2009 URMIA Journal by URMIA

URMIA Journal 2009

Nashville

UNIVERSITY RISK MANAGEMENT AND INSURANCE ASSOCIATION

Music is the universal language of mankind. —HENRY WADSWORTH LONGFELLOW (1807–1882), AMERICAN POET AND EDUCATOR

Front cover: An acoustic guitar, a symbol of “The Music City.” Nashville: Host city for the 2009 URMIA Conference, September 12–16.

URMIA Journal 2009 University Risk Management and Insurance Association OFFICERS President Vincent E. Morris, ARM, CPCU, CIC, CRM, AIC Wheaton College, (630) 752-5013 vincent.e.morris@wheaton.edu vincent.e.morris@wheaton.ed u President-Elect Margaret Tungseth, CPA, MBA Concordia College, (218) 299-3327 tungseth@cord.edu tungseth@cord.ed u Secretary JoAnne Flowers, ARM-P University of Missouri, (573) 882-8577 ﬂowersj@umsystem.edu Treasurer Anita C. Ingram, MBA, ARM Southern Methodist University, (214) 768-4047 anitai@mail.smu.edu anitai@mail.smu.ed u Parliamentarian Gary W. Langsdale, ARM Pennsylvania State University, (814) 865-6308 GWL3@psu.edu GWL3@psu.ed u

The Nashville skyline at night

Immediate Past President Ellen M. Shew Holland, ARM University of Denver, (303) 871-2327 elhollan@du.edu elhollan@du.ed u DIRECTORS Megan Adams, Esq. (’11) Princeton University, (609) 258-2169 adamsm@princeton.edu Julie C. Baecker, AIC, ARM (’10) University of Alaska, (907) 450-8153 snjcb@alaska.edu Mary Breighner, CPCU, DRM (’09) FM Global, (513) 742-9516 mary.breighner@fmglobal.com Steve Bryant, CRM, ARM (’09) Texas Tech University System, (806) 742-0212 steve.bryant@ttu.edu Marjorie F. B. Lemmon, ARM, CPCU (’10) Yale University, (203) 432-0140 marjorie.lemmon@yale.edu David Pajak, ARM (’10) Syracuse University, (315) 443-5334 depajak@syr.edu

National Ofﬁce P.O. Box 1027 Bloomington, Indiana 47402 Tel. (812) 855-6683 FAX (812) 856-3149 E-mail: urmia@urmia.org Web: www.urmia.org

A Professional Non-Proﬁt Forum for the Exchange of Information, Concepts, Practices, and Developments Between Higher Education Risk Managers

Donna Pearcy, ARM, MBA (’09) The University of Iowa, (319) 335-3425 donna-pearcy@uiowa.edu Paul D. Pousson, ARM (’11) University of Texas System, (512) 499-4653 ppousson@utsystem.edu Donna Smith (’11) University of New Mexico, (505) 277-9790 donnas@unm.edu Larry V. Stephens, AIC, ARM, CPCU, AAM, DRM (’09) Indiana University, (812) 855-9758 stephenl@indiana.edu

Get over the idea that only children should spend their time in study. Be a student so long as you still have something to learn, and this will mean all your life. —HENRY L. DOHERTY (1870–1939), AMERICAN BUSINESSMAN

No matter how one may think himself accomplished, when he sets out to learn a new language, science, or the bicycle he has entered a new realm as truly as if he were a child newly born into the world, and “Except ye become as little children” is the law by which he is governed. Whether he will or not he must ﬁrst creep, then walk, then run; and the wisest guide he can have is the one who most studiously helps him to help himself.

—FRANCES WILLARD (1839–1898), “A WHEEL WITHIN A WHEEL: HOW I LEARNED TO RIDE THE BICYCLE”

From the President It gives me great pleasure to present to you the University Risk Management and Insurance Association’s Journal for 2009, the latest installment in URMIA’s efforts to provide the best in higher education risk management information. Some of my favorite films are those that make me laugh until tears stream from my eyes. One I really like is from 1980 (thus qualifying it as an “older” film, according to some of my current student friends) called The Gods Must Be Crazy. The convoluted and hilarious plot involves a soda bottle thrown from an airplane into the Kalahari Desert, a Jeep winched up a tree, and a bumbling biologist, unlucky in love, who does research on elephant dung—“She thinks I’m a lunatic, and I don’t blame her. You know, she asks me what do I do, and I say I collect manure. I don’t tell her I analyze it for my doctoral thesis. I bet you she thinks I shovel the stuff.” The smooth-voiced narrator who introduces this quirky film describes how, in our culture, we imprison our children for many years in school so they will learn how to understand the world around them—the world we have constructed—and how it works (or, maybe, doesn’t). While I find this to be poignantly true, it would also be a mistake for us to think that education is only for children or only to help us maneuver through society as it is. Education at its best helps us shape the very future of our society— and ourselves. Or, in the case of the aforementioned film, it at least helps us recognize the distinct odor of a pachyderm’s rear, which we may encounter often enough in our surprisingly diverse jobs. The articles in this publication are brought to you through the great generosity of our sponsors and by the personal contributions of our authors, via the work of our editors. They represent the best of continuing education for that biologically rare species—higher education risk managers. I hope you enjoy this edition’s topics, which have changed a bit since 1980. Same shovel, different stuff. Who knew we would need continuing education in cyber liability or on behavioral intervention or on the fine balance between privacy and violence prevention? Yet we do still need to keep learning, all our lives—in between the shoveling. Vincent Morris, Director of Risk Management, Wheaton College (Illinois) URMIA President, 2008–2009

Contributors URMIA thanks each of the ﬁnancial contributors who supported the publication of the 2009 edition of the URMIA Journal:

Arthur J. Gallagher & Co.

Gallagher’s Higher Education Practice assists colleges and universi-

The Gallagher Centre

ties in identifying and mitigating the complex risks facing today’s

Two Pierce Place

institutions of higher learning. Across all ﬁelds of insurance and

Itasca, IL 60143

risk management, our international team of experts is here to help you ﬁnd the best solution to protecting your institutional assets. To

Gallagher Koster 500 Victory Road

learn more, please contact John McLaughlin, Managing Director, at 630-285-4380 or email him at john_mclaughlin@ajg.com.

Quincy, MA 02171 800-457-5599

Marsh

For over 40 years, Marsh’s Education Practice has dedicated resources

One State Street

to support the higher education industry. Marsh is devoted to ﬁnd-

Hartford, CT 06103-3187

ing the opportunity in risk for all of our education clients. From risk identification and assessment to risk quantification and prioritization to risk mitigation and financing, our strategic approach lies at the core of a truly differentiated client experience. For further information regarding our practice, please contact your local Marsh Education Leader or our Global Education Practice Leader, Jean Demchak, at 860-805-0677.

Riggs, Counselman, Michaels & Downes, Inc. (RCM&D)

Innovative and independent since its founding in 1885, RCM&D’s

555 Fairmount Avenue

to higher education organizations. RCM&D’s “dedicated education

Baltimore, MD 21286

Education Group provides insurance brokerage services, risk consulting services, claims advocacy, and employee beneﬁt solutions

team” provides value by: •

understanding and assessing the unique risks of educational institutions;

•

developing creative group purchase and other alternative risk programs; and

•

presenting risk control solutions and best practices speciﬁc to the education client.

For further information, please contact Ric Valentino, RCM&D’s Education Group Leader, at 410-427-6435 or rvalentino@rcmd.com.

These contributors make it possible to publish this journal. We extend our appreciation and thanks.

Features

Cyber Liability and Higher Education: Professional Risk Solutions Sarah Stephens and Shannan Fort, Aon Risk Services

FERPA Then and Now: Tipping the Balance in Favor of Disclosure of Mental Health Information Under the Health and Safety Emergency Exception Allison B. Newhart, Esq., Saul Ewing LLP and Barbara F. Lovelace, Esq.

Twenty Years of University Mutuals: Theories of Success Harry Rosenthal, Unimutual

Toxic Chemicals on Campus: Risk Management Challenges and Solutions Ralph Stuart, CIH, University of Vermont and Leta C. Finch, Higher Education Practice, Arthur J. Gallagher Risk Management Services, Inc.

The George Washington University OfďŹ ce of Risk Management Health & Safety Inspection Program Fitzroy Smith, Robert Ulizio, and Dale Furrow, The George Washington University

Second Generation Behavioral Intervention Best Practices Brett A. Sokolow, J.D., and W. Scott Lewis, J.D., National Center for Higher Education Risk Management (NCHERM)

I think the Internet is uniquely suited to this free market idea: that everyone on the Internet that exchanges the trafﬁc back and forth, big or small, we all need each other. —PETE ASHDOWN (1967– ), FOUNDER AND CEO OF UTAH’S FIRST INDEPENDENT AND OLDEST INTERNET SERVICE PROVIDER, XMISSION

Cyber Liability and Higher Education: Professional Risk Solutions Sarah Stephens and Shannan Fort, Aon Risk Services

Cyber Risk Profile and Exposure Channels Abstract: Institutions of higher education face many different threats and exposures related to the internet and the security Due to the nature and complexity of operations and the and privacy of electronically stored information. While proacademic culture of open access, educational institutions tecting these information resources is essential, colleges and and, in particular, large research-oriented universities face universities also face the paradox of doingg so while operatingg unique exposures related to the internet and information within a culture that values complete open communication security and privacy. A An overriding challenge that educationa and exchange of ideas. This article provides ovides tional institutions face when dealing with priva and security risks continues to be a thorough description of the risk profifile le privacy f and various exposures that colleges andd the fundamental conflict between a culInstitutions walk a universities may face, the liability and reguture that values an unfettered exchange of ideas id and requires the security and latory environment, descriptions of specifi ecific fine line when they priva of sensitive or private informaeducation-related incidents, what strategies tegies privacy begin monitoring institutions can implement, and how to tion.1 All educational institutions have a A ensure they have proper insurance covereronline behavior, varie variety of exposure channels that constiage to protect the institution in the event ent of tute their overall risk profile. Below is a such an information breach. since doing so may discu discussion of the most salient issues. create a duty of care Introduction Scop Scope of Network Operations iThe term, “cyber risk,” may conjure vito protect students In order or to facilitate the open access des, sions of hackers, file sharing mishaps, scrib scribed above, higher education instituhe online copyright infringement, and the from dangerous or tion tions configure network systems to allow orkmurky risks arising from social networkcriminal behavior. for m multiple points of access. Outsourced lid ing. While these exposures are all valid infor information technology (IT) entities and concerns that fall within the scope off othe other service providers may also have nal cyber risk, it is critical that educational direc direct access to the education organizainstitutions take a systematic, rather ’ k h tion’s network, thus increasing exposures. Additionally, f d than piecemeal, approach to identifying, quantifying, and some larger universities may have multiple departments ultimately treating for such risks. While a comprehensive not managed by central IT that have little connectivity risk identification and transfer process would include a to the master network, operate proprietary systems, and full examination of four quadrants of risk—Professional abide by loosely defined privacy and security practices, Services, Media and Intellectual Property, Privacy and which increase the risk to the parent organization. Technology, and Vendor Management—we have chosen to focus primarily on Privacy and Technology exposures. Internet Usage2 Drawing on Aon’s experience in crafting customized Nowhere is the paradox of openness and expectation insurance solutions for a variety of industries, as well as of privacy more evident than in social networking sites, feedback from 10 leading insurance carriers, this article which are used extensively by students.3 Sites like Faexplores the unique privacy and technology risk profile cebook and MySpace allow students to share personal of higher education entities, the relevant privacy-related information in a more publicly accessible way than ever regulatory developments, and the evolution and current before. Many universities have incorporated the use of state of the risk transfer marketplace.

URMI A Journal 2009

social networking websites into their student code of latest technologies. The downside, however, can be system 4 conduct, with some even monitoring students’ postings. integration problems, employee training hurdles, and unInstitutions walk a fine line when they begin monitoring known bugs or system glitches that can facilitate a breach online behavior, since doing so may create a duty of care to of confidential information. Educational institutions must protect students from dangerous or criminal behavior. Reoften create and maintain secure networks with limited cent controversy surrounding JuicyCampus.com, a website resources, leading to the widespread use of free or open that allowed anonymous gossip specific to a particular source security software that may be less effective than a college campus, led to a consumer fraud investigation by customized solution. the New Jersey attorney general after a student claimed that she was terrorized by explicit postings that included Healthcare and Additional Miscellaneous Risks her address. JuicyCampus shut down in February 2009, Nearly all universities have custody of student health ssion and falling ad information in the co claiming that it was hurt by the recession context of on-campus health clinhe threat of continued ics, which means they must ensure compliance with the revenue, though many assume that the Hea Information Portability and Aclitigation had a significant influence as Health cessi well.5 In a step that some believe mayy cessibility Act’s (HIPAA) privacy and seThe protection curit rules. Universities with associated begin to infringe on first amendmentt curity neral hosp rights, the New Jersey Attorney General hospitals, those that host clinical trials, and disclosure of versiissued a letter to all New Jersey universiand even those that conduct any human ybersubj research may have additional ties asking them to “incorporate…cybersubject confidential consumer expo harassment…into your school’s codee of exposure and resultant liability. information is se conduct, with consequences for those 6 Liab who engage in these activities.” Liability and the Regulatory currently governed by Envi Environment Outsourcing The protection and disclosure of cona patchwork of state ngly den consumer information—both Educational institutions are increasingly fidential and federal laws. nner. pers embracing outsourcing in some manner. personally identifiable information d may (PII and protected health informaThe nature of operations outsourced (PII) burserange in scale from financial aid disbursetion (PHI)—is currently governed by a ems, patc ment systems to student e-mail systems, patchwork of state and federal laws that which a growing number of universities—43 percent, target different exposures and different entities. Some according to one study7—have outsourced or plan to of these statutes include the Family Educational Rights outsource, to the management of student identification Privacy Act (FERPA), HIPAA, Gramm Leach Bliley cards used to make purchases and gain access to buildings Act (GLBA), Fair Credit Reporting Act, Sarbanes-Oxley and resources. The cost savings of outsourcing can be very (SOX), Federal Privacy Act, and others. The regulations attractive, but these arrangements may harm the organimost applicable to the education industry include: zation’s risk profile because of the increased number of entry points and the possible inconsistencies in network Family Educational Rights Privacy Act (FERPA) operations. The outsourced service provider’s information The Family Educational Rights Privacy Act (FERPA) security protocols and marketplace reputation should be mandates protection of the privacy of education given the highest level of attention. records and affords students the right to view and correct the information contained therein. FERPA also IT Implementation allows certain information that would not be harmful Much like outsourcing, higher education institutions if made public, known as “directory information,” to can experience tremendous cost savings with effective be disclosed without consent. Directory information modernization of operations and implementation of the can include name, address, telephone number, date

