"Shall" do what? Proposed security standard is a liability nightmare for school officials
The world's largest security industry group is quietly writing a de facto legal requirement for schools.
The terms "should" and "shall" have distinct legal implications when used in regulatory standards, contracts, and legal documents:
Shall:
Mandatory: The term "shall" is used to indicate a requirement or obligation. When a regulation states that an entity "shall" do something, it means the action is compulsory and legally enforceable.
Binding Commitment: "Shall" implies a binding duty or responsibility. Failure to comply with a "shall" requirement can result in legal penalties or enforcement actions.
Should:
Advisory or Recommended: The term "should" suggests a recommendation or guidance rather than a mandatory requirement. It indicates what is advised or preferred but not obligatory.
Non-Binding: "Should" does not create a legal obligation. Non-compliance with a "should" recommendation generally does not carry legal consequences, although it may be used to demonstrate a best practice or standard of care.
Why is someone like me who studies school shootings and school security concerned with the legal nuance of shall versus should?
Unless school officials have paid $50 for access or follow the minutia of security industry news, they probably have no idea that a proposed standard is being written for school security. The draft standard has a public comment period that runs through September 9 but you need to pay to review it.
The ASIS International School Security Standard, a proposed American National Standard approved by American National Standards Institute (ANSI), is set to transform how educational institutions approach security. As the first comprehensive standard of its kind, it will provide schools with a crucial measuring stick for assessing and improving their safety measures.
This standard is expected to cover a wide range of issues, from basic security practices maximizing preventive measures, how schools can ensure that student needs as it relates to behavioral issues are being dealt with, prompting schools to critically evaluate their current safety posture and address potential vulnerabilities.
“Shall” appears 209 times in the draft School Security - ASIS SSEC-202X document. This is very important for school officials to pay attention to because a private industry standard can easily find its way into grant funding eligibility, state legislation, and private insurance requirements.
Consensus standards are typically voluntary but widespread adoption can make them de facto mandatory within an industry.
Regulatory agencies may incorporate consensus standards by reference into regulations, making compliance with the standard a legal requirement.
Contracts may explicitly require compliance with specific consensus standards, creating binding obligations for parties involved.
Failure to adhere to widely recognized consensus standards can be used as evidence of negligence in legal cases. Adhering to these standards can help demonstrate due diligence and compliance with industry norms.
Most importantly, if a student is shot and the family is suing the school for negligence, a lawyer is going to hold up these standards in court.
Who is writing this standard?
ASIS International, a global community of security practitioners, is leading this initiative. Known for its expertise and dedication to advancing security practices, ASIS is well-positioned to address the complex challenges of school security. This effort is not just a project but a mission to create a safer educational environment for everyone involved.
The ASIS School Security Standard was developed by 50+ industry experts and reflects a multi-hazard and disciplinary approach from a variety of professions including school administration, security, architectural design, mental health, behavioral threat assessment, facilities management, life safety, emergency management, law enforcement, crisis communications, business continuity, and legal.
What are some ‘shalls’ that become de facto mandates?
"Shall" implies a binding duty or responsibility. Failure to comply with a "shall" requirement can result in legal penalties or enforcement actions. “Shall” appears 209 times in this draft standard.
Here are a few shalls in the draft:
The school shall appoint an individual(s) to serve as its security leader for the purposes of implementing and managing the school security programs. (5.7)
Schools shall implement a policy to document and report specific patterns of threatening/concerning behavior to proper authorities. (5.3)
The school shall provide resources to support the school security program according to its security goals and objectives and accepted level of risk. Resources (e.g., funding, personnel equipment, information, time, tools, etc) shall be allocated to both create and sustain the program. (5.6)
Each school shall develop, implement, and maintaining a security awareness program (see ASIS Security Awareness Standard). (5.8.1)
The school shall establish, implement, and maintain a documented process for identifying and prioritizing tangible and intangible assets to support its school security program. (6.1)
The school shall conduct a security risk assessment (see the ASIS Security Risk Assessment Standard). (6.2)
The school shall conduct a physical security assessment at least once every three years. (6.2)
The school shall establish, implement, and maintain a behavior threat assessment and management (BTAM) program. (7.2)
The school shall design and implement physical protection systems to meet minimum physical security requirements outlines (sic) in Annex A. (7.3)
The school shall conduct audits at planned intervals and on an annual basis. (8.3)
What’s in Annex A: Physical Protection Systems and Measures?
