Policy

Online Library Programming (Any Type of Program)

Submission Date

Question

Our library is arranging more online programming in response to COVID-19 closures and reductions.  What should we be thinking about in making these arrangements?

Answer

Can a library sponsor an online class open to the public?  YES.

There are just a few details to attend to:

1.  The financial details

Libraries do not charge for programming, but can pay others to offer library programming for free, so as the member says, this online program should be open “to anyone.”[1]

The instructor can still be paid, but the payment should come from the library, while the on-line attendees tune into this library program for free. 

The trick in this is to avoid “fiscal hybridization” (with the library hosting and promoting the event, and the instructor getting some payment from some attendees).

 

2.  The online content details

Once your library has confirmed the financial details,[2] there should be complete understanding about the following questions:

Can the library promote the class using the instructor’s name and likeness?

Will the session be recorded?

Who owns the recording?

Will the library be able to use the recording for as long as it wants?

What platforms will the session and recording be hosted on?

Will the recording be put in the collection of the library?

What social media will the session be promoted on?

Will the session use music (that could stop it from being posted some places, like YouTube)?

That’s it, nothing fancy, just some things to have clarity about.

 

3.  The participant details

Once you have the details of the way the class will go “out there,” confirm:

Who is our target audience?

Do they have any particular vulnerabilities?

Do we need to consider ADA access such as captioning?

How will we collect feedback on the programs?

 

4.  The contract details

With all that minutiae settled, here is a template agreement to organize the details.

Of course, as with all template contracts, if you can,[3] have this template customized for your library by your local lawyer or insurance carrier.

ONLINE INSTRUCTION AGREEMENT

 

The [LIBRARY] (“Library”) and [NAME] (“Instructor”), with an address of [ADDRESS], to provide critical health programming at a time of state-wide pandemic emergency, agree as follows:

Instructor will offer classes in ____________ (“__________ Classes”) from [PHYSICAL LOCATION] to Library’s patrons and others via:

[INSERT HOSTING METHOD AND STREAMING SITE(S)]

Classes will be live streamed at [INSERT TIMES, DATES].

The ___________ Classes will have a target audience of those who can benefit from online social gatherings to participate in ___________________.

[in case of activity involving a professional license] Instructor’s professional license was granted by [LICENSING AUTHORITY] and is current; if the license expires or is revoked during the term of this agreement, Instructor will notify Library immediately.

[in case of instruction involving physical activity] To promote safe participation, at the start and end of every class, the screen will read, or the Instructor will say:

[INSERT Instructor’s preferred safety and wellness message; here is a sample that is customized for the times:

[ACTIVITY] is intended as a gentle but serious exercise.  Please consult your physician prior to any physical activity that could impact your health, and only participate within your known abilities.  Please stay safe during this time of social distancing and enjoy our class.]

___________ Classes will be promoted as a free program of the library and Instructor shall not charge individual attendees for these sessions.

Library will pay Instructor _____ per session. 

[OR]

Instructor has agreed to provide this programming on a volunteer basis.

Instructor agrees that no music or other copyrighted work other than content owned or properly licensed to Instructor and Library shall be used during recorded or live-streamed __________ Classes.

Instructor agrees that Library may use their name, likeness, and image when promoting ____________ Classes. Library agrees that Instructor may use its name, likeness, and image when promoting _____________ Classes.

All sessions of __________ will be recorded by [INSERT] and the recording will be jointly owned by Instructor and Library.  This means both parties shall have the right to make copies, distribute in any way, or otherwise use the copyrights to the recordings.

Instructor hereby agrees to hold harmless and indemnify Library for any claim, cause of action, or injury arising from the creation, promotion, and participation in ________ Classes.

Instructor is an independent contractor and no partnership, joint venture, or relationship other than what is in this Agreement is created or implied by this Agreement.

The Parties both understand that this is an agreement during a time of emergency and this contract may be terminated without notice.  Any changes to this contract shall be confirmed via e-mail reflecting clear mutual agreement by the parties.

This agreement is governed by the laws of the State of New York.

 

Signed for Library on _________:_______________________

                                                                        [NAME]

 

Signed for Instructor on _________:_______________________

                                                                        [NAME]

                                                                                               

5.  The assessment details

As with any library program, a live-streamed event is one for the staff to watch, monitor, and assess on a continual basis.  This will allow you to assess if the promotion, the session, and the recordings comply with the Agreement, and to make enhancements based on participant feedback.  It is also another way to limit the risks inherent in the activity. 

Just as critical, though, will be feedback that the class felt accessible, gave good instruction, and had a positive impact.

I wish you many valuable and rewarding online programs.


[1] I also would not have a concern with it being restricted to card-holders within a system, or card-holders registering in advance to participate for free.

[2] The instructor could also do this as a volunteer, but if they do good work, it is nice for them to get paid.

[3] If you can, this template should be reviewed by the lawyer who knows your library best.  But given the current crises and the need to reach people quickly, and the strain on budgets, I appreciate that you might laugh at this footnote.

 

Sexual Harassment Training

Submission Date

Question

Beginning on October 9, employers in NYS are required to make interactive training which meets state outlined minimum standards to their employees to combat sexual harassment in the workplace. As a cooperative public library system which serves a membership of public libraries including those which employ 1-3 staff members, we would like to support our members by providing the training centrally. We have no governing or financial authority over these independent libraries. Their employees are not our employees.

Can we provide training centrally for the employees of member libraries, as long as the training itself meets the minimum training standards?

Do different levels of employees need to be provided with different training sessions, for instance do library staff persons need to be provided a training space free of the library director?

Do trustees serving on library (or any non-profit) board need to participate in this training and if so, do they need their own session?

It is my understanding that training can only be shared if all the institutions have agreed to the state version of the policy AND been given the state created training module. Is that true?

Thank you!

Answer

The member is right: New York State has taken the huge step of requiring ALL employers—whether  they employ one, or one thousand—to train their people to recognize and report sexual harassment and illegal retaliation.

But this training requirement does not stand alone.  Also as part of the amped-up law:

  • All employers must have a sexual harassment policy meeting new content requirements.
  • All employers must have a sexual harassment reporting form meeting new content requirements.
  • All new employees must be trained about the sexual harassment policy within 30 days.
  • Liability now extends to complaints by independent contractors and “gig” workers[1].
  • Sexual Harassment claims cannot be resolved via mandatory arbitration and non-disclosure clauses (with some exceptions).

The resulting need to revise policies, adopt reporting forms, and organize trainings has hit many strategic plans and budgets hard.[2]  Libraries, who always feel budget pressure, are among the not-for-profits feeling the pinch.

Since this law passed along with the budget this spring, I have been counselling clients that this training requirement should not be viewed as simply another unfunded mandate (although it is), but an opportunity.  What kind of opportunity? An opportunity for library leadership to gather and train their valued people to recognize and reject discriminatory behavior right from the start.

But at the end of the day, no matter how worthy the topic, convening personnel and hiring a qualified trainer costs money.  Which brings us to the member’s great questions (underlined below).

First Question: Can we provide training centrally for the employees of member libraries, as long as the training itself meets the minimum training standards?

My answer to this is…Hold on.  Before we talk about resource-sharing, let’s talk about scope:

Trustees, interns, and volunteers should be part of this training.[3]

Why trustees? When a small institution has a concern related to sexual harassment, trustees become front-line decision-makers.  Further, trustees are generally the “supervisors” of directors—and the new law specifically requires that supervisors be trained.  And finally—but most critically—library trustees set the tone for mission and leadership at the library.  You cannot change or evolve a library’s culture without trustee involvement.

Why interns and volunteers?  This new law comes with liability for harassment directed even at “gig” workers.  This liability can be caused by any person acting on behalf of the library—even a volunteer.  So every person[4] who works at the direction of your institution should know this law, and how to work within it, together.

With that scope of attendance in mind, based on the guidance from the state thus far[5], if the policy and reporting form track the model policies provided by the state: my answer is YES.

Second Question: Do different levels of employees need to be provided with different training sessions, for instance do library staff persons need to be provided a training space free of the library director?