U R M I A Jou r n a l 2 0 0 9

of birth, honors and awards, dates of attendance, and contains both a Security Rule (passed in 2003) that student identification numbers. In December 2008, loosely dictates protocols for the protection of electhe Department of Education published FERPA rule tronic Protected Health Information (PHI)12 and a Privacy Rule (passed in 2002) that outlines and limits changes specifying that directory information can the way PHI in any form can be disclosed, as well as only include student identification numbers if those provisions for fines or penalties in the event of nonnumbers “cannot be used to gain access to education compliance with either rule. records except when used with one or more other In July of 2008, the Department of Health and factors to authenticate the user’s identity,” which does Human Services (HHS) levied the first HIPAA fine, not necessarily prohibit Social Security numbers from 8 rmation. The rule or rather “resoluti “resolution amount,” against Providence being included as directory information. Hea encourages universities to stop using Health and Services for $100,000.13 The Providence fine was the result of a Social Security numbers as stuAlthough there is no hat leng lengthy investigation into a 2005 breach dent identifiers but recognizes that tory invo involving the theft of backup tapes from FERPA does not have the statutory statutorily recognized an employee’ em s car. HHS, in conjunction authority to issue such an edict. As ersiwith the Federal Trade Commission recently as 2004, half of all universifoundation for ers (FT (FTC), levied its second fine in February ties used Social Security numbers launching lawsuits 2009 2009—in the significantly larger amount as student ID numbers, though the of $2 $2,250,000—against CVS/Caremark trend, which is helped by state bans, over data breaches, 9 after an investigation into improper disis to discontinue the practice. posa posal of patient information. Educational lawsuits charging Fair and Accurate Credit and research institutions that run health negligence must clini Transactions Act (FACTA) clinics or hospitals and those whose resea The Fair and Accurate Credit research involves collecting any PHI of show that accepted hich hum Transactions Act (FACTA), which human subjects should pay special attenmers tion to HIPAA compliance. intended to help protect consumers standards of ons from identity theft, added sections performance were Noti to the Fair Credit Reporting Actt Notification Framework FER (FCRA). It also contains a “red flag” FERPA and FACTA do not currently not met. ty cont provision that requires any entity contain any specific provisions mandating consumer c with a covered account to adopt a notification in the event vents of a data breach, but educational instiwritten plan to detect red flag events at could indicate tutions are subjec related to consumer accounts that subject to the framework of the 44 state 10 identity theft. The Department of Education issued breach notification statutes. While some states allow guidance confirming that educational institutions exceptions for breaches involving encrypted data, participating in the Federal Perkins Loan program are most require swift public disclosure of any potential subject to the red flag rules, and any other institution breach of personally identifiable information. To that can be considered a creditor should look into bethe extent an educational institution is subject to coming compliant by the August 1, 2009, deadline.11 HIPAA, it should be aware that provisions in the American Recovery and Reinvestment Act (ARRA) Health Information Portability and Accessibility Act now extend a duty to notify individuals of any wrong(HIPAA) ful disclosure of “unsecured PHI.” Passed in 1996, HIPAA was one of the first statutes that specifically concerned any form of confidential Minnesota Plastic Card Security Act or personal information. The HIPAA framework The state of Minnesota recently amended its data

URMI A Journal 2009

breach notification law to hold entities responsible for the costs of re-issuing credit cards in the event of a data breach. The Minnesota Plastic Card Security Act (S.F. No. 1574),14 which was passed in the wake of the TJX security breach,15 can certainly pertain to educational institutions as it applies to any entity accepting credit cards, debit cards, or other stored value cards. The statute requires companies to reimburse card issuing financial institutions for the “costs of reasonable actions” to both protect their cardholders’ information and to provide post-breach services to their cardholders. More specifically, reimbursement covers costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts, stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover the costs of damages it pays to cardholders resulting from a breach.16 Currently, Minnesota is the only state with such a law, but other states have tried to pass similar statutes, so far without success. Regulatory Actions In the aftermath of some data breach incidents, it is not uncommon for the FTC, Federal Communications Commission (FCC), or State Attorneys General to launch investigations and levy penalties. In 2006, ChoicePoint, a consumer data provider, paid a $15 million fine to the FTC after thieves hacked the company’s database.17 In 2008, Hannaford Bros., an East Coast grocery store chain, suffered a data breach that exposed over four million credit card numbers and resulted in 1,800 cases of fraud. Four class action suits were quickly filed against the company, and lawyers subsequently filed 12 additional complaints. Not only has the incident led to Hannaford defending litigation across the East Coast, but the Secret Service has also launched an investigation into the breach.18 Civil Litigation Although there is no statutorily recognized foundation for launching lawsuits over data breaches, lawsuits charging negligence must show that accepted standards of performance were not met.19 Historically, the plaintiff must

U R M I A Jou r n a l 2 0 0 9

show that he or she suffered some sort of direct harm as a result of the negligence. A 2006 case involving a stolen laptop containing 550,000 individuals’ full credit information sheds some light on what “reasonable” protections an entity must provide in order to avoid damages. Stacy Guin had a student loan with Brazos Higher Education Service Corporation. Brazos employed a financial analyst to review its loan portfolio and decide which loans to buy and sell. The financial analyst worked from his house in Maryland and had files related to as many as 550,000 of these loans on his laptop at home. The analyst’s house was burglarized, and the unencrypted files were stolen. Ms. Guin sued Brazos for breach of contract, breach of fiduciary duty, and negligence. The court granted summary judgment for the defendant mortgage company, finding that it was not negligent and that the victims who lost data could not demonstrate any “damages” as a result of the conduct. The court concluded that the defendant had complied with the statutory provisions of the Gramm Leach Bliley Act (GLBA), a federal regulation that requires financial institutions to protect consumer information, because it had written security policies, had current risk assessment reports, and had “proper safeguards for its customers’ personal information,” therefore meeting the required standard of care.20 Courts in other data breach cases, such as those in Forbes v. Wells Fargo Bank,21 Bell v. Acxiom Corporation,22 and Key v. DSW,23 have dismissed similar litigation based on plaintiffs’ lack of ability to demonstrate damages stemming from the theft or loss of their PII. For example, the United States Court of Appeals for the Seventh Circuit has held that plaintiffs who only sought damages for future credit monitoring and emotional distress did not suffer a “compensable damage” under Indiana law for negligence and breach of contract actions.24 Most recently, in May 2009, a US District Court handed a victory to data-breached entities, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly.25 Following the breach described earlier in this article, the company was hit with class-action lawsuits alleging breach of implied contract, breach of implied warranty, negligence and violation of Maine’s Unfair Trade Practices Act. The judge ruled that without actual and substantial loss of

money or property, consumers could not seek damages. In the course of coming to its decision, the court solidified the idea that no legal duty exists to provide “perfect” security—security obligations will be judged on a reasonableness standard instead. While civil lawsuits generally contend that a plaintiff must have suffered harm in order to recover from the offending firm, regulatory proceedings can focus on merely the offending firm’s actions or inactions. For instance, in March 2008, ValueClick settled with the FTC for $2.9 million regarding a lawsuit that alleged negligence in protecting sensitive data.26 The lawsuit stated that ValueClick violated its own privacy policy by neglecting to encrypt consumers’ private information, as well as failing to fix vulnerabilities to hacker attacks. Education Incidents According to the Open Security Foundation, a group that tracks publicly reported data breaches, educational institutions were responsible for 25 percent of data breaches in 2007 and 22 percent in 2008 (see Figure 1).27 The same data shows that from January 1, 2007, until December 31, 2008, approximately 224 educational institutions experienced data breaches involving 4,351,319 records. Combine those statistics with a study conducted by the Ponemon Institute28 that found the average cost of a data breach was $197 per record, and the potential costs are astounding.

*Source: Open Security Foundation / DataLossDB

Below are details of several security incidents in the education industry within the last few years, including the two largest breaches suffered by educational institutions to date. University of California, Los Angeles (UCLA) In December 2006, the University of California, Los Angeles (UCLA) reported a breach resulting from a software flaw that may have compromised more than 800,000 records, including names, birth dates, and Social Security numbers of current and former students. UCLA established an informational website, Identity Alert Hotline,29 and sent notices to all affected individuals in the wake of the breach. The website remains active to date. As of April 2007, the investigation into the breach confirmed Social Security numbers for approximately 28,600 people were illegally retrieved by the hackers. At the time, this breach was the largest ever reported by a US university.30 Chicago Public Schools (CPS) Chicago Public Schools (CPS) suffered two significant breaches in the past three years. In November 2006, a contractor sent mailings regarding benefits to more than 1,700 former CPS employees. Included in these mailings was a 125-page packet that included the names, addresses, and Social Security numbers of the former employees receiving the packets. A former teacher that received the mailing subsequently filed a lawsuit against CPS seeking compensation and punitive damages.31 In the second incident, which occurred in April 2007, more than 40,000 records were breached when two laptops belonging to an accounting firm hired to audit the CPS pension fund were stolen from the CPS central office.32 University of Miami In this April 2008 incident, the University of Miami announced a container carrying backup tapes on which nearly 2,100,000 medical records were stored was stolen from the truck of the off-site storage firm used by the university. The University of Miami was praised by the Wall Street Journal for its immediate and efficient response, which included hiring an in-

URMI A Journal 2009

formation technology forensics expert to determine if the encrypted information kept on the tapes could be accessed, notifying 47,000 individuals whose ﬁnancial information was exposed, and establishing a website and an informational call center.33

utility given the need to freely exchange information within the collaborative workings of the academic community. This dynamic, combined with the decentralized nature of most large educational institutions, makes enforcement of effective security extremely difficult. Those responsible for central IT in an educational environment should make every effort to be cognizant of how different departments are sharing information and what steps, if any, they are taking to secure it.

Causes of Security Incidents— Educational Institutions In 2008, the Campus Computing Project completed its annual national survey of information technology issues in higher education across the US.34 Senior campus IT Contractual Allocation of Risk officials representing 531 two- and four-year colleges and As 30 percent of all reported breaches are attributed to external partners, consu universities across the US provided the data. The executive consultants, outsourcers, and contractors, otal security incidents it is critical to determ summary shows the percentage of total determine the boundaries of liability when ties any confidential information is shared suffered by the colleges and universities for business b that were attributable to each type off purposes. The failure to do so can ca result in confusion and disarray incident during the last four years. Each It is essential that the le whe security incident may involve multiple when a breach occurs. Even standard insured work with he outs different types, thus accounting for the outsourcing arrangements can cause com variance in the percentage amount. Itt is complicated chains of liability when his or her broker to rted mult important to note that the data reported multiple layers of subcontractors becom by the Campus Computing Project come involved. Appropriate contractual customize it to the uch as prov includes any threat to IT security, such provisions in business agreements and institution’s specifi c sifies outs theft of laptops, not just what it classifi outsourced services arrangements can 35 mitig as a security “breach.” mitigate the effect of these situations by exposures. clear The Campus Computing Projectt clearly defining responsibility, ensuring on the proper p survey is also an important illustration precautions are taken when ple, in the iinformation is out of the control of of changing technologies. For example, ses reported spyware the educational institu 2005, just over 40 percent of campuses institution, and limiting the liability of the problems compared to 2008, when 15 percent of campusorganization in the unfortunate event of a data breach. es reported spyware problems. Reports of virus infestaInstitutions should work closely with legal counsel and tion also decreased over that time period. Additionally, insurance advisors to ensure that insurance requirements, between 2006 and 2008, the survey reports an increase in contractual indemnities, and the institution’s own insurcampus IT security incidents linked to social networking ance policies all work in concert. sites, which generated little to no breach activity in 2005. Incidents linked to social networking sites are not viewed Insurance Solutions as traditional IT security breaches but are likely due to Coverage Under Existing Policies cyberstalking or actual stalking that arose from an initial General Liability and Property Policies viewing on a social networking site. All insureds should review their traditional insurance policies to determine the exact scope of coverage Risk Management Strategies for data breaches. Changes in 2004 to the Insurance Technology and Strategy Service Organization (ISO) forms, as well as some inIt is critical that the technologies educational institusurance litigation, have limited the coverage available tions use conform to their security policies and protocols. under traditional general liability and property forms, Unfortunately, highly secure applications often have lesser and exclusions are becoming more common as general

U R M I A Jou r n a l 2 0 0 9

liability carriers oﬀer standalone network security and privacy policies.

3rd Party Coverage Part Professional Services

Other Insurance Policies Depending upon the facts of the data breach and the particular wording of the policies, some coverage could exist in various other policies, including Commercial Crime Policies, Employment Related Practices Policies, Data Processing Policies, Computer Fraud Policies, Advertising, or Kidnap and Ransom Policies. For instance, if a hacker claims that conﬁdential information will be distributed on the internet unless the insured pays some type of extortion fee, some kidnap and ransom policies may provide defense and indemnity coverage. In general, such policies were not intended to cover privacy and data breaches, however, and there are signiﬁcant coverage gaps in each. Available Coverage Overview Security and Privacy Liability insurance, also called Cyber Liability or Network Risk, can be designed to respond to third party liability and related defense costs and/or the insured’s own costs following a data breach. The available coverage parts are as follows: 1st Party Coverage Part

Covers:

Information Asset

Damage to or theft of the insured’s information assets from its computer system

Business

Lost income suffered as the result of a system outage or extended downtime due to negligence

Interruption Cyber Extortion

Extortion threats to commit an intentional computer attack against you

Crisis Management

Various costs resulting from a security / privacy breach

/ Identity Theft Expenses

FIGURE 3: FIRST PARTY COVERAGE

Coverage Content / Media Liability

Network Security Liability Privacy Liability

Covers: Acts, errors, or omissions in the course of providing professional services Personal and advertising injury and some intellectual property infringement arising out of media content created, produced, or disseminated by the insured Breaches in network security or unauthorized access events Wrongful disclosure of conﬁdential information

FIGURE 4: THIRD PARTY COVERAGE Educational institutions considering this coverage should note that the Information Asset and Business Interruption coverage parts have not been especially relevant to the education industry. There are exceptions, however; one example is an entity whose primary revenue stream is from network/internet activities, such as online universities. Additionally, there have been few first party claims paid by any insurer, and significant hurdles to coverage exist, such as waiting periods of six to 18 hours before coverage applies and no coverage for an organization’s internal information technology expenses. Coverage Features and Exclusions Each carrier addresses the risks in a different manner, so it is essential that the insured review the policy form and work with his or her broker to customize it to the institution’s specific exposures. The following areas should be carefully reviewed: Policy Trigger Early versions of network risk policies were tied to “network security” breaches and were meant to respond to breaches of the insured’s computer network security only. Today’s network risk coverage responds to breaches of the security and/or privacy of information by online or offline means arising from electronic devices not connected to a network, such as laptops, personal digital assistants (PDA), data tapes, or external hard drives, or from non-electronic incidents, including dumpster diving or the theft of paper files or log books.

