Most of the time when a violent incident shatters a workplace and ends lives, experts learn too late about information that someone knew – somewhere – that could have been used to prevent the attack.

That’s why every time I speak with security directors regarding workplace violence, I warn them. “Don’t let misinterpretations of privacy laws,” I caution, “hinder your ability to prevent workplace violence.”

Sharing Information – in a Compliant Manner – Saves Lives.

As a result of the tragic Ft. Hood and Navy Yard shootings by employees, the Government Accountability Office (GAO) released a report, “Insider Threats: DOD Should Improve Information Sharing and Oversight to Protect U.S. Installations.” This valuable study examined the Department of Defense’s recommendations for promoting information sharing to protect against insider threats. It also reviewed federal internal control standards for sharing information within an organization. The report states that “DOD is not sharing all the information about such actions because DOD officials are not consistently using existing mechanisms to share information.”

Security Directors: This Often Starts with You. Be Alert to the Signs.

Over the course of our support to clients developing workplace violence programs and training in this area, we’ve learned a lot that the DOD could use in its own plans. I’ve seen it a number of times: a security director learns of an employee who exhibits warning signs, but upon double-checking the privacy laws, he or she becomes afraid of violating them – and does nothing.

Understand the 3 Privacy Laws – and Their Allowable Exceptions.

Ignoring the warning signs exhibited by someone who has the interest, motive, intention and capability of mounting an attack against a facility, employee, family member or visitor is not the right option. As a security director, it’s critical that you have an in-depth conversation with your company’s legal counsel and HR team about three specific privacy laws:

1. The Health Insurance Portability and Accountability Act (HIPAA)

While, in most cases, human resources staff have an extensive understanding of the HIPAA regulations with respect to the privacy of an employee’s health records, the security director should make sure that HR is aware of the public safety exceptions as it gathers information about a subject. There are situations where privacy is outweighed by certain interests.

For example, health care providers must disclose information about a person who presents an imminent threat to the health and safety of individuals and the public. Providers can disclose information to law enforcement in order to locate a fugitive or suspect, and are also authorized to disclose information when state law requires it.

2. The Family Educational Rights and Privacy Act (FERPA)

When a facility has academic programs, such as a school or medical facility internship, a security director should be aware of public safety exceptions to FERPA. The privacy of any student’s educational records is primarily governed by federal law and regulations issued by the Secretary of Education that interpret these laws.

Like HIPAA, FERPA’s basic rule favors privacy. Information from educational records cannot be shared unless authorized by law, by a consenting parent or, if the enrolled student is 18 or older, by the student’s own consent. It is important to note that a student’s behavior is often misinterpreted as an “academic record.” This error can have tragic consequences. One of the more infamous examples was the Virginia Tech shooting, wherein the shooter exhibited signs of troubling behavior, but the faculty did not share the information with law enforcement because that information was erroneously considered part of the shooter’s academic record.[1]

3. Employee Assistance Programs: A Duty to Warn – The Tarasoff Case

When an employee or contractor has been referred to an Employee Assistance Program (EAP), the security director should ensure that the HR department making the referral is aware that a therapist has a “duty to warn” prospective victims that they are at risk of falling prey to some violent act. “The discharge of this duty may require the therapist to … warn the intended victim or others likely to apprise the victim of the danger, to notify the police or to take whatever steps are reasonably necessary under the circumstances.”[2]

Understanding these laws and workplace violence prevention can be difficult, but by working with a team comprising legal counsel, HR and a security consultant, you and your company can develop a plan that is easy to understand and implement – and one that will save lives.


[1] 20 U.S.C. § 1232g(a)(7)(B)(h)(1)–(2) (2006):

Nothing in this section shall prohibit an educational agency or institution from— (1) including appropriate information in the education record of any student concerning disciplinary action taken against such student for conduct that posed a significant risk to the safety or well-being of that student, other students, or other members of the school or community, or (2) disclosing such information to teachers and school officials, including teachers and school officials in other schools, who have legitimate educational interests in the behavior of the student.

[2] Tarasoff v. Regents of the University of California (17 Cal. 3d 425, 551 P.2d 334, 131 Cal. Rptr. 14 [Cal. 1976]) was decided by the California Supreme Court in 1976.