NO! In fact, I believe a library would lose much of the value of the sessions if it did so.

Why is that?  While the stark requirement of the policy is to review the law, a side benefit of such a training is creating an esprit de corps for combatting bad behavior together.   That can best happen if each level of authority—from trustee, to supervisor, to employee to intern or volunteer—hears and honors the obligations of the other.[6]

If the different authority levels are balkanized into different trainings, a valuable opportunity to build trust and accountability in service to the library’s mission of equal access is lost.

 

Third Question: Do trustees serving on a library (or any non-profit) board need to participate in this training and if so, do they need their own session?

The new law does not mention training trustees or directors specifically[7].  But since boards generally supervise the Director or Executive Director, and are responsible for a library’s legal compliance in all matters, it is my conclusion that library trustees must be trained. 

And—although my comments above recommend against it—they can be trained separately.[8]

There is a related area, however, where separate training might be appropriate and warranted.  In this day and age, governing boards should know: 1) the library’s insurance coverage for sexual harassment/discrimination claims, 2) the procedure for notifying the insurance carrier of a claim, and 3) how and when to call in a third-party investigator to look into a complaint.  Having trustees aware of these things, before a mandatory training under the new law, would be optimal.

 

Fourth Question: It is my understanding that training can only be shared if all the institutions have agreed to the state version of the policy AND been given the state-created training module. Is that true?

Let’s start this answer with what a library is looking for when arranging the required training—a required element of which is a live, in-person trainer that attendees can ask questions of.

What does the library need from this trainer?  At bare minimum, the trainer needs to provide a session that meets the requirements of the law.  Therefore, my guidance to those arranging trainings for a single entity is that the contract or hire letter contain assurance such as:

On [DATE/S], [PROVIDER] will provide [SINGLE INSTITUTION] with an interactive session based on the State of New York’s “Model Sexual Harassment Prevention Training” guidance and [Institution’s] Sexual Harassment Policy and Reporting Form.  When the training is complete, trainer will certify that all elements for sexual harassment trainings required by applicable NYDOL and NYDHR guidance, and the laws of New York, have been met.

For a multi-institution training organized by a membership alliance or network, I suggest that the contract or hire letter contain some extra details, such as:

On [DATE], [Provider] will provide [Institution]’s members with an interactive session based on the State of New York’s “Model Sexual Harassment Prevention Training” guidance and [Institution’s] Sexual Harassment Policy and Reporting Form.  When the training is complete, trainer will certify to each institution that all elements required by applicable NYDOL and NYDHR guidance, and the laws of New York, have been met.

As this is a multi-institutional training, to enable certification for each attending institution, the following practices will be observed:

  • Registration must be complete no more than [one week] before the session.
  • [Institution] must provide trainer with a copy of each participating institution’s sexual harassment policy and reporting forms, no later than [one week] before the session.
  • Each attendee shall register and sign in on a form that notes if they have a supervisory role.
  • When signing in, each attendee shall be given a copy of their institution’s sexual harassment policy and reporting form, and shall sign to acknowledge receipt.
  • When signing in, each attendee shall be given a name tag that notes their institution, and if they are a supervisor.
  • During the training, each attendee shall be addressed by name and given at least one opportunity to role-play or rehearse recognizing or reporting harassment or retaliation.

Attendance is limited to 5 institutions, 60 attendees.[9]

I based this guidance on what will no doubt be the next chapter in this legal saga: allegations of liability due to failure to properly update policies and train personnel. 

The “certification” approach I am suggesting above is not required by the new law.  Rather, it is designed to help your members, or your institution, create a record that will easily demonstrate that they endeavored to follow that law.  It is designed to show that, even if a system or group had to share resources and do a mass training, a truly interactive and meaningful experience was intended.  This is a key element of limiting liability.[10]

 

Conclusion

Of course, in a perfect world, people attend sexual harassment trainings not only to limit liability and because they are compelled to, but to learn how to ensure such behavior is rare, quickly called out, and immediately corrected.

The importance of such training cannot be over-stated.  When I was a 16-year-old page at a public library in the 1990’s, I was harassed by a patron.  I was too young and inexperienced to know my rights, or what to do.  Fortunately, I had the good luck to be on shift with an amazing assistant director[11].   When the bad behavior started, this graceful woman walked over to the patron, and simply said, “This has to stop now.”  And despite his displeasure, it did.[12]

Many decades later, her unambiguous, dignified, and immediate action inspires me, as I hope it does you.

Done right, these mandatory trainings are an opportunity for your library’s team to practice this type of skillful handling.  It is also a chance for supervising staff--who now have the term “mandatory reporter” in their job descriptions—to be assured that they are supported and backed up by informed and committed trustees. 

Finding ways to collaborate and share resources to make such training and practice as accessible and rewarding as possible is a great initiative.  Thank you for this excellent array of questions.


[1] Uber drivers who transport your interlibrary loans, for example.

[2] The State’s late issuance of required guidance—released less than 2 months before the effective date—didn’t help, either.

[3] I know, that’s not really the question.  But this is very, very important.

[4] Yes, some of those volunteers might be very young!  It will be the job of your trainer to train your employees both well, and appropriately.

[5] September 26, 2018. As I write this, they are assessing thousands of public comments—including some submitted by me—and that may change the basis of my advice.  So if you are reading this in 2019, please check for updates.

[6] Just so you know, “my firm belief” is based on years of conducting anti-discrimination trainings, ten years as an in-house counsel at a university, and time as an Interim HR Director.  I am not just going with my gut here.

[7] Nor does the current model policy, report form, or training materials. Considering that New York is a hive of corporations, this void is rather mind-boggling, but these State resources were compiled with haste.  I imagine this will be addressed in later versions.

[9] Or some other reasonable number.  This is just a recommendation.  Basically, you don’t want the number of institutions or attendees to make the “interactive” requirement arguably meaningless.

[10] But by no means the only element.  The most important one will be following the new law, and documenting that you are following it!

[11] Bernice Cosgrove. 

[12] The patron was quite upset.  In retrospect, he may have had some mental health concerns.  These matters often come with complications that require tact, diplomacy, and compassion.

 

Printing

Submission Date

Question

The director of the college print shop has come to me for copyright assistance. Our faculty often ask for photocopies of materials for distribution to students in class. She asks the faculty member if they have the appropriate permissions for making copies but is not always convinced by their answers. Is there any form she can ask faculty to sign attesting to their right to reproduce the materials that will protect the college in the case of copyright infringement? Thank you!

Answer

This question seems simple, but it actually involves some high-end concepts of business law and liability.[1]

Most libraries, museums, theaters, and other units within large institutions are actually part of the same entity.  In other words, although they may have a distinct identity within their institution (“The Michael Library,” “The Peter Museum,” or “the Catherine Gym”), there is only one actual legal entity (“Romanov College”).

Many people find these niceties hard to grasp, but here is why it is important: in this scenario, the single entity (the college) includes the on-campus copy shop.  This means that what the shop does, the entity does…including alleged infringement.[2]

This same unity generally applies to employees, too.  In a body of law called “Master and Servant,”[3] if an employee is performing a task related to their job, and not deliberately violating employer policy or the law,  for purposes of the legal system, the employee’s actions will generally[4] be imputed to the institution. 

This is why institutions are best served in this area by educating their employees about copyright, and documenting the employees’ good-faith efforts[5] to abide by the law (it is also why many HR manuals have warnings about the consequences of not following policy: it limits the institution’s ability to protect you).

This puts a lot of pressure on the employees staffing the in-house copy shop. What are their responsibilities?  Do they need to educate their co-workers on copyright risk?  Are they expected to protect the entire college?  Each institution has different policies and job descriptions that answer those questions differently.

That said, is there a simple approach that can help with this?  Yes.  For the in-house copy shop (NOT for an on-campus contractor), below is a framework to address copyright priorities with diplomacy, tact, and helpfulness.  It is designed to be used with an institution’s “Fair Use Assessment” form, and to route people to the person responsible for permissions at your institution.[6]

NOTE:  All that said, any copyright-related form not custom-designed for your organization should be reviewed for cohesion and consistency with other institutional policies, including those in the employee manual.  Never use any copyright-related form without considering your institution’s unique needs and approach to copyright and liability!  If your institution has an in-house lawyer, compliance officer, risk manager, or insurance carrier, make sure they are part of finalizing any such form or solution. 