URMI A Journal 2009

Media Liability Media liability, which responds to personal and advertising injury claims arising from online or print media and advertising content, is often included in the same policy. This serves a dual purpose of expanding the Advertising Injury/Personal Injury coverage in the insured’s General Liability policy and ensuring that data breach-related claims, like invasion of privacy and/or publication of private facts, are covered when they arise from content. One example would be the unintentional publication of a database of student names and Social Security numbers on the insured’s website. Insider Acts Coverage Security and privacy policies generally exclude coverage for intentional wrongful acts, and some states prohibit such coverage on public policy grounds. A broad policy should include a severability provision that maintains coverage for the entity even if the wrongful act was committed maliciously by an employee. Policies should also provide for coverage and defense of insureds facing allegations of intentional wrongful acts until such conduct is established by a ﬁnal adjudication. Employee Claimants As with most third party liability policies, there is an insured versus insured exclusion in all security and privacy policies. The broadest policies now include a carveback to cover the entity for claims made by employees in the event that a breach involves employee information. Independent Contractors Many educational institutions outsource functions like billing and data storage to third party vendors. Policies should respond on a blanket basis, whether the breach is caused by an employee of the insured or by an independent contractor operating on behalf of the insured. Regulatory Claims Proceedings related to state disclosure laws and other government initiated actions can result in both

U R M I A Jou r n a l 2 0 0 9

defense costs and fines or penalties. Defense cost coverage is readily available at a sublimit of $250,000 or less, but some carriers offer full policy limits. Coverage for fines or penalties is less available, and the coverage is only provided to the extent allowable under law; many state laws prohibit coverage for statutory or regulatory fines and penalties as against public policy. More recently, some carriers have agreed to cover the portion of a penalty that is paid into a consumer redress fund from which affected individuals can recover. Identity Theft Mitigation and Crisis Management Expenses Coverage is available for a number of the costs that can result from a data breach event. It is important for an entity to clarify its priorities in this area, since the available limit and scope of coverage differs by carrier. Covered costs can include consumer notification, provision of credit monitoring, operation of call centers and related identity theft services, or the services of a public relations, law, or crisis management firm. Carriers impose a variety of sublimits, different retentions, and coinsurance provisions to this coverage. Additional Terms and Conditions There are many other terms to consider that are not unique to network risk policies, such as Choice of Counsel, Extended Reporting Period options, “hammer clause,” and prior acts coverage. Insurance Marketplace and Benchmarking The market for Security and Privacy Liability is rather competitive at this time, with favorable risks renewing at substantial rate decreases and carriers actively soliciting new insureds. However, educational institutions are a difficult class of business for underwriters due to a perception of higher risk. Benchmarking in this area is difficult to categorize and not particularly valuable because each underwriting situation is based on many different factors, such as revenues, student statistics, loss history, information security posture, contractual allocation of liability, and number or accessibility of data records.

Underwriting Process The first step in the underwriting process is the completion of an application and/or self-assessment. It is essential that the risk management team engage the appropriate information security and privacy personnel in the application process to provide complete and accurate information. The assessment and application process also provides an opportunity to critically examine an entity’s information risk management strategies. Implementation of best practices and due diligence with respect to information security and privacy are paramount to obtaining this insurance coverage and to maintaining sound risk mitigation practices. In conjunction with the base application, a potential insured should be prepared to provide the following: • Copies of privacy policies • Standard contracts • Outsourced service arrangements • Results of any external or internal audits or assessments that illustrate the information security posture. Examples include Statement on Auditing Standard (SAS) 70,36 Payment Card Industry Data Security Standard (PCI),37 or International Organization for Standardization (ISO) 27001 (formerly 17-799)38 • Details of any security breach incidents and the response to them, as well as any new protocols put in place to prevent similar incidents • Financial information and student statistics In addition to an analysis of the standard application materials, underwriters will ask targeted questions in response to the current environment and the latest breach incidents. Policies in Action Neither Aon nor the 10 insurance carriers surveyed for this paper have seen significant losses covered by the purchase of Network Risk and Security Insurance by educational institutions. However, it is still important to determine where and how the policies would likely respond in the event that coverage is purchased and available. Using the University of Miami breach, Figure 5 indicates how different coverages could be applied. It is important to note the description in Figure 5 is merely an indication, not

a factual discussion of how coverage, if purchased, would likely respond. Figure 5 assumes that, prior to its April 2008 breach, the University of Miami purchased a policy that included both ﬁrst and third party elements with a limit of $10,000,000 (certain applicable sublimits would apply) and a retention of $500,000; the elements of coverage would only respond after the applicable retention is exhausted: 1st Party Coverage Part

Covers:

Information Asset

Coverage would likely respond, allowing University of Miami to gather and recreate the information stored on the lost back-up tapes containing the 2.1 million records. (Sublimit)

Crisis Management

Coverage would likely assist with the costs of notifying the 47,000 individuals whose ﬁnancial records were exposed, setting up the informational call center, and even providing credit monitoring if the university deemed it necessary to the extent the sublimit would allow.

/ Identity Theft Expenses

3rd Party Coverage Part Network Security Liability Privacy Liability

Covers: If a lawsuit were to be ﬁled by the affected individuals because of the breach, coverage would likely respond with the defense costs and indemnity if assessed.

FIGURE 5: COVERAGE EXAMPLES BASED ON THE UNIVERSITY OF MIAMI CASE STUDY Conclusion Educational institutions must continue to rise to the challenge of maintaining both open access and strong information security and privacy, because this dynamic is firmly embedded in the modern practice of higher education, with its reliance on advanced technology. Privacy and technology risks are constantly evolving, and the litigious nature of our society guarantees that the legal questions surrounding the liability arising from these exposures will continue evolving indefinitely. In the meantime, universities must work to minimize liability through proactive risk identification, mitigation, and, if appropriate, risk transfer. The development of specialized insurance products and expertise in this area over the last decade means that even entities that have dismissed the narrow coverage of the past may benefit from a fresh look at risk transfer.

URMI A Journal 2009

About the Authors

The Campus Computing Project, “Executive Summary: 2008 National Survey of Information Technology in US Higher Education,” October 2008, http://www.campuscomputing.net/sites/www.campuscomputing. net/ﬁles/CC2008-Executive%20Summary_3.pdf.

Federal Register, 34 CFR Part 99: Family Educational Rights and Privacy; Final Rule, December 9, 2008, http://www.ed.gov/legislation/ FedRegister/ﬁnrule/2008-4/120908a.pdf. Jill Rachlin Marbaix, “Lessons in Privacy: College May Be a Safe Haven in Many Ways, but Identity Theft Is Still a Serious Risk,” U.S. News and World Report, August 29, 2004, http://www.usnews.com/usnews/biztech/ articles/040906/6theft.htm.

SSarah Stephens is a Senior Broker w with Aon Financial Services Group aand is part of the Professional Risk S Solutions Team. Ms. Stephens’ areas oof focus include Content/Media Liaability and Security/Privacy Liability ffor risk management clients. Prior to h her current position, Ms. Stephens spent four years with Aon Risk Services as an Account Specialist focusing on client service for large accounts with multiple lines of business.

SShannan Fort is an Associate Broker w Aon Financial Services Group with a is part of the Professional Risk and S Solutions Team. Ms. Fort focuses on S Security/Privacy Liability and Techn nology Liability for risk management c clients across various industries. Prior t her current position, Ms. Fort spent to six months in Middle Market Casualty and six months as an Account Specialist, through Aon’s Early Career Development program.

Endnotes 1

Obviously, there are signiﬁcant non-privacy related risks to universities arising from internet usage, such as ﬁle sharing, plagiarism, and other content-related risks, but we have chosen to focus on privacy in this paper.

Angel Jannasch-Pennell, et al., “Crafting a Campus Identity: First-Year Students, Residential Life, and Social Networking,” Proceedings of the EDUCAUSE 2008 Annual Conference, Orlando, FL, October 28-31, 2008. Sheldon Steinbach and Lynn Deavers, “The Brave New World of MySpace and Facebook,” Inside Higher Ed, April 3, 2007, http://www. insidehighered.com/views/2007/04/03/steinbach.

Alicia Anderson, “Effective Management of Information Security and Privacy,” EDUCAUSE Quarterly, 29:1 (2006), http://www.educause. edu/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazineVolum/ EffectiveManagementofInformati/157387.

Matt Ivester, “A Juicy Shutdown,” Ofﬁcial JuicyCampus Blog, February 4, 2009, http://juicycampus.blogspot.com. Jack Stripling, “Juice Runs Dry,” Inside Higher Ed, February 5, 2009, http://www.insidehighered.com/news/2009/02/05/juicy. Anne Milgram, Letter to Dr. Richard L. McCormick, President of Rutgers, The State University of New Jersey, State of New Jersey Ofﬁce of the Attorney General, August 26, 2008, http://www.nj.gov/oag/ newsreleases08/082608-college-internet-letter.pdf.

U R M I A Jou r n a l 2 0 0 9

“New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft,” Federal Trade Commission, June 2008, http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm.

“Fighting Fraud with the Red Flags Rule,” Federal Trade Commission, http://ftc.gov/redﬂagsrule.

Protected Health Information is defined by HIPAA as follows: Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: 1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and 2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and i) That identifies the individual; or ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Jaikumar Vijayan, “Feds Finally Put Teeth into HIPAA Enforcement,” Computerworld, September 8, 2008, http://www.computerworld.com/ action/article.do?command=viewArticleBasic&taxonomyName=Security &articleId=325376&taxonomyId=17&pageNumber=1.

Minnesota Senate, S.F. No. 1574, 2nd Engrossment 85th Legislative Session, April 18, 2007, https://www.revisor.leg.state.mn.us/bin/ showPDF.php. “The TJX Security Breach,” The Boston Globe, 2009, http://www.boston. com/business/personalﬁnance/specials/tjx_credit.

Timothy P. Tobin, “In Response to TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations,” Proskauer Rose LLP, May 29, 2007, http://privacylaw.proskauer.com/2007/05/ articles/security-breach-notiﬁcation-l/in-response-to-tjx-data-breachone-state-enacts-legislation-imposing-new-security-and-liabilityobligations-similar-bills-pending-in-ﬁve-other-states.

“State ﬁnes Kaiser Permanente for Privacy Breach,” California Healthline, June 21, 2005, http://www.californiahealthline.org/articles/2005/6/21/ State-Fines-Kaiser-Permanente-for-Privacy-Breach.aspx?topicId=40 David Sharp, “Breach Exposes 4.2 Million Credit, Debit Cards,” MSNBC, March 17, 2008, http://www.msnbc.msn.com/id/23678909/

As stated by John Soma, Professor at the University of Denver College of Law and the Executive Director of the Privacy Foundation. See also: Doe v. Dartmouth-Hitchcock Medical Center, No. CIV. 00-100-M (D.N.H. July 19, 2001); Nexans Wires S.A. v. Sark-USA Inc., 319 F.Supp.2d 468 (S.D.N.Y. 2004); Theofel v. Farey-Jones, 359 F.3d 1066 (2004); and Charles Schwab & Co. Inc. v. Carter, No. 04 C 7071 (N.D. Ill. Sept. 27, 2005).

As stated by Dan Bacalski, Attorney with San Diego-based Bacalski,

Byrne and Koska. Guin v. Brazos Higher Education Service Corporation, No. Civ. 05-668 RHK/ JSM, Feb. 7, 2006, D. Minn. (Not Reported in F.Supp.2nd).

Forbes v. Wells Fargo Bank, 420 F.Supp.2nd 1018 (D. Minn. March 16, 2006).

Bell v. Acxiom Corporation, 2006 WL 2850042 (E.D.Ark). Key v. DSW, No. 2:06-cv-459 (S.D. Ohio, Sept. 27, 2006). “Court Limits Damages for Data Security Breach,” Scott & Scott, September 10, 2007, http://blawg.scottandscottllp.com/ businessandtechnologylaw/2007/09/court_limits_damages_for_data. html.

23 24

In Re Hannaford Bros. Co. Customer Data Security Breach Litigation, MDL Docket No. 2:08-MD-1954, May 12, 2009, D. Brock Hornby, U.S. District Ct.

Tim Wilson, “FTC Deal Suggests Enterprises Could Be Liable for Poor Security,” DarkReading, March 17, 2008, http://www.darkreading.com/ document.asp?doc_id=148572.

Open Security Foundation / DataLossDB, http://www.datalossdb.org. Ponemon Institute, “2008 Annual Study: Cost of a Data Breach,” 2008, http://www.encryptionreports.com/costofdatabreach.html.

“UCLA Identity Theft,” University of California, Los Angeles (last updated March 19, 2009), http://www.identityalert.ucla.edu/index.htm. Jaikumar Vijayan, “Breach at UCLA Exposes Data on 800,000,” Computerworld, December 12, 2006, http://www.computerworld.com/ action/article.do?command=viewArticleBasic&taxonomyName=Security &articleId=9005925&taxonomyId=17&pageNumber=1.

Linda Coady, Esq., “Former Teacher Sues Over Release of Social Security Numbers,” FindLaw, December 8, 2006, http://news.lp.ﬁndlaw.com/ andrews/bt/prv/20061208/20061208_cohen.html.

“Laptop Theft Hits Chicago Public Schools,” Network World, April 9, 2007, http://www.networkworld.com/news/2007/040907-laptop-therftchicago-schools.html. “Stolen University of Miami Computer Tapes Contain Patient Data,” iHealth Beat, April 18, 2008, http://www.ihealthbeat.org/ articles/2008/4/18/Stolen-University-of-Miami-Computer-Tapes-ContainPatient-Data.aspx.

When we refer to a “breach” in this article, we generally include any event that results in the exposure or potential exposure of conﬁdential information, including, but not limited, to any event that triggers notiﬁcation obligations under state or federal breach disclosure laws. Most privacy and security insurers use the same guidelines.

“SAS No. 70, Service Organizations,” American Institute of Certiﬁed Public Accountants (AICPA), http://infotech.aicpa.org/Resources/ Assurance+Services/Standards/SAS+No.+70+Service+Organizations. htm.

“About the PCI Data Security Standard (PCI DSS),” PCI Security Standards Council, https://www.pcisecuritystandards.org/security_standards/ pci_dss.shtml.

International Organization for Standardization, http://www.iso.org/iso/ home.htm.

URMI A Journal 2009

A ship in harbor is safe, but that is not what ships are built for. —JOHN A. SHEDD, AMERICAN AUTHOR AND PROFESSOR

FERPA Then and Now: Disclosure of Mental Health Information Under the Health and Safety Emergency Exception Allison B. Newhart, Esquire, Saul Ewing LLP and Barbara F. Lovelace, Esquire

In trying to strike a balance, schools are faced with Abstract: The mental health of students, faculty, and staff the question of when it is lawful to release confidential and the safety of the campus community are major concerns mental health records and information about students to for administrators and mental health professionals on US third parties, such as off-campus mental health professioncollege campuses. Colleges and universities face a difficult als, law enforcement personnel, or parents.5 In the past, task, however, in responding to mental health issues and schools often erred on the side of maintaining a distressed indicators of potentially harmful behavior while continuing student’ s confidentiali dentiality in fear of violating confidentialto protect the privacy of their students.. The Family Educaity la laws, such as the Family Educational tional Rights and Privacy Act (FERPA) A) Righ Rights and Privacy Act (FERPA).6 was recently amended to assist colleges and Afte the recent amendments, however, After universities in protecting their campuses es Colleges and FER should no longer be viewed as FERPA and getting students the mental health asin an insurmountable obstacle to disclosure. sistance they may need. These amendments ments universities are give higher education institutions greater ter facing everWha is FERPA? What freedom in working to protect studentss from FER is a federal statute that governs FERPA themselves and from potentially dangerrincreasing discl disclosure of student records and inforous behavior of others without the fearr of 7 mati Although parents have access mation. violating confidentiality laws. This article icle pressures to st to student records while their child is in discusses how the recent FERPA amendndidentify and elem elementary or secondary school, once a ments will impact mental health providers ders stud attends college, the rights prostudent on campus and how the amendments aim manage students vide by FERPA rest with the student— vided to provide campuses with greater options ons not tthe parents—even if he or she is for responding to high risk students. in mental distress. youn than 18 years old.8 Generally, younger unde FERPA, an institution cannot disunder Introduction close information from a college student’s owing Mental illness is a significant and growing 1 “education records” unless (1) the information is directory concern for colleges and universities nationwide. Increasinformation and the student has not requested it remain ing numbers of students are seeking out on-campus men2 private, (2) the student consents to the disclosure, or (3) tal health services for a variety of mental health issues. an exception applies which allows disclosure without the Although student shooters who kill or injure others are student’s consent.9 FERPA contains several exceptions to more likely to receive press coverage, students who commit the general rule of non-consensual disclosure of education suicide, which is the third leading cause of death among 3 records. Of particular importance in dealing with oncollege students, are far more common. As a result of campus mental health issues is FERPA’s health and safety increasing caseloads, greater numbers of more seriously ill emergency exception.10 students, and poor insurance coverage which pays for only brief hospitalizations, colleges and universities are facing The Health and Safety Emergency Exception ever-increasing pressures to identify and manage students 4 Under FERPA, medical and psychological records used in mental distress. This pressure to help students strugonly for the treatment of students, termed “treatment gling with mental illness is often counterbalanced by colrecords,” are not considered “education records” or subject leges’ and universities’ duty and desire to protect student to FERPA’s disclosure rules.11 However, once student privacy.