Crime prevention through environmental design (Another misapplied criminology theory: and I’ll bet the people who wrote this standard didn’t read Clark’s paper and books on Situational Crime Prevention)
Security lighting
Physical barrier
Intrusion detection systems
Physical entry and access control
Visitor management
Video surveillance
Alarm, communication, and display
Security personnel
For example, the school shall secure the perimeter with 8-foot anti-cut/anti-climb fencing. (Note: whoever wrote this probably has never visited a school in New York or Chicago where the front door opens directly to the street, or a school in rural Iowa with 10 acres of athletic and recreational fields.)
The school shall also have a comprehensive video surveillance system that is remotely accessible.
About 15% of Americans (42 million people) don’t have access to high-speed internet. How many schools in rural and remote areas have no, minimal, or limited access to an internet connection that can stream the +100 CCTV cameras needed to provide comprehensive, remote coverage of the entire campus?
It’s clear that there was very little consideration given to the size, location, resources, or priorities that a school has. At a school in a small town of 5,000 people where everybody has known everybody for generations, what’s the purpose of a credentialling system for all staff, students, contractors, and visitors.
This standard makes issuing ID cards a de facto requirement even if that does nothing to increase safety at the school…but it does sell the products and services to make ID cards and a visitor management system (just like the vendor’s system that leaked 4,000,000 private student records this year).
Follow the money
When you start looking at the types of things that a school shall do, most of them involve buying something from a commercial vendor or contracting services from a “security expert” who knows the ASIS standards. Based on my evaluation of the draft, these requirements are not based on data and published research.
For example, here is the design of what the front entry of a school should look like (without any empirical evidence supporting this design because during a planned attack by an insider/student, this type of entry is a chokepoint and vulnerability):
Take a look at this diagram for a minute and think about how many different products need to be purchased. I see security cameras, fortified doors, ballistic glass, electronic locks, video intercom, and card readers (plus digital access cards). This could easily be a +$1 million project to retrofit the front entry of just one school building.
If that diagram wasn’t enough to show that selling products is driving the standard, there is a whole section about emerging technology.
Why is this a problem for school officials?
Once there is a consensus industry standard on paper, if there is a school shooting and prosecutors want to evaluate negligence by school officials, they would see if the school followed the “shalls” in this document. After the Oxford, MI school shooting, prosecutors explored criminal charges against school officials who didn’t take action on the warning signs or properly implement the threat assessment program.
The problem with this proposed ASIS standard is that these de facto mandates are not being vetted by a representative group of school officials from all parts of the country and different sized/resourced school systems. While school officials will face the legal consequences of this standard, private industry will profit from publishing this. There is a strong incentive for ASIS to keep school officials from being involved or commenting on this document (thus the $50 fee just to review it).
Of the 98,000 public k-12 schools in the country, about 41,000 are located in small towns or rural areas with enrollment of under 1,000 students. When a national organization passes a standard that requires a school to have a security director, have a formal threat assessment team, or conduct a physical security survey every 3 years, thousands of rural school districts don’t have the budget or staffing to comply with these mandates.
Over the last 60 years, planned attacks at schools are most common in small towns and rural areas with a population under 50,000. The next small town where a school shooting happens will not only deal with the tragedy of the attack, but if this standard is published, the school officials will also face a huge legal burden for not complying with the 209 “shalls” in it.
David Riedman is the creator of the K-12 School Shooting Database, Chief Data Officer at a global risk management firm, and a tenure-track professor. Listen to my recent interviews on Freakonomics Radio, New England Journal of Medicine, and my article on CNN about AI and school security.