[INSTITUTION NAME] COPY SHOP COPYRIGHT HELPER

Hello!  Thank you for coming to the [INSTITUTION NAME] copy shop to arrange duplication of your class materials.

As an instructor who generates your own copyright-protected material, you know the value of copyrights to others, and you know there are penalties for improper, unauthorized duplication.

Please follow the process below.  When you check “yes” to 1 or 3, we are happy to assist you with your copies!

1. Do you have written permission from the copyright holder or their agent to make copies?

  • Yes
  • No

If “yes,” attach the permission, and let’s get copying!

If “no,” please move to question 2.

2.  Do you have verbal permission from the copyright holder or their agent to make copies?

  • Yes
  • No

If “yes,” please confirm the permission in writing, return to us and check “yes,” above, and we’ll get right on this for you!

If “no,” please move to question 3.

3.  Do you regard this copy as a fair use?

  • Yes
  • No

If “yes,” please fill out the attached [INSTITUTION NAME] fair use assessment form, and we’ll get your copies made!

If “no,” or “I don’t know,” please move to question #4.

4.  Do you find this process frustrating and need help arranging permission to use this material, or more input on fair use?

  • Yes
  • No

If “yes,” please see XXXX at OFFICE LOCATION, who assists with permissions at INSTITUTION NAME.  You can also call them at NUMBER or reach them at EMAIL.  We hope to see you again soon!

DATE:___________________________

SIGNATURE:___________________________

PRINT NAME:______________________________

MATERIALS (Title, number of pages):_______________________________

 


[1] Fun!

[2] This is one of the reasons many institutions opt to host a separate company for on-campus duplication services.

[3] I know!  The law needs to move on.  Perhaps “Captain” and “team member” can replace this.

[4] That said, never assume that is the case!  Every allegation of liability must be carefully reviewed by a lawyer, as there are many exceptions and precise formulas that control such things.

[5] Demonstrable, good-faith effort to abide by the law can actually limit damages when copyright infringement is attributable to a not-for-profit education institution.

[6] If you don’t have either or one of these, share this RAQ with the decision-maker at your institution who could make that happen.  Both the form, and a person who can facilitate permissions, are worthwhile risk management investments.

 

Librarians & Infringement Claims

Submission Date

Question

We are finding that librarians within larger institutions (like colleges and museums) are the go-to resource for copyright questions, which could also include institutional copyright concerns.  What should a librarian do if the "question" they are presented with is really an allegation of copyright infringement?

Answer

“Ask The Lawyer” has touched on this topic a bit before.  In our 9/19/17 RAQ post “Skating the Line Between Helpful Information and Legal Advice,” we discussed the risks posed when patrons and co-workers confuse the helpful attitude and boundless information provided by librarians with legal services. 

The bottom line from that guidance was:

When [asked for legal advice], librarians must emphasize the boundary between good service and legal advice.  Here is a formula for that:

I [the librarian] provide access to library materials based on the law and policy of my profession and institution; you [the user] should consult your own attorney regarding any legal concerns about your use of the materials being provided.

The current question takes this issue one step further: what if, when asked to play this front-lines role, the librarian is alerted to a potential claim of infringement against their institution?

Here are a few examples of how this can emerge:

Coach to librarian:  “I thought I would check with you…this guy called us and said we used his photo of the volleyball team on fliers without his permission.  But we’re not-for-profit, so copyright doesn’t apply, right?”

Curator to librarian: “We used a photo of the artist to promote the current installation on Facebook and some photographer is claiming we need a license?  But the artist said it was okay!”

HR Director to librarian: “You are our go-to on copyright.  This person says they generated it on their own time, but we own everything our employees create on our computers, right?”

Sound familiar?[1]

Before anything else, it is important to say: many institutions have an established protocol for handling ANY threat of litigation, be it copyright infringement, slip-and-fall, or breach of contract.  So first and foremost, librarians at larger institutions should know their institution’s policy or procedure for when a lawsuit is threatened.[2]  The risk manager, business manager, in-house legal counsel, or the employee who coordinates insurance coverage is often the point person for this. 

When your institution has such a protocol, the reply to questions that reveal a threatened claim of infringement should be “That sounds like it could be a claim of copyright infringement.  You should refer that to XXX, who handles claims.”  And whether or not the inquirer follows through, to protect both the librarian and the institution, the librarian should then e-mail XXX to say “Today I referred Coach/Curator/HR Director to you, as they were contacted by someone who might have a legal claim.”  This makes sure the legal hot potato doesn’t stop at the library, even if the other employee doesn’t follow through.

Of course, not every place will have an XXX, and not every person will seek advice the moment the threat of a claim arises.  Here are some alternate versions of our three scenarios:

Coach to librarian:  “This guy called us about three months ago and said we used his photo of the volleyball team on fliers without his permission.  We also put it on t-shirts.  Can you look at this “cease and desist” letter?”

Curator to librarian: “Remember that awesome installation?  Well, I’m forwarding you some emails between me, the artist, and his photographer.  They say we owe like $2,000.00 in licensing fees, but it’s fair use, right?”

HR Director to librarian: “I need to send this letter about work-for-hire, can you review?”[3]

In these scenarios, institutional debate or engagement with the claimant is well under way.  Even though things might be further along, and tempers hotter, the priority is still to end the engagement and get the matter in the right hands as soon as possible.  So, even if your institution doesn’t have an XXX, and the situation arrives at your door a little more “hot,” the best thing to say to your co-worker is: “This sounds like a legal matter.  We need to connect you with our attorney.”

If your co-worker has been so kind as to refer the (often angry) claimant to you without warning, and you are now on the phone with them, it is generally wise to:

1.  Listen, and make notes of what the claimant is saying.

2.  DO NOT ARGUE, DEBATE, or SUPPLY INFORMATION.

3.  Use your customer service skills to simply say “This sounds very important.  I have made a note, and will make sure someone gets back to you by [date].”

4.  When arranging appropriate follow-up, minimize internal e-mail discussion, which could become discoverable evidence.  Remember, the back-and-forth the employees engage in, unless it involves an attorney providing legal advice, is not subject to attorney-client privilege.

5.  Get that legal hot potato to your attorney or insurance carrier and get out!

I realize that budgets are tight in the not-for-profit world, and not everyone has an attorney in-house or on call.  This is where your insurance carrier could be a key player.  Most bigger institutions have some form of coverage that addresses copyright.  Your carrier does not want you to spend time arguing with a claimant, generating potentially damaging evidence!  So in the absence of a lawyer, your insurance liaison and carrier (who will use a lawyer) might give your institution a place to send the “hot potato.”

The bottom line: every institution has a slightly different way it approaches litigation risk[4], but every institution should have an established way.  Making sure library staff are aware of and comfortable with their institution’s protocols, and are supported in those protocols by trustees, officers and key personnel[5], are the keys to this issue.  The statutory damages and mandatory attorneys’ fees often involved in copyright litigation make this a high risk management priority.

Librarians should be on the front lines of information access and fair use, but not the first line of defense for copyright litigation.  Hopefully your institution appreciates this critical distinction, and supports it.

Or there’s always law school….


[1] I am sorry if any of these fictional scenarios have triggered stressful memories.

[2] If there isn’t one, I pose an alternative in a few paragraphs, but in most instances, there is.

[3] See the helpful script in paragraph two to remind people you are not a lawyer.

[4] Some alert carriers right away, others are wary of having a high claim number.  Some carriers want to know the moment there is even a HINT of a claim.  This is something the person responsible for insurance will know.

[5] I am writing this guidance to be shared with such stakeholders, if it can be helpful.

 

Posting Patron Images on Facebook; When is an image release required?

Submission Date

Question

Are libraries legally required to obtain photo releases from all patrons (children's parents, teens, adults), even if we don't name those patrons before publishing photos to our social media accounts and/or press releases?