URMI A Journal 2009

medical information is released for a reason other than treatment, such as in response to an emergency, that information is deemed to be “education records” under FERPA. At that point, it cannot be disclosed absent an exception.12 The health and safety emergency exception allows disclosure of student information to appropriate parties in connection with an emergency if the knowledge is necessary to protect the health or safety of the student or another individual.13 Although signs of student emotional distress rising to the level of an emergency are sometimes difficult to identify, especially in college students who may have a unique definition of acceptable behaviors, this exception could apply to a student’s suicidal statements or ideations or atypical erratic and angry behavior posing a risk of harm to the student or others.14 Amendments to the federal regulations implementing FERPA, including the regulation on the health and safety emergency exception, became effective on January 8, 2009.15 An understanding of how and why the law has changed provides insight into how the amended exception is intended and how it might be interpreted in the future. FERPA Enforcement Although parents and students do not have a right to sue for violations of FERPA, the government can investigate allegations of violations from any source.16 Under FERPA, the government may not make funds available to any agency or institution that has a policy or practice of violating a parent’s or a student’s rights under the statute with regard to disclosure of education records.17 Before seeking to withhold, terminate, or recover funds for a violation of FERPA, the Secretary must first find that an institution has a policy or practice in violation of FERPA’s non-disclosure requirements. Further, the government cannot take any action against a school that has violated FERPA until it has provided the school a reasonable period of time to come into compliance with the law voluntarily. Potential punishments include withholding payments under any applicable program, issuing a complaint to compel compliance, terminating eligibility to receive future funding, entering into a compliance agreement, seeking an injunction, or any other legally available enforcement action.18 In wrongful death lawsuits involving alleged violations of FERPA, many times initiated by a deceased student’s family, the most common claim is for negligence.

U R M I A Jou r n a l 2 0 0 9

Looking Back: Strictly Construing “Emergency” Under the Prior Regulations Under the prior FERPA regulations, institutions were required to strictly construe the definition of “emergency” under the health and safety emergency exception.19 In attempting to comply with the law, school officials often erred on the side of maintaining a distressed student’s confidentiality, sometimes with disastrous results.20 The April 2007 Virginia Tech shootings, during which Seung Hui Cho killed 33 people, including himself, is such a case.21 In the months prior to the shootings, Mr. Cho’s behavior disturbed both professors and fellow students.22 In 2005, he was declared at “imminent risk” of causing harm and ordered by a judge to seek counseling.23 Some faculty members reported that they complained about Mr. Cho’s behavior to school authorities but were unaware of student complaints about him.24 Other faculty members wanted to notify Mr. Cho’s parents of his disturbing behavior but believed that to do so would violate FERPA.25 If under the pre-amended regulations school officials were reluctant to share information on a student whose behavior was as overtly disturbing as Mr. Cho’s, then they were even less likely to disclose information of students whose mental distress was less obvious or whose risk of harm to themselves or others was less clear. Two wellknown case examples illustrate two significant problems that arose under pre-amendment FERPA: (1) schools’ reluctance to break student confidentiality and (2) the complicated nature of a school’s decision to disclose a student’s confidential information in the face of mental illness.26 The Case of Elizabeth Shin On April 14, 2000, Elizabeth Shin died from burns she suffered from a fire in her dormitory room at the Massachusetts Institute of Technology (MIT).27 At the time of the fire, she had overdosed on medications.28 As early as her freshman year, and possibly before, Elizabeth experienced psychiatric problems with periods of severe depression accompanied by threats of suicide and cutting followed by periods of apparently normal behavior.29 During her time at MIT, Elizabeth had numerous interactions with MIT staff and administrators regarding her mental health. For instance, she met with a dean to discuss her mental health and received counseling and treatment at the campus mental health center.30 Signs

of her worsening distress included overdosing on mediproviders, student life administrators, dormitory housecation, sending a disturbing e-mail to a professor, and masters, and MIT police officers, arguing that MIT repeatedly threatening suicide.31 At one point, Elizabeth’s violated the health and safety exception in FERPA by friends took turns staying up at night with her because not notifying them of Elizabeth’s troubling behavior.43 In 2005, the Massachusetts Superior Court dismissed claims they feared for her safety.32 Her treating mental health professionals considered hospitalization and contacted against MIT and its police officers but held that MIT ening condition.33 On administrators and medical m the dean of students about her worsening staff were potentially liable for Elizabeth’s death, allowing allo the morning of her suicide, a “deans and psychs” meeting Elizabeth’s parents to proceed 344 was held to discuss Elizabeth’s case. It with the negligence claims.44 In March 2006 is unclear what treatment options, if any, 2006, in response to the proposition that In 2002, a $27.65 nonwere discussed at the meeting.35 non-clinicians, including school adminOn Monday, April 10, 2000, Elizazaistra istrators, might be held liable for student million wrongful 36 suici beth again threatened suicide. Thatt suicides, schools nationwide filed amicus brief evening, Elizabeth locked her dorm room briefs in support of MIT.45 Elizabeth’s death lawsuit was m, case never made it to a jury. Instead, in door and lit candles. Around 9:00 pm, brought against moke Apri April 2006, MIT and Elizabeth’s parents students smelled smoke, heard the smoke eth’s reach reached a confidential settlement agreedetector, and tried to get into Elizabeth’ MIT, MIT healthcare ved, men ment.46 room. When the campus police arrived, es they found Elizabeth with her clothes providers, student The Case of Chuck Mahoney engulfed in flames. She was taken to the life administrators, om In 22002, 20-year old Chuck Mahoney, hospital, where days later she died from 37 who had been diagnosed with major her injuries. dormitory During her struggle with mental depr depression by a psychiatrist, hanged himself iin his fraternity house at Allegheny illness at MIT, Elizabeth specifically housemasters, and nColl requested that her parents not be conCollege in Meadvillle, Pennsylvania.47 MIT police officers, He w was considered a high risk for suicide tacted.38 Her friends who were awaree and had been hospitalized between his of the relationship she had with her arguing that MIT ot fresh parents indicated that they would not freshman and sophomore years. Chuck’s men have considered calling her parents, mental health issues seemed to go violated the health 39 nts thro either. Ultimately, Elizabeth’s parents through periods of control and exacerbaand safety exception r’s tion, with the stress from performing were never notified of their daughter’ ere both academically and athletically and troubling behavior by MIT. They were in FERPA. erelat aware and reassured that she was seerelationship troubles contributing to his ith decli ing a psychiatrist to help her cope with decline.48 ut D During his time at Allegheny, Chuck academic and relationship stresses, but h ll counselor l who consulted with several offsaw a college they did not know that she had, over a course off months, 40 campus mental health professionals about his case. Chuck repeatedly threatened suicide. They also did not know that Elizabeth cut herself with a knife or that some of her had refused repeated requests from his counselor that she psychiatrists recommended hospitalization.41 The night have his consent to contact his parents or hospitalize him. in the spring of 2000 when Elizabeth was taken to the The professionals disagreed as to the extent of the risk and infirmary, her parents were told only that she was taken to whether it justified breaking Chuck’s confidentiality.49 When Chuck told his counselor that he had reguthe infirmary, but they were denied further information lar thoughts of suicide and planned to kill himself, she because of confidentiality rules.42 In 2002, Elizabeth’s parents brought a $27.65 million notified the dean of students and once again consulted wrongful death lawsuit against MIT, MIT healthcare with colleagues, some of whom believed Chuck should

URMI A Journal 2009

be forced to take a leave of absence.50 The concern over school officials to specifically notify parents when there is Chuck grew so great that the president of Chuck’s fraa health or safety emergency involving their child.57 The amendments also require a school to record what informaternity house called both the dean of students and the tion is released under the exception.58 Thus, the amendassociate dean at home to express his concern over Chuck’s ments afford greater flexibility and deference to school behavior, and another of his fraternity brothers sent an eadministrators to use appropriate resources quickly and mail to Chuck’s counselor, the two deans, and other college decisively in managing emergencies.59 They also provide staff requesting a meeting.51 College officials met and debated whether to call Chuck’s parents or force him to take reassurance to school officials that their reasonable decia leave of absence. Unfortunately, Chuck hanged himself sions to disclose information about students who may be at risk of harming themselves the in his fraternity house on February 11, 2002. His parents or others will not be second 60 guessed by the government. govern were never notified of his disturbing behavior prior to his Whereas under the prior regulations W death.52 the term, t In 2003, Chuck’s parents broughtt “emergency,” had to be “strictly The amendments cons a civil action against Chuck’s college construed” before a school was permitted tto disclose confidential information counselor, the college, the two deans,, and afford greater icide with a doctor.53 At the time of Chuck’s suicide without a student’s consent, the amended A’s regu in 2002, an emergency under FERPA’ regulations alter this standard. Under flexibility and on the amended a health and safety emergency exception regulations, a school may deference to school gh discl was to be strictly construed. Although disclose confidential student information al to ap Allegheny school officials and mental appropriate parties, including parents, administrators to her in connection co health professionals discussed whether with an emergency “if aknow to share Chuck’s confidential informaknowledge of the information is necesuse appropriate sary to protect the health or safety of tion with his parents, they decided itt was resources quickly ke the student s not in his best interest to do so.54 Like or other individual.”61 In d decid Elizabeth, Chuck had repeatedly and deciding whether to disclose information and decisively unde explicitly refused to give his consent to under this exception, a school is permitents. ted t consider all of the circumstances the release of information to his parents. to in managing essurro Although Chuck’s parents might quessurrounding the threat.62 If the school emergencies. dete determines that there is “an articulable tion whether Chuck was capable of maknored and significant threat” to the health or ing this decision, school officials honored reed safet safety of a student or other individual, it Chuck’s wishes. A jury ultimately agreed wn actions and that may disclose information informat from the student’s confidential that Chuck was responsible for his own records to parties “whose knowledge of the information the school and its officials could not be held liable for his 55 is necessary to protect the health or safety of the student suicide. or other individuals.”63 If there is a “rational basis” for the Looking Forward: Affording Schools Greater school’s decision to release the information, based on Flexibility Under the Amended Regulations information available at the time, then the Department of Although FERPA has never been a complete obstacle to Education will defer to the school and not substitute its releasing confidential student information in the case of judgment for that of the institution.64 The Analysis of Comments and Changes section of the an emergency, the amendments to the health and safety amended FERPA regulations explains that an emergency emergency exception now make it easier for a college could be a situation where a student gives “sufficient cumuor university to release information to parents or other lative warning signs” that lead a school or school officials appropriate third parties without a student’s consent.56 Specifically, the amendments remove the requirement that to believe that the student may be a danger to himself or the emergency exception be strictly construed and allow others at any moment. A school official must be able to

U R M I A Jou r n a l 2 0 0 9

express in words the circumstances leading the official parents been notified of the students’ behavior prior to reasonably conclude that a student poses a significant to their deaths.69 In general, however, the amendments present no downside to disclosure in such situations. It threat of substantial bodily harm to any person, including is understandable that, prior to the amendments, schools the student himself. If a school official can do so, then he felt constrained to maintain confidentiality. The newly may disclose the confidential student information to any amended regulations remove many of those constraints. person whose knowledge of the information will help in Because the amended FERPA regulations no longer protecting a person from that threat. Further, the pperson ave to be the person require that an emergency emerg be strictly construed, school receiving the information does not have tion. c have greater flexibility to notify officials responsible for providing the protection. ed e law enforcement, mental health profesThe information can also be disclosed sion sionals, or students’ parents in an attempt in order to gather information from any The recent ental to pr prevent similar situations if they person, including other students, mental nt, cons consider a student a danger to himself or health professionals, law enforcement, amendments also othe By erring on the side of disclosure others. the potential victim, or other schoolss or require a school he su situations, schools can minimize in such institutions previously attended by the n l the likelihood of a court ruling that student, who has further information to keep a record he scho officials should have taken action school that would be necessary to provide the 65 pr to protect a student based on a special protection needed. In addition, un-of the “articulable ded relat like the prior regulations, the amended relationship but failed to do so. and signifi cant dent’s regulations specifically include a student’ hom Whe Disclosure May Not Be in a parents as an appropriate party to whom When threat” that formed nforStud a school can disclose mental health inforStudent’s Best Interest mation in an emergency. In so some cases, campus officials or health the basis for the uire a prof The recent amendments also require professionals may believe that a student’s disclosure and the lable situa school to keep a record of the “articulable situation is best handled without involvhe p and significant threat” that formed the ing parents or other third parties. In such parties to whom es to case school officials or mental health basis for the disclosure and the parties cases, d.66 prof whom the information was disclosed. professionals might seek a student’s conthe information was in a A school must make the record within sent to disclosure of his information to a disclosed. pare However, if the student refuses, reasonable time period after the disparent. o cial or professional may believe closure has been made and maintain the offi ds this record with the education records that breaking the student’s confidentiality cation records are would cost them the student’ s of the student for as long as the education s trust or push the student to 67 maintained. The purpose of this record requirement is suicide. Therefore, the official or professional might decide to demonstrate to parents, students, and the Department not to notify the student’s parents, even if the law allows of Education the circumstances that led school officials them to do so.70 In those cases, the FERPA amendments may have little direct impact. to believe there was an emergency and how they justified the disclosure of information otherwise protected by Sued for Disclosure, Sued for Non-Disclosure FERPA.68 In the past, schools have opened themselves to lawsuits A Second Look at Two Lives Lost: by students and their families regardless of whether they The Balance Has Shifted in Favor of Disclosure decided to disclose information or keep it confidential.71 For example, some universities have tried to avoid liability Taking a second look at the cases of Elizabeth Shin and by forcing potentially suicidal students off campus under Chuck Mahoney, there is no clear answer as to whether mandatory withdrawal policies.72 In addition to having the either case would have turned out differently had their

