

The good thing to remember is that no matter what, libraries in New York[14] are well-positioned to go to the mat for library user privacy—a notion that in 2025 may seem quaint but grows more important with every passing day.

Thank you for a great question.

[1]^ They need money to give the tow truck guy, and he only takes Venmo! Send $1,000.00 or they have to spend the night on the road! This is the stuff that is happening now. Aaargh, sometimes I just want to go full Luddite.

[2]^ Or, as we used to call it back in the day, “RageMaker,” as it defied instructions to properly kern the alignment of a college newspaper heading. Take that, outdated 90’s software! No wonder you are being replaced with AI.

[3]^ No lawyer is paying the bills by simply verifying that a letter from a law firm is legit.

[4]^ FOIL stands for the “Freedom of Information Law,” of course. FOIL what obligates government agencies in New York to share most records with the public.

[5]^ See CPLR Section 4509 here: https://www.nysenate.gov/legislation/laws/CVP/4509

[6]^ Or whatever you call the policy governing user confidentiality. I like “Assurance of Patron Privacy and Non-disclosure of Library Records,” but I know that sounds stuffy.

[7]^ “Boring” as in it does not have content the library knows is relevant to a potential legal issue, like an injury, harassment claim, property damage, etc.

[8]^ For library leaders concerned about the bill, this shouldn’t take too much time. Unless there are complications, it should be about an hour or so, and the library should get the answer in writing.

[9]^ Letters like the once described by the member are often, but not always, called “litigation hold” or “duty to preserve” letters.

[10]^ I had this happen once. All that caution, and then the case was dropped. It was good that things ended before library records had to be disclosed, but also kind of anti-climactic.

[11]^ DO NOT EMAIL in substance just yet, as you could be adding to the written trove of evidence an attorney is seeking.

[12]^ You can write to your attorney under assurance of attorney-client privilege, so writing to them is A-okay.

[13]^ If the request is insufficient to identify which footage or area of the library is needed, save everything from the date(s) listed until the request can be narrowed or disregarded.

[14]^ That includes public libraries, association libraries, school libraries, and libraries at colleges and universities.

Tag

Litigation

Litgation hold

Privacy

Record Retention

Recording devices

Security

← Back to RAQ Database

Browse the Database

Webinar Recordings

Submit an Inquiry

Resources and Templates

About the Service

Database Downloads and Confidentiality

Submission Date

Thursday, November 18, 2021

Question

Recently a question has come up at our academic library concerning patron privacy and the notification to a patron (usually a student) concerning excessive downloading of content from databases in our collection. Our current practice has been to receive notification from the vendor about perceived illegal downloading. We then ask a member of our library IT team to investigate the situation, based on the information from the vendor. The contact information acquired by that IT staff member is then provided to the e-resource librarian. That librarian then contacts the individual via email, explaining the situation and indicating that such behavior must cease. Once that is done, the librarian notifies the vendor that the situation has been addressed, and there is no need to withhold access to the product from the campus. No personal identification of the user or student is provided to the vendor, nor distributed to anyone else. The question now: Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Answer

Questions that combine higher education, data access, and "terms of use" enforcement always give me a moment of sad reflection, as I remember Internet pioneer and activist Aaron Schwartz. It was an alleged overuse of an academic database at MIT in 2012 that lead up to his demise.[1]

While the circumstances in the Schwartz tragedy are different from the situation described here, both scenarios--and the care the member has taken in framing this question--illustrate the importance of considering what's at stake when an institution balances contract compliance, digital access, and privacy.

What's "at stake" here? The member's question combines concerns about:

Confidential use of library resources
Academic freedom
Intellectual freedom
Honoring the exclusion of certain academic and library actions from liability for copyright infringement
FERPA

Let's do a quick run-down of these critical areas:

In New York, the confidentiality of library services is protected by Civil Practice Law & Rules ("CPLR") section 4509, which states that library records indicative of the identity of a library user may only be accessed with that user's permission, or per a subpoena or court order. CPLR 4509 applies to private libraries within academic institutions as much as it does public libraries or those within school districts. It works hand-in-glove with the American Library Association's and New York Library Association's recitals of patron confidentiality in their Codes of Ethics.