Answer

This is a huge question.  To answer it, let’s start with where the mania over image releases comes from.

New York Civil Rights Law, §50, states:

A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, is guilty of a misdemeanor.

In this age where every “click” and post is potentially monetized (and thus “advertising”), this rule is tough to advise on.  If I post a picture of my sister on Facebook, and her smiling face helps Facebook get attention for a sidebar advertisement, can she fulfill a threat made back in 1987 to get me in “sooooooooo much trouble?”  Not quite.  But if I create an ad for an event to be held at my law firm, and I use someone’s image without permission, that could be problematic.

The next layer of concern could come from Facebook itself.  As they say in their “Terms,” users may not:

do or share anything:

  • That violates these Terms, our Community Standards, and other terms and policies that apply to your use of Facebook.
  • That is unlawful, misleading, discriminatory or fraudulent.
  • That infringes or violates someone else's rights.

[emphasis added].

So, if my sister alleges that I have “violated her rights,” by posting her picture, am I risking my Facebook account, too?

A lot of this comes down to how Civil Rights Law §50 is being applied these days.  As of this writing, I did not find any case law where simply posting an image to Facebook violated §50.  Further, recent case law gives insight into what the courts will consider to be “advertising.”

“Under Court of Appeals precedent, the statute is to be narrowly construed and strictly limited to nonconsensual commercial appropriations of the name, portrait, or picture of a living person. A use for advertising purposes has been defined as a use in, or as part of, an advertisement or solicitation for patronage.” [1]

This sounds helpful, until you start thinking that, in the world of Facebook, everything is only one degree from being an advertisement.  So how does a library post photos of patrons using their library without losing sleep at night?

The 2013 case of Leviston v. Jackson is instructive.  In Leviston, a woman sued the rapper 50 Cent for posting a sex tape (not made for commercial use) featuring her on his unmonetized web site.  During his testimony, 50 Cent stated that he posted the video to antagonize an opponent in a rap war.  He also admitted that rap wars are conducted in part to test the mettle of different rappers, and to bring attention to the combatants.  The judge, seizing on this admission that rap wars are in part for “attention” (of the commercial variety), refused to dismiss the Plaintiff’s claim.

So, if your public library is at war with the association library across town, or fighting a budget battle, and you would like to post pictures of patrons claiming “Our Books Are Bigger!” your library should get written image releases.  If, however, your not-for-profit library is simply publicizing “new hours!”, the person whose image you use would have a very weak claim (if they had a claim at all).

That said, in general, it is a good practice for libraries to get image releases whenever possible.  First, you never know when you might snap the perfect picture to illustrate why a new resource or a bigger budget would really help your mission.  Second, asking for permission to use a person’s image will emphasize your library’s respect for personal privacy and patron confidentiality.  And finally, by memorializing permission to use an image, you reinforce the patron’s connection to the library…and generate a great record for the archivist who will be trying to catalog your photos in 2118!

Thank you for your question.


[1] Leviston v. Jackson.

 

Poetry on display

Submission Date

Question

I am working with an artist on a future display at our library. He is a regionally known professional artist. He is working on an engraving that makes use of a short poem by a deceased, well-known poet. He has learned that the poem is still under copyright and that the poet’s estate is active, but believes that unless it gets renewed, the poem should be in the public domain by the end of the year. If the exhibition is to be before that time, should he apply for permission to use it? If so, is that likely to be expensive?

Answer

This is a great question, since it shows how libraries not only provide access to information, but serve as patrons for the arts.  This nurtures local culture, spurs community creativity, and brings special attention to a library.

As the member points out, though, this role also comes with its own set of legal issues, including copyright concerns.

“Ask the Lawyer” was created to provide practical guidance and tips to libraries, museums and archives on the front lines of culture.  So, while there are many excellent treatises out there on copyright, fair use, contributory infringement, estate law, and contract law—all of which are showcased in this question—rather than wax philosophical, this answer will try, above all, to be useful to a librarian as they work with their community to nurture new art. 

With that in mind, here is a checklist flowchart of “red flag” issues, and potential solutions, to help you find the smoothest legal road for bringing custom art to your library.

Bringing Custom Art to Your Library

Contract Development Flow Chart

Step 1: Establish the vision and shared goals for the project

Work with the artist[1] to develop a careful description of the project.

  • What media is it in? 
  • What is the title?
  • Is the artist ready to provide contract assurances about copyright, image rights, or trademark?

NOTE:  In other words, is the artist considering any permission they might need, or fair use they need to make?  In this exercise, they should rely on their own lawyer (sometimes provided pro bono by an arts organization), and never on input from the library.

  • What is the location of the display?
  • Will the library promote the work through a special event?
  • Will there be special conditions to prevent wear and tear?
  • Are any library employees assisting with the production and/or installation?
  • Is this project wholly or partially funded by a grant?  If so, does the grant have any special requirements?
  • Confirm the artist’s name, address, and if relevant, get their 1099 form.
  • Every project is unique; what special considerations does this one have?

NOTE:  All discussions should make it clear that until a formal written agreement is reached, discussions are just speculative, and not a contract for services.

Step 2: Establish how it is being paid for

  • Make sure all the financial details are clear.
  • Who is paying for supplies?
  • Is the artist being compensated?
    • If so, how much?
    •  When are the payments to be?  Are they tied to project progress or completion?

NOTE:  If the artist is being paid (and they should be), or is selling anything based on the end result, and the materials are not becoming part of the library (like a mural or a custom Narnia-inspired wardrobe that is actually a built-in bookcase), the library should not purchase the materials…but the artist can factor the cost into the final price.[2]

Step 3: Establish ownership

This step controls a lot of the latter considerations.

  • Is the library to be a co-author or co-owner of the work?

NOTE:  If the answer is “yes,” a plan for jointly managing the asset should be developed.  Generally, to avoid this complication, you want the answer to be “no.”

  • Who will own the physical object?
  • Who will own the copyright(s)?
  • If the library won’t own the copyrights, what permission does it have to duplicate or use the work?  (examples include: put a copy on the website, make fund-raising t-shirts, display it in a window, digitization and inclusion in online archive, or any use the library wants).
  • Will the author be using an alternative form of copyright licensing (like Creative Commons) to ensure community access to the work?

Step 4: Establish clear boundaries

This can help avoid confusion and stress later.

  • Whose workspace is being used to create the work?
  • What support is the library providing during creation?

NOTE:  “Nothing except moral support” is a great answer.

  • Who is transporting the work to the library?
  • If it requires installation or hanging, who is doing that?
  • What are the mutually-agreed methods of promoting the work, and what methods (if any) are forbidden?  For example, some libraries might encourage promotion via Facebook, while others might regard that as less than desirable.

Step 5: Confirm critical responsibilities

  • When is the work to be completed by?
  • When is payment due?
  • Who is responsible for securing any necessary copyright permission or image rights?

NOTE:  Unless you are co-authors on an exciting joint venture with a very well-developed contract and express insurance provisions, clearance and permissions should never be done by your library.  Further, when you develop a final agreement for the work, it should contain a clause stating that the artist is the sole author of the work, the artist is responsible for obtaining necessary permissions, that all necessary permissions have been secured, and that the artist will hold harmless, indemnify, and defend the library (and its trustees, employees and volunteers) in the event a third party claims the work is infringing any copyright, trade mark, image right, or right to privacy.

  • Who is responsible for organizing any promotional events?
  • Who is responsible for damage to the work during display at the library?
  • Who is removing the work from the library when complete?

Step 6: Protect the library!

You can tell by the questions on the worksheet that my final guidance is this: when developing a public art project, be picky about the details, and turn them into a good contract.

Because there are too many variables amongst the libraries (public libraries, college/university libraries, hospital and prison libraries, museums, private archives), I cannot offer a standard template for this.  A public library is in a different place than a library within a college or museum; they all live in different regulatory universes, have different vulnerabilities, and have different rules and obligations.  This is why simply “borrowing” a template from another institution is often a bad idea.

However, I can say that any good contract will address the above-raised issues, and if you have used this worksheet in advance, assembling such a contract will be easier.