URMI A Journal 2009

possible effect of deterring suicidal students from seeking because a special relationship existed between Elizatreatment on-campus, this may also open schools up to beth and university administrators.81 The amendments to FERPA suggest that schools can mitigate their risk liability for violation of discrimination laws, such as the of exposure by erring on the side of disclosure in cases Americans with Disabilities Act or the Rehabilitation 73 involving indicators such as those in the cases of Elizabeth Act. In 2005, Jordan Nott sued George Washington ion barred him from Shin and Chuck Mah University, claiming that the institution Mahoney, although the full impact of the ass ame campus and suspended him from class amendments on court decisions remains sion after he sought treatment for depression to be seen. 74 and suicidal thoughts. The case wass In addition to nts Imm settled out of court.75 Several students Immediate Steps Colleges and rtUniv have filed complaints with the DepartUniversities Can Take the health and Coll ment of Education, alleging that theyy Colleges and universities should view 76 incre safety emergency have faced situations similar to Nott’’s. increased discretion granted by the es FER amendments as an opportunity It is important to note that these cases FERPA exception, FERPA ove re involved affirmative school action above to review their policies and resources a and beyond merely disclosing a stufor addressing student mental health allows campus der issue Now that FERPA’s regulations dent’s mental health information under issues. nt or personnel to share FERPA, such as suspending a student have been amended, nothing is stopping ool. sch with a rational basis for doing forcing his withdrawal from the school. a school information from merfr disclosing mental health inforOn the other hand, there are numerso from tumati Even though it is important to ous examples of cases where an institumation. student education tion was criticized or sued because itt know when, under FERPA’s amended n regu records with other failed to disclose student information regulations, school officials can share 77 under FERPA’s previous regulations.. confidential student information, schools “school offi cials” shou also work to (1) try to prevent Although many such lawsuits settle out should poreme of court, two court decisions are imporemergencies by providing coordinated if those officials tant to note. In Jain v. Iowa, brought in and effective mental health services for eld stud 2000, the Supreme Court of Iowa held have a “legitimate students and (2) be prepared for when eme that non-therapist school officials at the emergencies arise. There are certain steps educational interest” uty University of Iowa had no general duty that colleges and universities can take n towa these goals now. to notify parents that their son was in toward in the information mit“impending danger” before he commitonRevi Current Policies being disclosed. ted suicide and that no special relationReview ad ship existed between the school and the In addition to the health and safety tive eme student that would create an affirmative emergency exception, FERPA allows camp personnel to share informaduty to prevent the suicide.78 In com-campus parison, in 2002, in Schieszler v. Ferrum College, a Virginia tion from student education records with other “school federal court held that school officials had a legal duty to officials” if those officials have a “legitimate educational ensure the safety of the deceased student, Michael Frentinterest” in the information being disclosed.82 Under both the previous regulations and the amended regulations, inzel, because they knew of the “imminent probability” that 79 dividual institutions may define in their own policies who he would try to harm himself. In 2003, Ferrum settled the lawsuit with Mr. Frentzel’s family, admitting to “shared is considered to be a “school official” and what is deemed responsibility” for his suicide, the first such acknowledgto be a “legitimate educational interest.”83 Therefore, each college and university should make its own determination ment by an American college.80 Similarly, the court in the Shin case reasoned that Elizabeth’s suicide was foreseeable as to which school officials can access a student’s educa-

U R M I A Jou r n a l 2 0 0 9

tion records and disclose information to parents or other if they have questions or concerns. Schools can consider 84 appropriate parties. Institutions with policies in place providing information through publications on the intershould also review their current FERPA policies for the net or newsletters or through speeches and seminars.94 Schools can also extend awareness beyond their scope of “school officials” and other terms to gain the max85 campuses to parents by encouraging parents to (1) inform imum flexibility and discretion for sharing information. The policy should be clear as to which school officials have school officials in advance if they know that their child access to and the responsibility for disclosing information has a history of mental health problems and (2) file the 86 in emergency situations. necessary paperwork to establish that their child is a In addition, schools should review their policies dependent.95 By taking steps to establish that a student is a dependent prior to the manifestations of any mental regarding student consent for disclosure of information. health issues, the school will be in a position, if necessary, Under FERPA’s regulations, both before and after amendcy of seeking prospecto release information to that student’s parents without ment, schools are able to have a policy fear of liability under FERPA. tive student consent for disclosure off confidential information or may havee nt Imp Improve Quality of and Access to a policy for obtaining student consent Through 87 s. On-C On-Campus Mental Health Services for disclosure on a case-by-case basis. Similarly, schools can have a policy A 20 2004 government-ordered investigacommunication, placing all students under the age of 24 tion discovered major gaps in college mental health oof men health services, including limited in the dependent category unless proof mental ire crisi management, a shortage of mental of independence is provided or require crisis response or cy heal professionals, limited communicaparents to verify students’ dependency health heir each semester by sending a copy of their tion between campus mental health staff threat assessment me to tax returns.88 Schools should take time and student health services staff, a lack teams can better xire review their policies and provide maxiof re-integration plans for students who retu to school after a hospitalization or mum flexibility to act in preparation for return monitor high risk future emergencies. leave of absence, and extreme variation in inter interpretations of FERPA.96 In addition, students. ess stud students are becoming increasingly conTrain Staff and Increase Awareness n cern cerned that, when dealing with mental It is often difficult to determine, even ch heal health issues, schools are more concerned for mental health professionals, which h l or others. h i h minimizing i i i i their h i own liability than with the wellwith students are in danger of harming themselves being of their students.97 Many troubled students who are depressed or angry do Some believe that cases such as Elizabeth’s and Chuck’s not ultimately engage in overtly destructive behavior.89 Many times the best way of knowing that a student is are good for schools and students because they encourage in distress is through intuition.90 Therefore, one of the all schools to re-evaluate their policies and provide more most effective ways of identifying students in distress is comprehensive mental health services to their students.98 As an example, prior to Elizabeth’s death, MIT did not to provide training to people of all levels and positions 91 offer evening counseling hours and had few therapists, on campus. Education on the common warning signs of such things as suicide and eating disorders is key.92 School which forced students to wait at least 10 days for an apofficials and staff should be educated on the limits and pointment.99 As a result of Elizabeth’s case, MIT made important changes to its mental health treatment policy, applications of FERPA’s emergency health and safety exincluding evening hours for the mental health department, ception through training sessions and should know what increased mental health staff fluent in a variety of languagsteps to take in the case of an emergency or suspected 93 es, and improved coordination of mental health and mediemergency. In addition, employees should know where to go to find further information on the school’s policies cal care with other campus departments, including athlet-

URMI A Journal 2009

ics, religious services, the disabilities office, and residential life.100 MIT’s Medical Department is now fully staffed by physicians, psychiatrists, and other medical specialists.101 However, many other institutions still do not have a psychologist or psychiatrist on staff at their campuses, and, unfortunately, therapists and guidance counselors may not be aware of their responsibilities under FERPA or when it is lawful to break a student’s confidentiality.102 Although individual health professionals are essential to averting student suicides and other destructive behavior, it is vital that institutions develop mental health response teams or threat assessment teams consisting of people all across campus, including professors, housing and security staff, counselors or mental health professionals, and deans.103 Through communication, these teams can better monitor high risk students.104 For instance, at Cornell University, professors report students who have poor grades, seem withdrawn, or are not coming to class mid-semester. Although therapists are legally required to keep patient information confidential, they can receive information from other college staff members and follow up with students. Further, Cornell’s health center screens students who come in, regardless of the reason, for signs of depression by asking about warning signs, including trouble sleeping, poor appetite, difficulties concentrating, or thoughts of self-harm. Cornell’s therapists also hold free, no appointment consulting hours in multiple locations across campus.105 Similarly, the University of Illinois considers all students who make non-lethal suicide attempts to be high risk. Each suicide attempt or gesture triggers an incident report and a follow-up response. These students are ordered to undergo mandatory assessment sessions for four weeks and, if necessary, receive continued therapy.106 Conclusion Each case involving a student’s mental health is as different as are the students themselves. Therefore, there are no hard and fast rules for schools to follow when deciding whether to release information under FERPA’s health and safety emergency exception. Although in retrospect a school official, counselor, or mental health professional may wish he or she had acted differently or disclosed or not disclosed certain information, those in the difficult position of making this decision can only base their deci-

U R M I A Jou r n a l 2 0 0 9

sions on information available at the time and what the law allows. The new, more discretionary amendments do not provide a complete answer, but they do suggest that the more prudent option may often be disclosure. Under the amended FERPA regulations, schools are afforded more flexibility to decide whether to disclose information regarding a student’s mental health, and, if they do decide to disclose the information, their decisions are less likely to be second guessed by the government. The balance has now tipped in favor of disclosure. By disclosing information of a student considered to be a danger to himself or others, schools can minimize their own risk of liability. Further, there are certain steps that institutions can take immediately to improve their response to emergencies and decrease the likelihood of emergencies arising, including educating employees on school policies, training staff and increasing awareness, and improving the quality of and access to mental health services on-campus.

About the Authors

Allison B. Newhart, Esquire, is an A aassociate in the litigation department aand a member of the Higher E Education and Insurance Practice G Groups at Saul Ewing LLP. She is aalso a member of URMIA and the N National Association of College and U University Attorneys (NACUA).

Barbara F. Lovelace, Esquire, is B aadmitted to practice law in New Jersey aand Pennsylvania. Ms. Lovelace earned h her law degree from Rutgers School of L Law–Camden. After law school, she cclerked for a federal judge for a year aand then worked as a member of the H Higher Education Practice Group at Saul Ewing LLP for a year and a half.

Endnotes 1

Six percent of undergraduates and four percent of graduate students seriously considered suicide within the previous 12 months, according to an August 2008 American Psychological Association survey.

Scott Jaschik, “Redeﬁning Suicide Risk – and Prevention Strategy,”

Roan, “Crisis on Campus Anxious Parents, Troubled Students.”

Inside Higher Ed, August 18, 2008, http://www.insidehighered.com/ news/2008/08/18/suicide.

Sharpe, “Suicide at MIT Raises Parents’ Ire.” 4

Karen Grava, “Communication Key to Helping Students with Mental

in risky activities, (2) increased alcohol or drug use, (3) anxiety, and (4)

Health Issues,” University of Connecticut Advance, March 17, 2008, http://

being unable to sleep or sleeping all the time. Many of these symptoms are

advance.uconn.edu/2008/080317/08031714.htm.

typical for the average college student, making it difﬁcult for counselors or

Common mental health issues on college campuses include attention

peers to recognize which students are at risk for suicide or might endanger

deﬁcit and eating disorders, depression, addiction, personality and

the well-being of others. It is especially difﬁcult to get help for those who

mood disorders, phobias, and anxiety and panic disorders. According

are struggling with these disorders because many students with problems

to a 2007 survey by the Association of University College Counseling

never seek help themselves. The Jed Foundation, About Suicide Prevention, 2009, http://www.

Center Directors, a national organization, 82 percent of counseling center

jedfoundation.org/learn-more/about-suicide-prevention).

directors noted that the number of students seeking counseling who have signiﬁcant psychological problems is increasing. The increasing numbers

Jaschik, “Redeﬁning Suicide Risk—and Prevention Strategy.”

of students with mental illness on campuses is attributed to a number

Roan, “Crisis on Campus Anxious Parents, Troubled Students.” Sharpe, “Suicide at MIT Raises Parents’ Ire.”

of factors, including onset of many disorders around college age, better diagnosis, and improved treatment options, such as medications which

Roan, “Crisis on Campus Anxious Parents, Troubled Students.”

See 20 U.S.C. § 1232g. FERPA applies to any “educational agency or

allow mentally ill students to become functional and attend college. Some students who are diagnosed with a mental illness and receive treatment

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

prior to college begin to deteriorate once on campus when they stop taking their medications or have a change in their support systems. In

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

addition to the often difﬁcult transition from home to college, students

institution” that receives funds under any program administered by the

also face increasing competition in academics and sports at a younger age

Department of Education which includes virtually all public and private

and disruptive or chaotic family lives. Working while attending college to

postsecondary institutions. 34 C.F.R. section 99.1(a)).

afford laptops, cell phones, and other technology is yet another stressor

United States Department of Education, Family Educational Rights and

for many students.

Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis,

National Institute of Mental Health, The Numbers Count: Mental

December 2008, http://www.ed.gov/policy/gen/guid/fpco/pdf/ht12-17-08-

Disorders in America, 2008, http://www.nimh.nih.gov/health/publications/

att.pdf.

the-numbers-count-mental-disorders-in-america/index.shtml.

Elizabeth Bernstein, “Education Department Reworks Privacy

Grava, “Communication Key to Helping Students with Mental Health

Regulations,” The Wall Street Journal, December 9, 2008, http://online.wsj.

Issues.”

com/article/SB122878222728889843.html.

Shari Roan, “Crisis on Campus Anxious Parents, Troubled Students,” Los

The National Association of College and University Attorneys (NACUA),

Angeles Times, September 3, 2007, http://articles.latimes.com/2007/sep/03/

FERPA and Campus Safety, NACUANOTES, August 6, 2007, http://www.

health/he-mental3. University of Michigan, “Students with Symptoms of Mental Illness Often Don’t Seek Help,” ScienceDaily, June 25, 2007, http://www.

missouristate.edu/assets/registrar/NACUANOTES_Aug_07.pdf. 8

NACUA, FERPA and Campus Safety.

Education records are broadly deﬁned as records (1) directly related to

sciencedaily.com/releases/2007/06/070624141841.htm.

a student and (2) maintained by an educational agency or institution or

Elizabeth Bernstein, “Colleges’ Culture of Privacy Often Overshadows

by a party acting for the agency or institution. Directory information is

Safety,” The Wall Street Journal, April 27, 2007, http://online.wsj.com/

information contained in a student’s education record that would not

article/SB117763681568684306.html.

generally be considered harmful or an invasion of privacy if disclosed.

Jon Marcus, “Judge Backs Family in MIT Suicide Case,” Times Higher

Directory information includes, for example, a student’s name,

Education, August 12, 2005, http://www.timeshighereducation.co.uk/story.

photograph, date of birth, and degrees. See 34 CFR § 99.3.

asp?storyCode=197854&sectioncode=26.

United States Department of Education and United States Department

Deborah Sontag, “Who Was Responsible for Elizabeth Shin?” The New

of Health and Human Services, Joint Guidance on the Application of

York Times, April 28, 2002, http://query.nytimes.com/gst/fullpage.html?res

the Family Educational Rights and Privacy Act (FERPA) and the Health

=9F00EED7113FF93BA15757C0A9649C8B63.

Insurance Portability and Accountability Act of 1996 (HIPAA) to Student

Rochelle Sharpe, “Suicide at MIT Raises Parents’ Ire,” USA Today,

Health Records, November 2008, http://www.hhs.gov/ocr/privacy/hipaa/

January 24, 2002, http://www.usatoday.com/news/nation/2002/01/25/usat3

Common warning signs of suicide include (1) acting recklessly or engaging

understanding/coveredentities/hipaaferpajointguide.pdf.

mit.htm.

NACUA, FERPA and Campus Safety.

In 2005, suicide ranked as the third leading cause of death for people ages

University of Rhode Island, Introduction to FERPA, Family Education Rights and Privacy Act, or FERPA 101, http://www.uri.edu/es/forms/pdf/

15-24. Further, according to the Jed Foundation, 80 percent of college

faculty/ferpa.pdf.

students who commit suicide never sought mental health services at their college counseling center. Grava, “Communication Key to Helping Students with Mental Health Issues.” American Association of Suicidology, Youth Suicide Fact Sheet, January 28, 2008, http://www.suicidology.org/web/guest/stats-and-tools/fact-sheets.

34 CFR § 99.36. In addition to the health and safety emergency exception, FERPA allows campus personnel to share information from student education records with other “school ofﬁcials” if those ofﬁcials have a “legitimate educational interest” in the information being disclosed. 34 CFR § 99.31.