In New York, the commitment of a higher education institution to academic freedom is reflected in various ways. An example is the American Association of University Professors' 1940 "Statement on the Principles of Academic Freedom"[2]: "Teachers are entitled to full freedom in research..."

In New York and throughout the nation, the commitment of libraries to collaborate with others to promote intellectual freedom and access to information is reflected the ALA Library Bill of Rights: "Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas."

In New York and throughout the nation, certain academic and library actions that would otherwise violate copyright are excluded from liability for infringement. This exclusion is to ensure there is a clear and well-defined legal safety net for content accessed in furtherance of certain intellectual and academic freedoms.

And throughout the USA, the privacy of education records, including library records, is assured under the Family Education Rights Privacy Act" (FERPA).

Serving as a counterweight to all of these critical factors are an educational institution's obligations under federal law and regulation with regard to alleged copyright infringement, particularly the regulations found in 34 CFR §668. If I were to delve into that and describe all of those obligations here, this answer would be 50 times longer, but a good summary of what compliance in that regard looks like can be found in this sample policy from RIT: https://www.rit.edu/its/rit-response-copyright-infringement. In short: since 2008, federal law requires higher education institutions receiving federal financial aid and other federal benefits to be express enforcers and re-enforcers of copyright.[3]

Sitting astride of all of this is whatever notification commitments (and other responses) a college or university library agreed to when it signed the license agreement with the database provider (I have reviewed many of these types of license agreements, and almost all of them have some form of notification action requirement, which can range from a warning as described by the member, to ensuring the immediate cutoff of access by an offender). This means that in addition to the ethical, legal, and regulatory factors that have to be balanced in a question like this, we also have to consider obligations that are contractual.[4]

With all of these very important considerations now laid before us, let's review what the member is doing: 1) getting a notification of a possible terms violation from the provider, and then 2) using a firewalled[5] process to identify the user and alert them of the alleged violation, and then 3) assuring the vendor they have addressed the issue. As asked by the member: Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Here is my short answer: since the method of response described by the member shows there is a big firewall between the vendor and the institution (meaning: the outside party never learns the actual identity of the alleged violator), I believe so. BUT: the only real way to ensure privacy is protected as it should be is to confirm that the information flowing between the library and the IT Department never goes any further...within the institution.

What do I mean by that? The information should never go to campus safety or security. Unless it is per a very clearly articulated procedure developed for the operational needs of the library, it should never go to the office responsible for student discipline. And it should certainly never go to an employer on campus, a faculty member, or an advisor.[6]

This caution is warranted because, although a library within a higher educational institution is not a separate business entity the way a chartered public library is an entity separate from the town or city that sponsors it, for purposes of an academic library's adherence to privacy ethics and laws, it should be considered a stand-alone entity. Information can flow into it, but information should not flow out, even to other departments, unless the flow serves the operational needs of the library, and verifiably goes no further.

This 'one-way flow" for user-associated academic library records is an easy goal to articulate, but in practice, it can be very difficult to assure. As systems within large and small institutions get more integrated in the interests of security and economy, so too is it more difficult to separate one type of information from another. However, when it comes to privacy and library confidentiality, because of the high stakes involving intellectual freedom, academic freedom, and student privacy, extra care and attention is warranted.

The care of the member in submitting this question and describing the careful process they are using is emblematic of the type of care that should be used at all times when safeguarding user confidentiality and privacy at a higher education academic library.

Thank you very much to the member for submitting such a careful question.

RIP, Aaron Schwartz.

[1] I say "led up to" rather than "led to" because while many believe the latter, the facts of the case clearly establish the former.

[2] Found as of November 14, 2021, here: https://www.aaup.org/report/1940-statement-principles-academic-freedom-and-tenure.

[3] I won't mince my words about that requirement: I don't like it. But I am not a member of Congress.

[4] And voluntary. This is why it is very important to read database licenses and to PUSH BACK on clauses that require draconian responses to alleged violations.

[5] By "firewalled," I mean that the vendor never knows the name or other identifying information of the alleged violator.

[6] Unless the student has signed a waiver. Then it can go to whoever has permission.