Step 7: Promote Culture, Enjoy Art

I know: nothing kills inspiration faster than the word “indemnification.”  This worksheet brings up a lot of messy details that, if brought up at the wrong time, can hamper creativity. 

But I have found that addressing these details early actually helps a project move forward.  It gives the library and the artist clarity about their roles.  It gives the security of assurance about vital details.  Most importantly, by inspiring forethought about possible impediments, it makes challenging projects possible.

So revel in the details, make room on the walls, and let the art flow!


[1] You’ll see that throughout this checklist I also refer to the artist as the “author.”  The copyright law uses “author” as a catch-all term for the creator, whether they are a writer, photographer, sculptor, etc…

[2] I know, if the library can buy the materials, they’re tax free!  But both the state of NY and the IRS are pretty clear on this.

 

The Library of Things (and Bikes)

Submission Date

Question

We are planning on installing a bike rack for our community members. With it begs the question, should we also loan bicycles? Many libraries already do. Here is but one example: http://cpl.prl.ab.ca/about-us/policies/bike-borrowing-agreement. My question is, as long as you have a policy in place, and the borrower signs the agreement, are all injuries waived once off your property? Is it really as simple as that? Please help me identify any worst case scenario possibilities that I should be prepared for.

Answer

From tools, to bikes, to digital printers, an increasing number of libraries are providing access to more than information. 

I imagine someone has named this phenomenon, but I got a J.D., not an MLS, so I couldn’t find its overall name.  Therefore, I call it “The Library of Things.”  [1]

Joining “The Library of Things” signals a sea change in the identity of a library.  It expands its lending model beyond information (books, media, data) to capability (printers, kayaks, cameras).  It converts a community asset from a place of intellectual access to a source of physical action and production.

This combined role is re-framing community awareness of libraries.  But whether it’s called a “makerspace,” or a “tool library” or simply a “3D printer,” these resources are challenging traditional library laws and ethics governing access, liability, and patron privacy.[2]  The member’s question is a perfect example of the complications that brings.

What complications?  The “Library of Things” is not simply about accessing assets, but using them, applying them, and sometimes, riding them.  Most library law (parts of the education law, CPLR 4509, a robust array of civil rights jurisprudence, and a body of case law regarding library operations) is built around the premise that a library’s mission to provide access to information must be safeguarded at all costs.  But that jurisprudence is largely silent on the issues posed by using equipment to take action or produce something.  That function, while important, is not enshrined in the law.  Prediction: the Library of Things will soon start testing the conventions of libraries’ legal status quo.

But let’s get down to the brass tacks (or the greased chains).  What about the bikes?

Regarding the member’s precise question (“…as long as you have a policy in place, and the borrower signs the agreement, are all injuries waived once off your property? Is it really as simple as that?”), the answer is “no.”  The liability for lending equipment is as varied as the disclaimers and warranties that equipment comes with, and in general, a simple policy and waiver are not the only things needed to anticipate risk and reduce liability.  So how does a library do it?

First (and I cannot say this enough): no library should contemplate the loan of functional equipment without thoroughly considering the risks and conditions of that equipment’s use.  The member’s question says it all: Please help me identify any worst case scenario possibilities that I should be prepared for.

When it comes to lending bikes, here is an initial laundry list of “worst case scenario” thinking:

  • Will the library require helmets?
  • Will the library then provide helmets?
  • Can minors under 18 borrow them?
  • Can children under 14 borrow them?
  • Will the library provide information about the rules of the road?
  • Will the library require a safety demo before the first ride?
  • Has the library picked a demonstrably safe model of bike?  Is that model safe for all sizes?
  • Does it have all the required reflectors and bell?
  • Who will verify ridable condition before lending?
  • Who will deal with flats, rusty chains, and brakes?
  • How will the library respond to notice of an injury?
  • How will the library deter theft?
  • Who will own the bikes?
  • Who is providing insurance for every worst-case scenario?

Don’t worry…there are many ways to address the risks these questions highlight.  One solution, which can greatly ease the burden on a library, is to have the liability assumed (and insurance provided) by a third party through a rental contract.  With that approach, rather than accession the bikes, the library picks up the fee (rather like paying for access to a database), and the patrons, following an established policy, check the bikes out on their card.  In such an arrangement, the library’s contract, the underlying policies, and the agreement signed by the patron, could be drafted to promote safety and to shift the liabilities away from the library…an arrangement that must be confirmed by the right combination of contract provisions and proof of insurance.[3]

Second: no library should contemplate the loan of functional equipment without thoroughly considering the unique nature of their library.  Is the library a public institution?  Is it affiliated with a larger organization?  What are the limits of its insurance?[4]  Are there physical hazards near it that warrant enhanced care?  If your public library is at the top of a steep hill with a railroad crossing at the bottom, it should not use the same bike loan policy as the college library in the flat town with no CSX line.

Third (but in many ways, first): Is the contemplated asset critical to the mission of the library?  Is fulfilling the patron need for this equipment consistent with the library’s strategic plan and goals?  If the answers are “yes,” then addressing the first two questions should be easier, since clearly the identified risks and complications will be worth it.  If bikes with baskets help fulfill the mission to deliver books to the senior center, then bikes with baskets it is.

And finally, there are ancillary considerations.  Is the loan of equipment a “circulation record” subject to privacy laws?  Is the service as accessible as possible per ADA?  Do you need to follow a procurement policy when seeking a third-party bike provider or a purchase source? 

When developing a bike loan program, it’s essential to consider:

  • New York Vehicle and Traffic Law (“VTL”) 1236 requires that a bike have a bell (and expressly NOT a siren or whistle);
  • If ridden from dusk to dawn, a bike must have reflectors meeting the specs in 16 CFR 1512.16 (by law, all new bikes in the U.S.A. meet this standard);
  • Children under 14 must wear a helmet (NYS VTL 1238) (your insurance carrier might require ALL riders to wear a helmet);
  • It is a violation-level offense for a person over 18 to leave the scene of a bike crash causing MINOR injury to another without calling law enforcement (VTL 1240);
  • It is a B misdemeanor for a person over 18 to leave the scene of a bike crash causing MAJOR injury to another without calling law enforcement (VTL 1241);
  • Your insurance carrier will probably want to know about any injuries;
  • VTL 374 bars riding while listening to more than one earphone (no books on tape while riding); 
  • VTL 1235 bars carrying something that prevents keeping at least one arm on the handlebars (limit how many books your patrons are carrying home!).

That’s a lot, but there are resources to help you.  The library’s insurance carrier should be consulted at the outset.  The NY Department of Transportation maintains a list of current bike laws.  There is an array of groups that offer free safety training, and many civic organizations offer free helmets.  If possible, a third-party vendor is the way to go, since it can help limit the library’s liability.  Liability waivers should be custom-drafted to fit your library and the precise arrangements it has made for the bikes, but drafting your waiver should be the last step, after you’ve made your decisions about safety and conditions.

With a little coordination, you can address all the bells (but by law, leave off the whistles).

There’s a lot to wade through, but one thing is clear: libraries are evolving.  This means that with a few fits and starts, the law will evolve with them.  So once your organization decides to join the Library of Things, know the assets, know your library, stick to your mission, and roll with it. 

With the right planning, it’s as easy as riding a—

(Couldn’t resist).


[1] I invented this term as I wrote.  During editing, my husband (who does have a library degree) checked “Library of Things,” and found that it’s been in use for quite a while.  So I got to think I was clever for about 2 hours.

[2] I’m not a historian, either, but I really do think this change is significant.  Think about it: Ben Franklin, who founded this continent’s first formal lending library, was a printer.  But did that library give members free access to a printing press?  Or a candle mold? Lending things has not been baked into the model. 

[3] These documents should be reviewed by the library’s lawyer.  It doesn’t hurt to have them reviewed by the library’s liability insurance carrier, too.

[4] For instance, Camrose, AB, the library in the member’s question, is in Canada, a country with a markedly different approach to risk and health issues.

Defamation and Adding Defamatory Content to Collections

Submission Date

Question

Can a library be sued for defamation for adding defamatory content to its collection?