URMI A Journal 2009

Portability and Accountability Act of 1996 (HIPAA) to Student Health

Two other exceptions allow disclosure of student information to

Records.

a student’s parents without the student’s consent. Under the ﬁrst,

United States Department of Education, Disclosure of Information from

student information can be released to a parent or guardian under any circumstances if the student is dependent for federal tax purposes as

Education Records to Parents of Postsecondary Students, http://www.ed.gov/

deﬁned in section 152 of the Internal Revenue Code of 1986. To disclose

policy/gen/guid/fpco/hottopics/ht-parents-postsecstudents.html (last modiﬁed June 7, 2007).

information under this exception, the institution must verify the student’s dependent status by, for example, asking the student for conﬁrmation or

NACUA, FERPA and Campus Safety.

asking the parents for a copy of their tax return. This exception will apply

Ibid.

to approximately 50 percent of undergraduate students. Under the second,

Federal Register, 34 CFR Part 99.

the institution may disclose information to a student’s parents regarding

34 CFR § 99.64.

any violation of a law or of an institutional rule or policy governing the use

United States Department of Education, Family Educational Rights and

or possession of alcohol or a controlled substance. To release information

Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

under this exception, the institution must have determined that the

Bernstein, “Education Department Reworks Privacy Regulations.”

student committed a disciplinary violation with respect to the law or

Federal Register, 34 CFR Part 99.

institutional policy and the student must be under 21 at the time of both

Ibid.

the violation and disclosure. 34 CFR § 99.31.

Bernstein, “Education Department Reworks Privacy Regulations.”

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

Federal Register, 34 CFR Part 99: Family Educational Rights and Privacy; Final Rule, December 9, 2008, http://www.ed.gov/legislation/FedRegister/

Eric Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed,” The

ﬁnrule/2008-4/120908a.pdf.

Chronicle of Higher Education, August 12, 2005, http://chronicle.com/cgi2-

United States Department of Education, Family Educational Rights and Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

bin/printable.cgi?article=http://chronicle.com/free/v51/i49/49a00101.htm. 21

Karin McAnaney, “Finding the Proper Balance: Protecting Suicidal

eSchoolNews, January 12, 2009, http://www.eschoolnews.com/news/top-

Students Without Harming Universities,” Virginia Law Review, 94:197 (2008), 204. NACUA, FERPA and Campus Safety. 11

State and federal laws, other than FERPA, may protect the privacy of

news/index.cfm?i=56670. 22

Ibid.

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

Three days after the Virginia Tech shootings, Virginia Governor Timothy

student medical records, including mental health records. For example,

Kaine formed the Virginia Tech Review Panel to evaluate the events of

professional conﬁdentiality rules demand a higher burden than FERPA

that day. The panel’s ﬁndings indicated that there were clear warning

regulations for release of information, such as the existence of a signiﬁcant

signs of Mr. Cho’s mental distress and that, although individuals and

threat of serious and imminent harm to a speciﬁcally foreseeable victim.

school departments were aware of the signs, they did not communicate

If this threshold is met, then conﬁdential mental health information

with each other or intervene effectively. The panel also found that there

can be shared with police or other authorities or the individual may be

was confusion among school ofﬁcials about what information could be

involuntarily hospitalized.

disclosed to each other and Mr. Cho’s parents under FERPA.

34 CFR § 99.36.

Va. Tech Review Panel, Mass Shootings at Virginia Tech, Report of the

34 CFR § 99.3.

Review Panel 2.

NACUA, FERPA and Campus Safety. Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.” 25

University of Rhode Island, Introduction to FERPA, Family Education

Walter Olson, “Could Less Rigid Privacy Laws Have Prevented

United States Department of Education and United States Department

the Virginia Tragedy,” Times Online, April 20, 2007, http://business.

of Health and Human Services, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance

timesonline.co.uk/tol/business/law/columnists/article1683556.ece. 26

It is important to note that many times school mental health personnel

Portability and Accountability Act of 1996 (HIPAA) to Student Health

do not believe it is in the best interest of a student with mental illness to

Records.

release mental health information to parents or other third parties, even if

The federal Health Insurance Portability and Accountability Act (HIPAA),

they are legally able to do so. Every case must be assessed on an individual

Pub. L. 104-191, 110 Stat. 1936 (codiﬁed as amended in scattered sections

basis. Roan, “Crisis on Campus Anxious Parents, Troubled Students.”

of 18, 26, 29, and 42 U.S.C.), excludes from coverage treatment and education records that are protected by FERPA at schools that provide

Elizabeth suffered third degree burns over 60 percent of her body.

health or medical services to students. Therefore, once a student’s mental

Although her death was initially ruled a suicide by “self-inﬂicted thermal

health information is released for purposes other than treatment and that

burns” by the Suffolk County Medical Examiner’s Ofﬁce and the Cambridge

information is considered part of an “education record,” its disclosure

Fire Department, toxicology reports showed that she had overdosed on

would have to fall under one of FERPA’s exceptions to be justiﬁed. HIPAA

medications at the time of the ﬁre, which may have prevented her from

would not apply.

reacting to the ﬁre.

United States Department of Education and United States Department of Health and Human Services, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance

Carter, “Updated Privacy Law Addresses Student Safety.” Bernstein, “Education Department Reworks Privacy Regulations.”

Rights and Privacy Act, or FERPA 101.

Dennis Carter, “Updated Privacy Law Addresses Student Safety,”

U R M I A Jou r n a l 2 0 0 9

Curt Fischer, “Controversial MIT-Related Cases Resolved Last Year,” The Tech, February 9, 2007, http://tech.mit.edu/V127/N2/2lawsuits.html. Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

to refuse requests to notify her parents.

Shin v. Massachusetts Institute of Technology, No. 02-0403, 2005 Mass.

Fischer, “Controversial MIT-Related Cases Resolved Last Year.”

Super. LEXIS 333, at * 15 (Mass. Super. June 27, 2005).

Barbara Lauren, “MIT Student Suicide Case Settled Out of Court,”

Sontag, “Who Was Responsible for Elizabeth Shin?”

American Association of Collegiate Registrars and Admissions Ofﬁcers

Sharpe, “Suicide at MIT Raises Parents’ Ire.” 28

Fischer, “Controversial MIT-Related Cases Resolved Last Year.”

(AACRAO), April 5, 2006, http://www.aacrao.org/transcript/index.

Elizabeth enrolled at MIT in 1998 and experienced psychiatric problems

cfm?fuseaction=show_print&doc_id=3116. Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

during the spring of her freshman year. It appears that Elizabeth had

Sontag, “Who Was Responsible for Elizabeth Shin?”

mental health problems as far back as high school. She told a psychiatrist that she had cut herself deliberately during that time. A psychiatrist

The Superior Court of Massachusetts held that there was a “special

described her as suffering from depressive disorder and possible

relationship” between the MIT administrators, the dormitory housemaster,

borderline personality disorder.

and a dean and Elizabeth, “imposing a duty on [the housemaster and

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

dean] to exercise reasonable care to protect Elizabeth from harm.”

Sontag, “Who Was Responsible for Elizabeth Shin?”

Shin, No. 02-0403, 2005 Mass. Super. LEXIS 333, at * 37-38.

Sharpe, “Suicide at MIT Raises Parents’ Ire.”

Fischer, “Controversial MIT-Related Cases Resolved Last Year.”

Sontag, “Who Was Responsible for Elizabeth Shin?”

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

After receiving a poor grade in physics while at the same time suffering from mononucleosis, she spent a week in a hospital for evaluation after

Marcus, “Judge Backs Family in MIT Suicide Case.” 45

Twenty-three universities, including Cornell, and eight national higher

overdosing on Tylenol with codeine. The following month, she sent a

education associations ﬁled three amicus briefs on behalf of MIT arguing

disturbing e-mail message regarding a bottle of sleeping pills to one of

that university staff members who were not health professionals should

her instructors who forwarded the message to another professor who

not be held liable for failing to prevent a student’s suicide and that

sent the e-mail on to the dean with whom Elizabeth had previously met.

imposing a legal duty on non-clinicians to detect and prevent suicides

It is unclear what, if any, action was taken in response to this e-mail. On

will foster an incentive for school ofﬁcials to disengage from distressed

Saturday, April 8, 2000, Elizabeth was taken to the inﬁrmary by campus

students’ lives.

police after she told another student she was going to kill herself with a

Fischer, “Controversial MIT-Related Cases Resolved Last Year.”

knife. The psychiatrist on call, who had not previously treated Elizabeth,

Lauren, “MIT Student Suicide Case Settled Out of Court.”

spoke with her by phone for approximately ﬁve minutes and decided it

Marcella Bombardieri, “Parents Strike Settlement with MIT in Death of

was safe for her to return to her dorm room.

Daughter,” The Boston Globe, April 4, 2006, http://www.boston.com/news/

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

local/articles/2006/04/04/parents_strike_settlement_with_mit_in_death_

Shin, No. 02-0403, 2005 Mass. Super. LEXIS 333, at * 11-12.

of_daughter.

Sontag, “Who Was Responsible for Elizabeth Shin?”

Danny Pearlstein, “Honoring Elizabeth Shin,” The Cornell Daily Sun,

Sharpe, “Suicide at MIT Raises Parents’ Ire.”

March 15, 2006, http://cornellsun.com/node/17077.

Sontag, “Who Was Responsible for Elizabeth Shin?”

Ibid.

the MIT psychiatrists and agreed that Elizabeth’s death was probably

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

accidental. Lauren, “MIT Student Suicide Case Settled Out of Court.”

Shin, No. 02-0403, 2005 Mass. Super. LEXIS 333, at * 13. 35

Shin, No. 02-0403, 2005 Mass. Super. LEXIS 333, at * 13.

Elizabeth told two friends that she was preparing to kill herself with a combination of alcohol and Tylenol and requested one of them erase her

Rob Capriccioso, “Settlement in MIT Suicide Suit,” Insider Higher Ed, April 4, 2006, http://www.insidehighered.com/news/2006/04/04/shin. 47

computer ﬁle. After threatening to kill herself, Elizabeth fell asleep. Her

Elizabeth Bernstein, “After a Suicide, Privacy on Trial,” The Wall Street Journal, March 24, 2007, http://online.wsj.com/article/

friend talked to the dorm master who contacted the psychiatrist on call.

SB117470447130847751.html.

They decided to let her sleep and contact the school administrators in the

Ibid.

morning.

Ibid.

In the months preceding Chuck’s death, his fraternity brothers and

Sontag, “Who Was Responsible for Elizabeth Shin?” 37

As part of the agreement, the Shins did not proceed with a lawsuit against

ex-girlfriend grew increasingly concerned about his behavior. He was

Sontag, “Who Was Responsible for Elizabeth Shin?”

spending a great deal of time alone in his room, drinking heavily, and

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.” 38

Sontag, “Who Was Responsible for Elizabeth Shin?”

Ibid.

Sharpe, “Suicide at MIT Raises Parents’ Ire.”

Ibid.

Sontag, “Who Was Responsible for Elizabeth Shin?”

Ibid.

By the time the case reached the jury, the only remaining defendants were

Sharpe, “Suicide at MIT Raises Parents’ Ire.” 42

Sontag, “Who Was Responsible for Elizabeth Shin?” Sharpe, “Suicide at MIT Raises Parents’ Ire.”

making plans to give away his dog. Ibid.

The Shins’ lawsuit claimed that MIT was overly concerned with

Allegheny College, Chuck’s counselor, and a doctor. The jury voted 11-1 in

protecting Elizabeth’s conﬁdentiality, failed to notify them of her mental

favor of the defendants. Ibid.

deterioration, and did not provide adequate coordinated mental health services. They questioned whether Elizabeth was in the right state of mind

Federal Register, 34 CFR Part 99.

URMI A Journal 2009

Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

NACUA, FERPA and Campus Safety. 57

Bernstein, “Education Department Reworks Privacy Regulations.”

The amended regulations state that, in some cases, it might be appropriate

NACUA, FERPA and Campus Safety.

to release information to a spouse or other family member. Federal Register, 34 CFR Part 99.

Ibid.

Federal Register, 34 CFR Part 99.

United States Department of Education, Family Educational Rights and

Although it is impossible to objectively evaluate in retrospect the wisdom

Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

of Allegheny’s or MIT’s decisions not to disclose information to Elizabeth’s

Federal Register, 34 CFR Part 99. 60

Bernstein, “Education Department Reworks Privacy Regulations.”

The amended regulations, section 99.36 states that the following conditions apply to disclosure of information in health and safety

or Chuck’s parents, it was apparent that both students’ counselors, mental health professionals, and friends believed that they were in immediate danger of harming themselves. 70

emergencies:

schools are faced. In both cases, (1) on-campus counselors or psychiatrists

(a) An educational agency or institution may disclose personally

evaluated and treated the students, (2) the schools’ deans were aware of

identiﬁable information from an education record to appropriate parties,

the students’ distress, and (3) off-campus mental health professionals and

including parents or an eligible student, in connection with an emergency

colleagues were consulted for advice and guidance. When both students

if knowledge of the information is necessary to protect the health or safety

explicitly refused requests that their parents be contacted, the school

of the student or other individual.

ofﬁcials abided by their wishes. The school ofﬁcials considered other

alternatives, such as hospitalization and involuntary leave of absence.

educational agency or institution may take into account the totality of the

Arguably, the school ofﬁcials took the action they believed was in the

circumstances pertaining to a threat to the health or safety of a student

students’ best interest.

or other individuals. If the educational agency or institution determines

Sharpe, “Suicide at MIT Raises Parents’ Ire.”

that there is an articulable and signiﬁcant threat to the health or safety of

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

a student or other individuals, it may disclose information from education

Bombardieri, “Parents Strike Settlement with MIT in Death of Daughter.”

records to any person whose knowledge of the information is necessary to

Mandatory withdrawal policies may also make the friends of suicidal

protect the health or safety of the student or other individuals. If based

students less likely to come forward about early warning signs of suicidal

on the information available at the time of the determination, there is a

behavior to school ofﬁcials. As an alternative to mandatory withdrawal,

rational basis for the determination, the Department will not substitute its

the University of Illinois requires every student who attempts or threatens

judgment for that of the educational agency or institution in evaluating

suicide to attend four sessions with a mental health professional for

the circumstances and making its determination.

assessment of the student’s mental health. If the students refuse to attend

34 CFR § 99.36.

the sessions, then they may face mandatory withdrawal from the school.

United States Department of Education, Family Educational Rights and

The University of Illinois also requires student affairs personnel to submit

Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

a Suicide Incident Report to the school’s counseling center when they

NACUA, FERPA and Campus Safety. 62

have evidence or information that a student has “threatened or attempted suicide, engaged in efforts to prepare to commit suicide or expressed a

34 CFR § 99.36.

preoccupation with suicide.”

United States Department of Education, Family Educational Rights and

McAnaney, “Finding the Proper Balance: Protecting Suicidal Students

Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

Without Harming Universities.”

NACUA, FERPA and Campus Safety. 63

Rob Capriccioso, “Counseling Crisis,” Inside Higher Ed, March 13, 2006,

34 CFR § 99.36.

http://www.insidehighered.com/news/2006/03/13/counseling.

United States Department of Education, Family Educational Rights and Privacy Act (FERPA) Final Rule, 34 CFR Part 99, Section-by-Section Analysis.

NACUA, FERPA and Campus Safety. 64

Federal Register, 34 CFR Part 99.