Answer

As I work on “Ask the Lawyer,” one of the core concepts I keep in mind is a library’s unbiased commitment to provide information.  As set out in the ALA Policy Manual’s “Library Bill of Rights”:

Books and other library resources should be provided for the interest, information, and enlightenment of all people of the community the library serves. Materials should not be excluded because of the origin, background, or views of those contributing to their creation.

This commitment is backed up by section B.2.1.1 of the ALA’s Manual:

[I]t is the responsibility of every library to have a clearly defined written policy for collection development that includes a procedure for review of challenged resources.

Every library professional I have ever met takes these commitments seriously—even when adhering to them makes things complicated or messy. But what if the “origin, background, or views” of materials provided represent an alleged attack on another?  Could the library face liability?

Let’s take a hypothetical: a new documentary called “Burgerworldwide,” alleges that the (fictional[1]) franchise “Burgerworld,” is not only making people morbidly obese, but is engaged in an international conspiracy to fix meat prices.  The local library, which has a robust collection of health-related documentaries, adds a copy of “Burgerworldwide” to its DVD collection.  The local Burgerworld franchisee, who is not only a prominent local citizen, but very active in local politics (and friends with several members of the library’s board), takes offense.  Could the library face liability?

In New York, wrongly accusing a person (or company) of a crime they did not commit can be grounds for a defamation claim.  However, for a library to be found liable for such a claim it would have to repeat, independently and of its own volition, the erroneous accusation.  "[U]nder New York law, 'all who take part in the procurement, composition and publication of a libel are responsible in law and equally so.'" [2]

Simply owning and lending a movie (or book) does not meet this test.  I found no case law showing that a library acting simply as the owner and distributor/lender of information, has ever been found liable for defamation in New York. 

Given that, a defamation claim would only be actionable if the library (whether or not it adds the documentary to its catalog) promoted or discussed the movie in a way that independently and knowingly renewed a false accusation of the alleged criminal activity.  To go back to our “Burgerworld” example: if library staff made a short recording of themselves eating Burgerworld products while saying “Our local franchise is criminally fixing prices…we can prove it!”[3] and then put the recording on Facebook, that could serve as a basis for a claim[4] (note: having a basis to make a claim is not the same as winning the claim).

In my hypothetical, a more likely scenario than a threat of a lawsuit would be attempted pressure on the library’s fiduciaries (trustees, board members, ED) by the local franchise owner to have the library remove the movie from its catalog.  This is why training for trustees, and referring to the established guidance for library leaders, is critical.  By consistently following its clearly defined written policies for collection development—including its procedure for review of challenged resources—a library can protect itself when acquiring and promoting access to potentially inflammatory material.

Isn’t it nice when a commitment to library values also protects a function critical to a democratic society?


[1] Yes, this title was inspired by Weird Al’s video, “Fat,” as well as the place of employment of “Beavis & Butthead.” I am a fan. 

[2] Treppel, 2005 U.S. Dist. LEXIS 18511, 2005 WL 2086339, at *3 (quoting Brown v. Mack, 185 Misc. 368, 56 N.Y.S.2d 910, 916 (N.Y. Sup. Ct., Kings Cnty. 1945)); see also Conte v. Newsday, Inc., 703 F. Supp. 2d 126, 147 n.19 (E.D.N.Y. 2010) (same). 

[3] I know none of you would do this, and I trust that your accession policies contemplate the responsible sourcing of non-fiction material.

[4] Remember, any time your institution is threatened with legal action (even if groundless), before making a response, it is best to alert your attorney, alert your fiduciaries, and just as critically, alert your insurance carrier.

Video and photography of students in an academic library

Submission Date

Question

[I work at the library of a public university.] Every year we have requests from students in the Media Arts program to videotape in the library. They ask me to grant permission. I do not feel comfortable granting permission for others to be filmed.

Do students in the library have a right of privacy that would prohibit filming them as they go about their normal business in the library?

We would like to have a written policy.

The images would not be used for commercial purposes, just as an academic assignment.

Answer

When this question landed on my desk, I had recently watched a viral video[1] on YouTube about how some people have no "inner monologue".

The video explained, in plain and accessible terms, that there are people who, rather than internally narrate their world, don't have constant chatter in their heads.  They don't have an "inner voice."  Rather, their brains "map" their reactions to the world, and those reactions are only put into words through vocalization.

The reason the video went viral is because for those of us with a strong inner monologue, the idea of living without one was mind-blowing.

My brain was still wrestling with this concept ("You mean there is no narrator in your head?  None??"), when I read the member's question.

And when the question hit my brain, just like that, I got it.

When I read this question, I didn't hear the words, but I saw the answer.  I couldn't articulate it, but it was there: a Venn Diagram of overlapping legal concerns,[2] "mapped out" in my head, just like the video described: CPLR 4509; FERPA; NYS Image Rights Law.

Only after I had mapped out that diagram in my head could I unpack the details and start to compose.

So, before we delve into the question, I want to thank the member for inspiring a bit of neuro-diverse-empathy in yours truly.  Our brains are endless mysteries; it's good to occasionally see ourselves differently.

And with that, here is my "(Academic) Library Right to Privacy Venn Diagram," unpacked and articulated, and, per the member's request, set out in a "Policy" format, ready to customize for your academic library.

(NOTE: Why are there TWO policy templates?  Because people may have a context-specific first amendment right to film in a public library or the library at a state university, while at a private academic library, only the rules of the institution will apply):

[PRIVATE COLLEGE/UNIVERSITY NAME] Policy on Academic Library Privacy

 

Related Policies:

 

[FERPA Compliance Policy,

Student Code of Conduct,

Employee Handbook,

Patron Code of Conduct,

Campus Guest Policy,

Institutions' Data Security Policy]

 

Version: DRAFT FOR CUSTOMIZATION

Passed on:  DATE

Positions responsible for compliance

FOR USE IN PRIVATE COLLEGES AND UNIVERSITIES

POLICY

The state of New York provides that library records containing personally identifying details regarding the users of college and university libraries ("Patron Records") shall be confidential, except to the extent necessary for the proper operation of the library.

To safeguard this right, the [NAME] library will observe the below protocols.

No Patron Records, including but not limited to circulation records, computer searches, information requests, inter-library loan requests, or duplication requests, shall be disclosed, unless 1) upon request or consent of the user; or 2) pursuant to subpoena, court order, or where otherwise required by statute.

The use of security footage showing access to library resources (computers, collection materials, duplication technology) is considered to be a Patron Record.  NOTE: As authorized by law, the Library may release such records incident to promoting proper operation of the library.

No recording of library users by any third parties is authorized on the premises without the filmed individual's express consent.  This includes recording for academic, professional, or social purposes.

To the extent Patron Records overlap with FERPA-defined education records, the Library shall interpret the law to provide maximum assurance of the privacy of the library user, while also reserving the right to promote the proper operation of the library.

 

 

[PUBLIC COLLEGE/UNIVERSITY NAME] Policy on Library Privacy

 

Related policies:

[FERPA Compliance Policy

Student Code of Conduct

Employee Handbook

Patron Code of Conduct

Campus Guest Policy

Institutions' Data Security Policy]

Version: DRAFT FOR CUSTOMIZATION

Passed on:  DATE

Positions responsible for compliance

 

FOR USE IN PUBLIC COLLEGES AND UNIVERSITIES

POLICY

The state of New York provides that library records containing personally identifying details regarding the users of public college and university libraries ("Patron Records") shall be confidential, except to the extent necessary for the proper operation of the library.

In New York, libraries at state, county and municipal institutions may have specific status under the Open Meetings Law and various civil rights laws, but such status does not eliminate their obligations under CPLR 4509, nor limit patrons' rights to access services without fear of that record being accessed by another.

To safeguard this right, the [NAME] library will observe the below protocols.

No Patron Records, including but not limited to circulation records, computer searches, information requests, inter-library loan requests, or duplication requests, shall be disclosed, unless 1) upon request or consent of the user; or 2) pursuant to subpoena, court order, or where otherwise required by statute.

The use of security footage showing access to library resources (computers, collection materials, duplication technology) is considered to be a Patron Record.  NOTE: As authorized by law, the Library may release such records incident to promoting proper operation of the library.

Individuals or representatives from the media who wish to make recordings in the unrestricted areas of the library must adhere to the following rules:

  • To record students or patrons generating Patron Records (conducting internet searches, retrieving materials, using materials, checking out books, requesting information at the Reference Desk, etc.), the patron's permission must be obtained in advance; for minors, the written permission of their guardians or parents must be obtained;
  • Recording of the Circulation Desk(s) or Reference Desk(s) is forbidden if the area is staffed and serving patrons;
  • Recording and/or requesting permission from patrons and students must not disrupt normal operations of the library.

To avoid inadvertent violation of these rules, individuals or representatives from the media who wish to make recordings in the library may, but are not required to, discuss their projects with the Director; however, neither the Director nor staff can give permission to waive this policy or give permission to record patrons or students.

Conduct that would be barred by any other policy is not legitimized by the presence of a recording or transmitting device; this includes harassing patrons or staff, or any behavior that violates the rules of the institution.

To the extent Patron Records overlap with FERPA-defined education records, the Library shall interpret the law to provide maximum assurance of the privacy of the library user, while also reserving the right to promote the proper operation of the library.

 

Now, before I go, just a few words on working with these policy templates.

First and foremost, while templates can be a great starting place (and these are designed to inspire generative conversation), they should NEVER be adopted without a thorough analysis and scrubbing by your institution.

For instance, a public or private academic institution could already have a campus-wide policy on filming people.  Or, on the flip side, the institution could have a strong Media Communications or Film department that relies on being able to send students out onto the campus for filming; a policy like this, with no warning, could cause an unnecessary confrontation.[3]  Policies within smaller units at a big institution can cause inconsistency and friction that can be hard to anticipate, unless you bring in some colleagues to pass the policy with.

So before passing a policy based on a template I've provided, here is who I suggest should be on an academic institution's "Library Privacy Policy Collaboration Team," and why:

The Director of the Library (I trust the reason why is obvious), and at least one staff member (the staffer will provide an in-the-trenches perspective; plus, collaborating on that policy is great training for following that policy).

The Director of Campus Safety/Security/Police.  Why?  Because 1) they might have to help enforce the policy; and 2) it is important that they understand the privacy obligations of the library.  Further, at a public institution, they will likely be a ringer who understands the nuances of "quasi-public" space (for first amendment concerns[4]).

The Dean of Students: Why?  Because 1) they might have to help enforce the policy; and 2) it is important that they understand the privacy obligations of the library are for the benefit of the students.

The Director of IT: Why?  Because 1) it is important that they understand the privacy obligations of the library; and 2) they must ensure those obligations are supported by the institution's current and future information technology.

A student government rep: Why?  Because 1) it is important that students have a voice in policies that are meant for their benefit; and 2) students can help articulate the reasons and importance of policies in ways their peers can relate to.  Bonus reason: participating will look good on their apps for grad school!

The institution's lawyer and/or compliance director: Why? Basically, you want the person who keeps an eye on all the rules at your institution, to make sure they are harmonized and are consistent with each other.  Institutional policymaking cannot be done in isolation.

Optional, but a gold-star member: your institution's Family Rights Education Act (FERPA) compliance officer (for a discussion on how FERPA and library privacy obligations interact, see FERPA and NYS Privacy Laws).

And, in the case of this member's question: the Chair of the Media Arts Department: because as you meet, you can explore setting up ways for the film students to get the permission and image releases they need, in a way that supports their projects but respects the rights of others…skills they will need in "real life."

Okay, I can hear some of you (in my inner monologue!) saying: that's a huge meeting!  Do I really need to convene all those people?

Based on my experience as an in-house counsel at a University (ten years or so), my answer is: YES.

Why?  Because you don't want your first discussion about privacy with Campus Safety to take place when they ask you for the internet search records of a student who was reportedly making a weapon in his dorm room.  You don't want your first discussion about privacy with the Dean of Students to occur when they demand to know if a student was in the library at the time they are accused of driving drunk across campus.  You don't want your first discussion about privacy with a student rep to be when a "first amendment auditor"[5] shows up at your public university campus.  And you don't want to jeopardize your relationship with the IT Director by finding out she set up security cameras you don't know about.

And most critically: Privacy, security and safety on any college/university campus are a collaborative effort, and your library deserves special consideration within that effort.  Why?

No other space on campus has your precise mission and obligations.[6]  A team that knows and supports that mission, and those obligations, can be a great asset.

This is true whether your library's commitment to access and privacy is fully articulated by the team members' constant inner monologues, or is simply hard-wired into the "maps" in their heads.[7]

By jointly working on a policy, and paying attention to the details, either is possible.

Thanks for a great question, and best wishes for developing a strong, coordinated, customized policy!


[1] You can enter the rabbit hole here: https://youtu.be/u69YSh-cFXY I hope it's still there!

[2] NY CPLR 4509, FERPA, Civil Rights Law §50, the first amendment, 20 U.S.C. 1011(a), and a bunch of laws on trespass, Public Officers Law, etc.

[3] I'm a lawyer, so I am very happy about the concept of "necessary confrontation," but I like to save people time and stress whenever possible.

[4] This is not the place to dissect the first amendment's impact on public college/university libraries (see next footnote), but for the record, the "Higher Education Opportunity Act" emphasizes that ALL higher education institutions should be a place for "the free and open exchange of ideas."

[6] That said, an on-campus Health Services facility, Campus Counseling, Records, or other place with confidentiality obligations will have similar needs that might be instructive.

[7] I would like to apologize for any painful pseudo-science in this "Ask the Lawyer."  Stupid viral videos.

 

NYS SHIELD Act and Libraries

Submission Date

Question

With the NYS Shield Act taking effect in March 2020, what changes or precautions should libraries be thinking about to comply with the law and minimize the risk of data breaches?

Answer

There are many technical aspects to this question, and this answer will explore many of them.  But first, I invite each reader to sit back, close their eyes, and envision the types of information their library takes in, maintains, or manages digitally.

Name…address…phone number…e-mail…library card number and account information.  Perhaps a driver’s license, or other photo ID.  Credit card information?  Job applicant information, payroll, and employee data….  Donor information.  Survey responses.  Licensed lists.  Content related to digitization.  And (of course) every digital record related to a library’s core function: providing information access.

Now envision what someone with less-than-ethical intentions could do if they accessed or appropriated that digital information:

Disclose confidential library records…sell active credit card information on the dark web...use the information to design a very convincing phishing[1] scheme….

And I bet you can easily think of more. 

Scary?  You bet it is.  This is the type of risk-management New York’s lawmakers had in mind when they enacted the SHIELD Act[2], a far-reaching amendment to the state’s laws governing data security.

And as the member points out, the changes will impact your library.

So, what does this law require?

A lot. 

And here is where we get technical.  Because the law will hit different types of institutions differently, this “Ask the Lawyer” can’t give you a word-by-word recital of the precise obligations the SHIELD Act will impose on your institution.  But it can give you a plain-language DIAGNOSTIC FORM, a tool to help your board, your director, and your (internal or external) IT team start assessing your obligations.

So here, without further ado, is the ‘ASK THE LAWYER’ SHIELD ACT DIAGNOSTIC FORM.  If you have a buddy to fill this in with, I suggest you invite them to help; this is not the type of exercise to do alone.[3]

 

 

Diagnostic question | Your Answer | Significance

[NOTE: Any member of a library council in the State of NY is licensed to make a copy of this form for diagnostic purposes. However, THIS IS NOT INDIVIDUALIZED LEGAL ADVICE and no legal conclusion about the obligations of your institution should be made without the input of a lawyer.  That said, filling this out will help that lawyer help you a lot faster.]

1. Does your library collect electronic versions of “personal information” as defined by SHIELD?

Here is the definition of “personal information”:

"Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.

If your library collects “personal information” as defined by SHIELD, it may be subject to SHIELD’s requirements.