Section 99.32. What recordkeeping requirements exist concerning requests

seek help. Nott was barred from campus under the school’s “endangering behavior policy” that applies to students whom the school suspects pose a danger to themselves and others. Ryan Holeywell, “University Settles Jordan Nott Lawsuit,” The GW Hatchet, November 2, 2006, http://www.gwhatchet.com/home/index.cfm?e

and disclosures?

vent=displayArticlePrinterFriendly&uStory_id=0388547b-6d39-46e0-85d4-

(a)(5) An educational agency or institution must record the following

a9c8c2210562.

information when it discloses personally identiﬁable information from

Lauren, “MIT Student Suicide Case Settled Out of Court.”

education records under the health or safety emergency exception in §

Bombardieri, “Parents Strike Settlement with MIT in Death of

99.31(a)(10) and § 99.36:

Daughter.”

(i) The articulable and signiﬁcant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and (ii) The parties to whom the agency or institution disclosed the information

Nott ﬁled suit in the D.C. Superior Court alleging that school policies discriminated against those who have mental illness and punish those who

34 CFR § 99.36. NACUA, FERPA and Campus Safety.

Elizabeth’s and Chuck’s cases illustrate the delicate balance with which

Holeywell, “University Settles Jordan Nott Lawsuit.”

In at least four cases in 2006, the Department of Education’s Ofﬁce for Civil Rights, which is responsible for enforcing the Rehabilitation Act of

Federal Register, 34 CFR Part 99.

1973 prohibiting discrimination based on disability by recipients of federal

United States Department of Education, Family Educational Rights and

assistance, sided with the students.

U R M I A Jou r n a l 2 0 0 9

Capriccioso, “Counseling Crisis.” 77

A Brown University student’s mother sued after her son, Daniel Shuster,

Ibid.

McAnaney, “Finding the Proper Balance: Protecting Suicidal Students

committed suicide in 1990. In 2004, Paul Kraut, a freshman at Babson

Without Harming Universities.”

College in Wellesley, Massachusetts, jumped off a balcony. Prior to his

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

death, his mother had asked the school to have a counselor speak with

Grava, “Communication Key to Helping Students with Mental Health

him. In 2002, James Ross, a student at State University of New York at Buffalo, shot himself to death. His parents were not notiﬁed about his

Issues.” 91

behavior prior to his death.

referrals from maintenance workers who ﬁnd vomit in wastebaskets from

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

students with eating disorders.

Sharpe, “Suicide at MIT Raises Parents’ Ire.” Tova A. Serkin, “Brown University Sued for Negligence in Suicide Case,”

Dartmouth in Hanover, New Hampshire, receives many mental health

Sharpe, “Suicide at MIT Raises Parents’ Ire.” 92

One additional consideration is education and training on cultural

The Harvard Crimson, July 14, 2000, http://www.theharvardcrimson.net/

differences and how they may affect a student’s mental health crisis or

article.aspx?ref=101273.

a school’s response. Certain cultures may be less open about dealing

McAnaney, “Finding the Proper Balance: Protecting Suicidal Students

with mental health issues. Culture may have played a role in the cases of

Without Harming Universities.”

Elizabeth Shin and Mr. Cho, both of whom came from Korean households.

Lauren, “MIT Student Suicide Case Settled Out of Court.”

Elizabeth, in consultation with her father, refused to seek treatment

Jain v. Iowa, 617 N.W.2d 293, 300 (Iowa 2000).

outside of the university contrary to a doctor’s recommendation. She did

The court explained that the fact that the school required Mr. Frentzel to

agree to meet with a university psychiatrist periodically throughout the

sign a statement that he would not hurt himself after he was found alone

academic year. For many in Korea, mental or emotional problems are signs

in his room with self-inﬂicted bruises on his head was an indication that

of shame and guilt, which are additional obstacles to getting treatment.

the school believed Mr. Frentzel was likely to harm himself again.

The impact of cultural differences will continue to grow as the immigrant

Schieszler v. Ferrum College, 236 F. Supp. 2d 602, 609 (W.D. Va. 2002).

population in the US grows. Therefore, to more fully understand students’

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

backgrounds and pressures, staff should be made aware of the potential

Hoover, “Judge Rules Suicide Suit Against MIT Can Proceed.”

The decisions that have found liability for student suicides on the

impact of cultural differences when dealing with mental health issues. Va. Tech Review Panel, Mass Shootings at Virginia Tech, Report of the Review Panel 2.

part of school administrators based on a special relationship between

The Jed Foundation, About Suicide Prevention.

the administrators and students may have the effect of discouraging

Shin v. Mass. Inst. of Tech., 19 Mass. L. Rptr. 570, 571 (Mass. Super. Ct.

administrators from becoming more actively involved in monitoring

2005).

and treating potentially suicidal students. Some schools are concerned

Sontag, “Who Was Responsible For Elizabeth Shin?”

that programs focusing on reaching out to students with mental health problems that involve school administrators learning details about

NACUA, FERPA and Campus Safety.

The University of Connecticut has a website that provides online

a student’s situation may form the basis for a court to ﬁnd that any subsequent suicide is foreseeable by the administrator. However, as an

Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

alternative to deciding not to offer such programs, schools can instead

assessment tools and self-help information for faculty, staff, parents,

minimize liability exposure by erring on the side of disclosure in cases

and students. It includes the handbook for helping students in distress.

where students are at imminent risk of harming themselves or others.

The University also produces a Counseling and Mental Health Services

Shin, No. 02-0403, 2005 Mass. Super. LEXIS 333, at * 37-38.

newsletter.

Susanna G. Dyer, “Is There a Duty?: Limiting College and University

Grava, “Communication Key to Helping Students with Mental Health

Liability for Student Suicide,” Michigan Law Review, 106:1379 (2008), 1383.

Issues.”

McAnaney, “Finding the Proper Balance: Protecting Suicidal Students

Elizabeth Bernstein, “Bucking Privacy Concerns, Cornell Acts as

Without Harming Universities.” 82

34 CFR § 99.31.

In addition to deans, trustees, and professors, law enforcement personnel

Watchdog,” The Wall Street Journal, December 28, 2007, http://online.wsj. com/article/SB119881134406054777.html. 95

Although in the Virginia Tech case Mr. Cho was bright and did well

and health staff are considered to be appropriate “school ofﬁcials” under

academically, he had signiﬁcant difﬁculty communicating with others

model deﬁnitions provided by the Family Policy Compliance Ofﬁce (FPCO).

throughout his school career. Mr. Cho’s parents were aware of the special

An ofﬁcial has a legitimate educational interest in student records and

education services he received in high school. However, Virginia Tech

information, for example, if the ofﬁcial needs to review the information in

admitted Mr. Cho based on his academic record without a personal

the performance of his or her professional responsibilities for the school,

interview. The school was unaware that the special services he received in

in performance of a task related to the student’s education or to student

high school enabled him to reach the college level with a strong academic

discipline, or maintaining safety and security on campus.

record but virtually no social or communication skills.

NACUA, FERPA and Campus Safety.

McAnaney, “Finding the Proper Balance: Protecting Suicidal Students

University of Rhode Island, Introduction to FERPA, Family Education

Without Harming Universities.”

Rights and Privacy Act, or FERPA 101.

Va. Tech Review Panel, Mass Shootings at Virginia Tech, Report of the

Bernstein, “Education Department Reworks Privacy Regulations.”

NACUA, FERPA and Campus Safety.

Roan, “Crisis on Campus Anxious Parents, Troubled Students.”

Bernstein, “Education Department Reworks Privacy Regulations.”

Pearlstein, “Honoring Elizabeth Shin.”

Review Panel 2.

URMI A Journal 2009

Capriccioso, “Counseling Crisis.” 98

Others argue that cases such as the Shin case are bad for schools because, whether schools are right or wrong, they usually settle and costs rise. Capriccioso, “Settlement in MIT Suicide Suit.”

Ibid.

100

Lauren, “MIT Student Suicide Case Settled Out of Court.”

101

Ibid.

102

The International Association of Counseling Services and the American

Sharpe, “Suicide at MIT Raises Parents’ Ire.”

College Health Association state that colleges should have at least one mental health staff member to 1,500 students, with the “platinum standard” being one mental health staff member for every 1,000 students. Grava, “Communication Key to Helping Students with Mental Health Issues.” Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.” 103

Cornell’s mental health program, which is modeled after the Air Force’s program, includes an “alert team” of administrators, campus police, and counselors who meet weekly and compare notes on signs of students with mental health problems. Cornell also encourages staff to recognize students with potential problems and provides training for college employees all across campus, including librarians and handymen. Bernstein, “Education Department Reworks Privacy Regulations.” Bernstein, “Bucking Privacy Concerns, Cornell Acts as Watchdog.” Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

104

Bernstein, “Education Department Reworks Privacy Regulations.” Grava, “Communication Key to Helping Students with Mental Health Issues.” Bernstein, “Bucking Privacy Concerns, Cornell Acts as Watchdog.” Bernstein, “Colleges’ Culture of Privacy Often Overshadows Safety.”

105

Bernstein, “Bucking Privacy Concerns, Cornell Acts as Watchdog.”

106

Sontag, “Who Was Responsible For Elizabeth Shin?”

U R M I A Jou r n a l 2 0 0 9

Health is not valued till sickness comes. —THOMAS FULLER (1608–1661), BRITISH CLERGYMAN AND WRITER

Great discoveries and improvements invariably involve the cooperation of many minds. —ALEXANDER GRAHAM BELL (1847–1922), INVENTOR AND EDUCATOR

Twenty Years of University Mutuals: Theories of Success Harry Rosenthal, General Manager of Risk Management Services, Unimutual, and Past President of the Australasian University Risk and Insurance Management Society (AURIMS)

unendearing characteristics, this desolate, cold, and hostile Abstract: For the last 20 years, universities around the world region of the planet is of special interest to leading climate have relied on a unique way of risk sharing to provide afscientists as it is regarded as one of the best locations fordable protection to the institution: the university mutual. on Earth to understand the speed and impact of global Mutuals work particularly well in the university setting for climate change. a variety of reasons, which are discussed in this article. The The researchers of the University of Tasmania regard article hypothesizes that there are fourr main reasons mututhis region as their personal laboratory to als are so effective in the higher education tion unlo the planet’s remaining geophysical unlock environment: the microeconomics of higher igher secre To probe this region, they have secrets. education, a “genetic” match between muThe loss of deve developed unique instrumentation arrays tuals and higher education, the subsequent quent to fa development of a value adding community facilitate the recording of ocean condiunity expensive tion Such arrays can cost over a quarter of colleagues, and risk coverage for emergtions. merguniversity assets ing and unpredictable risks. of a million dollars, must be dropped from research ships, and are moored for can cripple mon at a time almost a mile below the months Introduction surfa The devices are anchored to the surface. This year, Unimutual, a non-profit muresearch projects. seab by surplus train wheels and miles seabed tual owned and operated by memberr unith Sometimes these st ing of strong chain and rope. For months, versities, celebrates its 20 year serving thes utual institutions across Australia. The mutual these devices collect and record environlosses are not men data and are later retrieved by provides risk financing protections, givmental univ duct ing academics the confidence to conduct university researchers. Finding an instruknown for men array a mile down in a vast ocean rance research for which commercial insurance ment several years. is not no a task with a high success rate, and would typically be too expensive, of inlosse of instruments often occur. ilable adequate capacity, or simply not available losses W due to exclusions or restrictions. While crucial to understanding the ocea environment, such research is que This article will examine this unique oceanic and sustainable risk sharing model of higher education expensive and funded through limited financial resources. mutuals and will explore why, after 20 years, they are still The loss of expensive university assets can cripple research contributing to the management of risk in the sector. projects, losing vital data and jeopardizing funding needed to continue long-term research. Sometimes these losses Case Study: Research in the Southern Pacific Ocean are not known for several years as successive voyages fail to Consider the case of the University of Tasmania, one of locate these submerged instrument arrays. the founding members of Unimutual, and its research in Most commercial insurers would quite reasonably the Pacific Ocean. There are few locations riskier than the refuse to underwrite such risky property exposures, and Southern Pacific Ocean, a vast and deadly watery wilderthe asset value risk is too large for a small university in ness located between Australia and Antarctica. Due to its Tasmania to comfortably self-insure. Lack of risk financremoteness, it is a perfect laboratory for understanding the ing can cripple or discourage this research, as it does for geophysical dynamics of our planet. In this expanse of sea, many university activities where, while the probability of the ocean floor is miles below the surface, and waves are property loss is high, the value of the information gained often higher than most apartment blocks. In spite of these is also significant. For 20 years, the University of Tasma-

URMI A Journal 2009

nia has been able to conduct this and other cutting edge research while protecting university assets through the pooling of risk across a network of other Australian universities engaged in similar pursuits of teaching, learning, and research. This mutual risk pool, Unimutual, has successfully provided specialist higher education protections for members following a model now familiar in Canada, the United Kingdom, and Australia.

commercial insurance unavailable or prohibitively expensive, taxing already stretched budgets. They began to explore alternative methods of risk financing, allowing them to hold risk financing funds longer and leveraging their ability to raise revenue through taxes, fees, or charges. Fortunately for the risk management profession, this created a new spectrum of opportunities as large public and private employers sought to shift to a greater reliance on self-funding of risk. The risk manager had suddenly found an enterprise-w enterprise-wide application for his or her skills. ro Through the development of the profession risk managers were able to clearly sion, assis their organizations in reducing assist together losse and directly benefiting from the losses impr improved management of their risks.

tuals A Brief History of the Rise of Mutuals The banding together of universitiess to sks better finance their unique sector risks ent is not unusual. However, many current The banding ted in mutuals and risk pools initially started the government sector in response too a of universities to ondinumber of economic and industry condin tions. Some may recall the stagflation The Rise of Mutuals in Higher better finance their ed Edu recessions of the 1980s, characterized Education—Around the World unique sector risks ity th time in the United States, risk by high interest rates, high commodity At this uent prof prices, soaring unemployment, frequent professionals witnessed a significant inis not unusual. al crea in self-insurance activities amongst bankruptcies, and shrinkage of global crease gove insurance capacity, a time not unlikee government organizations, including the However, many bal univ our own today. At that time, the global university sector. In many cases, indicurrent mutuals and ing vidu states lobbied for legislation to cap economic crisis was strongly impacting vidual gove commercial insurance markets, pargovernment liability and provide greater risk pools initially al com ticularly the liability and professional comfort for this experiment in self-insurial indemnity markets. Many commercial ing. Over time, the logic of self-insuring started in the asses lowe layers of loss and purchasing cominsurers moved away from certain classes lower government sector. ovmerc insurance for only catastrophe of business and sectors, including govmercial rific cove ernment, which was undergoing terrifi coverage became self-evident and, when nues, com financial pressures from falling revenues, combined with the guidance of a risk prof increasing operating costs due to inflflaaprofessional, proved to be a successful tion, taxation caps, and increases in frequency and severity combination. Once moving to self-insurance models, few of liability claims, judgements, and awards. public entities returned to a heavy reliance on commercial In logical response to increasing losses, insurance insurance, even once the markets turned around and premarkets hardened. Many commercial insurers abandoned miums softened. Most are still self-insured today. the government markets, finding them too risky. Those Things developed differently outside of the US. In the carriers willing to continue operating in the sector began UK, Canadian, and Australian higher education markets, to charge increasingly expensive premiums, forcing public the responses were slightly different as few institutions entities to take less coverage, higher excesses, or seek alterpossessed adequate financial resources to pursue a fully native methods of financing risk. self-insured model or even to significantly increase their In response to this situation, by the later half of the retention levels. By the late 1980s, government entities in 1980s, government managers, who were traditionally these countries also faced dramatically fewer affordable conservative and financed their risk through the purchase options for commercial insurance and greater barriers to of large quantities of insurance, suddenly found affordable taking the complete self-insurance route as followed in