So, if you marked “yes,” keep going!

2. Does your library’s network or equipment collect electronic versions of “private information” as defined by SHIELD?

Here is the type of data that, when combined with “personal information,” becomes “private information” protected under SHIELD:

(1) social security number;

(2) driver's license number or non-driver identification card number;

(3) account number, credit or debit card number, in combination with any required security code, access code, [or] password or other information that would permit access to an individual's financial account;

(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or

(5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or

(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

If your library collects “private information” as defined by SHIELD, it may be subject to SHIELD’s requirements.

So if you marked “yes,” keep going!

(NOTE: if any libraries out there are using biometric records like retina scans in place of library cards, please let me know, because that is Bladerunner-level cool).

3. Does the “private information” your library collects include information from residents of New York?[4]

If your library collects “private information” relating to New Yorkers, it may be subject to SHIELD’s requirements.

So if you marked “yes,” keep going!

4. Is your library part of a larger institution such as a school, college, university, museum, religious institution, or hospital?

If the answer is “yes,” then STOP.

Your work on SHIELD Act compliance should be coordinated with your full entity, which should be sensitive to not only your library’s obligations under CPLR 4509, but your institution’s obligations under SHIELD and other data security laws like FERPA and HIPAA.[5]

Don’t go rogue!

5. Does your institution contract with another entity, like a library system, to maintain private information?

EXAMPLE: When a person applies for a library card, does the personal information supplied stay on the local library’s network, or does it simply flow through a terminal at the local library to a system’s network? This is a very common arrangement in NY.

If “yes,” list and attach the contracts, along with the information maintained by the contractor.

This question applies to both parties.

If the answer is “yes,” gather the contract(s) governing the arrangement(s), and be ready to check the contracts for assurance of SHIELD compliance. This includes assurance of “reasonable security requirements,” and a clause governing data breach notification.

6. Now, aside from information maintained on another entity’s network as listed in #5 above (library system, payroll service, credit card service provider, etc.), does your institution maintain any computer system with private information?

If yes, list the information gathered and where it is maintained:

If the answer is “no,” you only have to follow step #7, below.

If the answer is “yes,” make an appointment with your IT team, and be ready to do steps #7 through #15, too.

7. Contract compliance check:

If you answered “yes” to #5, above, the contracts governing that relationship should be clear about SHIELD Act compliance, including the notification procedures for data breach.

Who is the person at your institution who will do this work with your contractors?

This is a smart step because contract vendors must meet this standard:

Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

8. Okay, so it looks like my institution has to comply with the SHIELD Act.  What does that mean?

Well, firstly:

Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

So, does your institution have a policy for data breach notification?

Your institution may already have one! If so, it should be updated to reflect the changes in the law.

If it doesn’t have one, now is a good time to get a policy in motion.

The law lists the steps and requirements for notification.  Among other things, those requirements can depend on the size and nature of the breach.

NOTE: a data breach is something a library should respond to with a qualified IT team and, if there are concerns about liability and compliance, a lawyer and your insurance carrier.

9. Secondly:

Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.

Does your institution have a policy to implement these “reasonable security requirements?”

Your institution may already have one.

If so, it should be updated to reflect the changes in the law.

If it doesn’t have one, now is a good time to get a policy in motion!

NOTE:  ***I have put the SHIELD Act’s criteria for a data security program next to three asterisks in the text following this form.

10. Thirdly, are you a small library and feeling panicked about your security requirements?

Don’t worry: if you’re a “small business,” the law has a provision related to your obligations.

Here is the SHIELD Act’s definition of a “small business”:

"Small business" shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.

So (deep breath) are you a “small business?”

If the answer is “yes,” then your “reasonable security requirements” are tempered:

…if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers.

This analysis is why having an inventory of the private information maintained by your library (or for your library) is critical; depending on the “sensitivity” (or use) of what you maintain, your plan can be adjusted for what is “appropriate.”

11. Just to reiterate: if you have gotten this far into the assessment diagnosis, you should probably have a “data breach” plan—even if it is just for coordinating with the entity who holds most of your data.

So: do you have a “Data Security and Data Breach Notification Policy and Procedure?”

As can be seen in the factors cited in the sections above, policy and procedures related to data security and data breach notification cannot be cookie-cutter, based simply on what other libraries do.  Your policy and practices will be governed by many factors.

12. Are you insured for data breach and recovery?

This is a great question to ask your insurance carrier!  You should also be familiar with their notice requirements in the event of a hack or breach.

13. Who at your institution is responsible for coordinating your data security program?

This responsibility should be confirmed in a job description and reinforced with regular training.  Working with your system or other larger supporting entity may be important, too.

14. Who are your outside contractors assisting with emergency response in the event of data breach?

This is a good standing contract to have, and one that systems and councils might consider jointly negotiating for on behalf of members (and hopefully it is a service you never need to invoke!).

15. Did you ever think, when you chose a library career, you’d get to moonlight in IT?

IT and libraries: two great tastes that go great together…with enough planning.

And that’s the SHIELD Act.[6]

How does a small not-for-profit tackle this expansion of data security laws?  Like anything else: inventory your status under the law, establish a goal for compliance, develop a budget and a plan, make sure the responsibility is appropriately allocated, confirm insurance coverage alignment, use all the resources at your disposal (your system, council, insurance carrier, and board members who have lived through data breach compliance) and get it done. 

In practical terms, this also means:

  • If your library makes a practice of getting a copy of every member’s photo ID, and stores it on an Excel spreadsheet on an unsecured computer, now is a great time to stop doing that.
  • If your library maintains a list of users, credit card numbers, CCV numbers and expiration dates on your network, now is a great time for a network security assessment.
  • If your library uses an outside IT contractor, now is a great time to review their contract and make sure it provides assurance that services will be SHIELD Act-compliant.
  • If you have no idea if your institution’s insurance covers data breach (and recovery), now is a great time to ask your agent, broker, or carrier.  They might even have some resources to help you with SHIELD Act compliance.

The penalties for violation of the SHIELD Act are $5,000 per violation, in an action brought by the New York Attorney General (the law doesn’t create a private right to sue).  Other changes to the law make it easier for the AG to learn of data breaches, and to coordinate with other law enforcement agencies trying to combat them.  As we envisioned at the beginning of this article, the stakes for a breach are high.

But don’t worry.  No matter where your diagnosis falls, remember: libraries have been operating under heightened privacy obligations since before there were computers.  That mindset, awareness of an ethical duty to protect privacy, is the most important part of a program to minimize the risk of breaches.

You’ve got this.

Thanks for a great question.

 

***A data security program includes the following:

 (A) reasonable administrative safeguards such as the following, in which the person or business:

(1) designates one or more employees to coordinate the security program;

(2) identifies reasonably foreseeable internal and external risks;

(3) assesses the sufficiency of safeguards in place to control the identified risks;

(4) trains and manages employees in the security program practices and procedures;

(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(6) adjusts the security program in light of business changes or new circumstances; and

 

(B) reasonable technical safeguards such as the following, in which the person or business:

(1) assesses risks in network and software design;

(2) assesses risks in information processing, transmission and storage;

(3) detects, prevents and responds to attacks or system failures; and

(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and

 

(C) reasonable physical safeguards such as the following, in which the person or business:

(1) assesses risks of information storage and disposal;

(2) detects, prevents and responds to intrusions;

(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and

(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

 


[1] “We just need your bank information to refund your library fees since 1987 with interest!”

[2] SHIELD stands for "Stop Hacks and Improve Electronic Data Security".

[3] Why?  Well, if you’re lucky, it’s because it will be boring.  But chances are, it will be all too exciting, as you discuss the different types of data your library maintains and explore the data security obligations that come with it.  And if that happens, you’ll need one person filling in the form, while the other one looks up information—and you’ll both want someone to share your sense of urgency when it’s over.

[4] NOTE:  This is a huge change in the law, which used to only apply to businesses in New York.  Now it applies to any business that collects the information of New Yorkers; a big difference and one that impacts businesses out-of-state.

[5] Institutions subject to HIPAA have special provisions to ensure disclosure obligations aren’t redundant.