U R M I A Jou r n a l 2 0 0 9

the US. In response, many in the higher education sector began to explore the mutual approach to risk financing through the formation of sector-specific mutuals. In some cases, the mutuals were simply buying groups, banding together to purchase commercial coverage with combined values. In other cases, discretionary mutuals were formed to spread extensive risks amongst multiple members. Examples of this mutual activity include: • The Canadian Universities Reciprocal Insurance Exchange (CURIE), established by a group of Canadian universities in 1987 to secure long-term, stable, and economical insurance in property and casualty lines in the hard market of the 1980s. CURIE has successfully grown over the years, and its members represent almost 700,000 higher education students from all Canadian provinces except Quebec. In its 22 years of existence, it has grown to be Canada’s largest higher education property and liability insurer. • University Mutual Assurance Limited (UMAL) was formed as a mutual organization in 1992, initially with four members. Its membership now stands at 55 UK higher education institutions. It is a dedicated higher education risk pool, owned and managed by member institutions and focused solely on serving members’ unique coverage needs. • Unimutual was formed in 1989 and is now the largest provider of risk protection in the Australian higher education sector. It has 17 university members and 16 non-university members, including prominent Australian research centers and institutes. Unimutual leads the higher education sector in the financing of the unique risks faced by universities conducting cutting edge research. Theories Supporting the Continuous Success of Mutuals in Higher Education Pooling, captives, and mutuals have had a checkered experience over the past 30 years. While higher education institutions have stayed with mutuals, many other organizations initially formed or joined risk sharing arrangements, only to depart once insurance markets improved and premiums softened. However, the higher education sector has shown these mutuals to be extremely resilient, experiencing growth in membership and financial strength

regardless of the swings of the insurance cycle. What are possible explanations for this growth in higher education mutual markets, even when faced with recently soft markets and competition among members for top students and research dollars? The following are four theories which may help to explain why these sources of alternative risk financing have been so successful in the higher education sector. Theory One: The Microeconomics of Higher Education Using Australia as a representative sample for higher education funding, the prosperity of the general economy of the past 10 years—excluding the current crisis—has not been reflected in the higher education sector. While the general global economy experienced unprecedented growth up until the current economic crisis, Australian higher education institutions have endured an ongoing reduction in government support. Since the 1980s, the sector has experienced a steady decrease in percentage of government funding. Previously, university tuition and institutional operating costs were 100 percent government-funded; today, less than half of required university operating funds come from government support. From a once-free university education program, Australia has moved to a situation where students must fund much of their tuition. Universities which relied on complete government support are now seeking other areas of financial support to meet over half of their annual operating costs, including student tuition or fees, corporate sponsorship, alumni donations, and the aggressive pursuit of research funding from public and private sources. In this economic environment of shrinking government support, insurance costs have become a significant driver of university risk financing decisions. Members often view the mutual as an efficient method to bundle property and liability exposures and market them to the global insurers, resulting in lower overall premiums. In such a microeconomic environment, university chief financial officers value stability and predictability of risk financing costs over time almost as much as reductions in the actual premium cost. Mutuals are inherently successful in moderating the highs and lows of insurance costs over time, shielding members from the swings of the insurance cycle and making expenses far more predictable over the long-run.

URMI A Journal 2009

Theory Two: A “Genetic” Match Between Risk management programs not only target sector-unique Mutuals and Higher Education compliance needs, such as the use of genetically modified This view holds that the long-term success of these mutuorganisms, but also create risk solutions which leverage 20 als is the result of an obvious match of cultures between years of cumulative knowledge of the sectors and a wealth mutuals and higher education. To the academic communiof claims and underwriting experience. Through mutuals, ty, mechanisms such as mutuals resonate with the “DNA” many members have been able to share their own experiof universities, which have for over a thousand years ences, learn lessons from losses at other institutions, and promoted the mutual concepts of collegiality and shareven conduct sector-specific research. At this time in Ausing of information, ideas, research, and even staff. On one tralia, the members of Unimutual are examining the poshand, higher education institutions do fiercely compete sibility of sharing loss data on student sport injuries with leading injury management manage s, and talent. However, for the best students, research grants, researchers to develop loss cont strategies to minimize such injuhese this competition does not prohibit these control cept institutions from sharing in the concept ries in the future. This sharing of universityof mutuality; it is programmed into the sity-specifi c loss information provides for Universities are high focused expert risk services aimed DNA of higher education. highly dge Sharing information and knowledge at sig significant issues impacting members’ hardwired from tiis not regarded as giving up a competitotal cost of risk. Using the mutual, risk years of cooperative prof ary. tive advantage or assisting an adversary. professionals can tap the academic commun view operating loss histories, rs of Universities are hardwired from years munity, research to have ally cooperative research to have a naturally and leverage their colleagues’ general risk expe rces, strong attraction to pooling of resources, experience. Professional societies, such a naturally strong th University Risk Management and her knowledge, skills, and expertise. Higher as the attraction to pooling Insu orkeducation institutions respond to workInsurance Association (URMIA) in the a Australasian Universities Risk ing together and sharing in expenses via US and of resources, aff equipment loans and, sometimes, staff and Insurance Management Society (AU urces transfers. Sharing or pooling of resources (AURIMS) in Australia, provide similar knowledge, skills, oppo fitt but is not done for personal gain or profi opportunities for knowledge sharing and expertise. asin the spirit of collegiality and increasand building of the profession of higher educ uals ing wisdom. Higher education mutuals education risk management among their mem n, as are similar in structure and operation, members. they are non-profits dedicated to fur-thering the objectives of the sector, as well as benefiting Theory Four: Risk Coverage for individual members. In the above case study, the UniverEmerging and Unpredictable Risks sity of Tasmania has been sharing its risk of losing subsea The final theory of why mutuals are so successful in the instrument arrays amongst willing members of the mutual higher education sector relates back to the University for 20 years. of Tasmania’s lost marine instrument arrays, an emerging risk. Many higher education institutions are actively Theory Three: Development of a Value Adding engaging in cutting edge research, including stem cells, Community of Colleagues nanotechnology, and quantum computing, which require In this theory, universities recognize that the mutual expensive investments in equipment and have extremely model offers a powerful distillation of sector-specific uncertain outcomes. Loss of equipment in these examples knowledge and experience, which can be tapped for the can occur due to unconventional sources, such as launchbenefit of all members. All mutuals listed above not only ing into the upper atmosphere on scramjets, unpredictprovide sector-tailored risk protections but also offer risk able chemical reactions, or equipment set adrift in hostile management programs relevant to their members’ needs. seas. In other words, the risks associated with cutting

U R M I A Jou r n a l 2 0 0 9

edge research may not be clearly known or their impacts Conclusion fully understood. Most higher education mutuals can In summary, higher education risk managers have witoffer discretionary protection to members, compensating nessed 20 years of successful growth and development members for losses which traditional insurance programs of mutuals in the higher education sector in Australia, would exclude. Canada, and the UK. This sustained contribution of risk Since promoting research is a major goal of universifinancing has aided higher education institutions in meetties, a mutual’s Board of Directors has the power to make ing their research, teaching, and learning objectives. The discretionary payments to a member that experiences a mutuals described in this paper illustrate how, through singular or unique loss, allowing the institution to cona skillful combination of loss control, risk management, tinue its research over time. Once the risks become better and specialized sector knowledge, universities can clearly known, the mutual can easily modifyy protection wording n benefit from mutual networks. Collegiality and a desire to aiting for the comto include emerging risks without waiting k share resources and knowledge have successfully brought d. In mercial insurance market to respond. toge together universities for hundreds of ing mutuals, coverages are constantly being year allowing institutions to better years, Higher education omodified and new products are intromeet their academic goals; for the past mergy duced to meet the needs of these emerg20 years, this same model of collegialrisk managers have h to ing risks, allowing associated research ity h has been put to use through mutual agre continue. agreements to successfully help develop witnessed 20 years usAnother recent example from Austhe financial and operational sections of of successful growth uine camp tralia regards a 2007 outbreak of equine campuses around the world. d influenza, which caused an estimated and development orse one billion dollars in losses to the horse Abo the Author racing industry alone. Horses were About of mutuals in the nd all Harry Rosenthal is H quarantined, races were cancelled, and higher education dtthe General Manager horse-related activities came to a sudpread oof Risk Management den halt in an attempt to slow the spread sector in Australia, ual, S Services for Unimutuof the disease. Members of Unimutual, etaal, a discretionary mumany of whom trained students in vetCanada, and the UK. nary ttual of Australian unierinary sciences and operated veterinary vversities and affiliates training clinics, were forced to shut down cw which provides a wide or board horses for months as restricrange of property and liability protections for its members. tions on horse movement were introduced. This resulted He is the former Director of the Risk Management Unit in serious financial losses for the members. Commercial of the University of New South Wales and Past President insurance policies frequently exclude animal diseases of the Australasian University Risk and Insurance Manand related business interruption costs. While others in agement Society (AURIMS). He has published numerous the racing industry sought recovery assistance from the articles on loss control and risk management-related topics government through possible class action lawsuits, mutual and is a frequent presenter at conferences and symposiums members who suffered financial loses were able to as ask on risk, insurance, and higher education loss exposures. the mutual’s Board of Directors for special consideration He holds a Master of Business degree from the Florida for their losses. Often, the board granted those instituInstitute of Technology, as well as an Associate in Risk tions funds under the mutual’s discretionary powers, enManagement (ARM) from the American Insurance Instisuring individual members did not suffer a loss that would tute. In addition, he holds the professional designation of impact teaching and learning. a Chartered Casualty and Property Underwriter (CPCU) with the American Insurance Institute, one of the highest

URMI A Journal 2009

professional titles in the American insurance industry. Mr. Rosenthal began his professional career as an archaeologist working in the Mediterranean, Europe, the US, and Mexico. Leaving archaeology in the late 1970s, he began a career in government administration and has over 25 years of experience in risk management and claims administration in the utility, government, and private sectors in both Australia and the US. He has been an adjunct lecturer and facilitator in both undergraduate and postgraduate programs at the University of New South Wales and University of Technology, Sydney and is active in the development of risk management education in Australia.

U R M I A Jou r n a l 2 0 0 9

Individual commitment to a group effort that is what makes a team work, a company work, a society work, a civilization work. —VINCE LOMBARDI (1913–1970), PROFESSIONAL FOOTBALL COACH

One doesn’t discover new lands without consenting to lose sight of the shore for a very long time. —ANDRE GIDE (1869–1951), FRENCH AUTHOR AND WINNER OF THE NOBEL PRIZE IN LITERATURE

A particular concern in this regard is the potential for Abstract: Higher education institutions have a variety of exposure to “toxic chemicals” associated with many campus settings where toxic chemical are used and exposures are settings, such as science laboratories, art studios, and mapossible. Science labs, art studios, machine shops, offices, and chine shops, as well as general office and residential areas. residential settings all provide potential avenues by which The risks associated with such exposures are often ambigutoxic chemical exposures could occur. Where should a higher ous and controversial. education risk manager turn for information on managing When such concerns arise, many risk managers logithe risks from such a wide variety of chemicals? While govcally turn to government regulations for help in determinernment regulations would be a logical first choice, risk maning appropriate respon responses to potential exposure to these agers may find it challenging to put these ese regulations to use chem chemicals. Unfortunately, our experience in defining solutions. This article focuses ses th is that these regulations present signifion how the regulatory process itself adds ds to cant challenges in identifying solutions to these challenges. It also discusses what some Unfamiliar risks ease concerns. Many of these challenges of the key challenges are when workingg arise simply because of the nature of the with government regulations and specifi ific or risk imposed regu regulatory process itself. ways higher education administrators and by others raise This paper will review some of the leaders can work to better understand and c comply with these regulations. key challenges we have found when concerns even work with government regulations working and provide suggestions about how to Introduction though their bette understand and comply with toxic better Our lives are full of risks of varying magnitude may be chem regulations as part of a campuschemical ly magnitudes, and new ones continually wide risk management program. ugh emerge. We are reminded daily through so small as to be The good news is that most campuses our personal concerns, the warnings of acro the country have gained experiacross ch others, and the news to beware of such immeasurable. ence with these types of concerns and nthings as careless driving, alcohol conr the relevant regulations, and, as such, ollusumption, food borne illnesses, air polluthey have made significant progress in otic tion, asbestos, solar radiation, antibiotic d li with i h many off these issues. For example, campuses dealing lik it i could ld bbe resistance, and earthquakes. The list seems like handle asbestos management, indoor air quality concerns, endless if we paid careful enough attention. and questions about institutional oversight of laboratory Research has shown that most people are less afraid of chemicals much more routinely today than they did 25 risk that they believe they have some control over or from years ago. Many of the lessons learned in this evolution can which they might benefit.1 On the other hand, unfamiliar risks or risk imposed by others raise concerns even though be applied to address new concerns, such as Polychlorinattheir magnitude may be so small as to be immeasurable. ed Biphenyls (PCB) in building materials, mold concerns, Given these factors, it should be no surprise that we are a and nanoparticles as they emerge. hyper-sensitive society to risks that we believe are outside our control or that we fear for lack of understanding. In The Regulatory Challenge The public in general is concerned with the health effects this context, “hyper-sensitive” suggests that the reaction of hazardous chemicals. This concern takes the form of a to a specific risk is out of proportion to the actual hazard low level anxiety that arises from ongoing news of medical presented by the concern.

URMI A Journal 2009

and scientific advances that detect chemicals with significant health effects in the outside environment, at the workplace, and in everyday products. While the exposures that these chemicals present are ambiguous, any amount seems like too much to many people. This concern has led to pressure on regulators to identify specific levels of chemicals that require action. Such determinations require a significant amount of environmental and toxicological information. Unfortunately, the number of chemicals used in commerce is far higher than those for which adequate information is available, and this number continues to rise more quickly than information about their toxicity. For example, only about 2,200 of 82,000 chemicals identified by the Environmental Protection Agency (EPA) as being “in commerce” have been completely screened for their toxicity.2 Expansion of such information is hampered by both technical and political reasons. Technical reasons include the length of time low level exposures require to cause enough disease to be detectable in epidemiological studies. Because research on human subjects is strictly regulated, data based on animal studies have to be speculatively extended for chemicals in cases where such results exist. Examples of the types of toxicity to be determined include whether a chemical is carcinogenic, an irritant, a narcotic, a teratogen, or if it acts as a sensitizer. Such determinations can also help establish if it causes sterility and/or birth defects, if it can be excreted in human milk, if skin contact should be avoided, if is it harmful to breathe, and so on. However, in order to write a useful regulation, regulatory agencies need to assess more than the toxicity of a chemical. In addition, allowable human exposure levels need to be established, technology needs to be developed to control or reduce exposures, possible substitutions have to be identified, and, after all of this information is reviewed, a cost/benefit analysis must be calculated to determine if the regulation will create a new social benefit. The political reality is that there is neither enough research money nor expertise available to submit all known chemicals to such an investigation in a timely way. Simply put, regulatory agencies must evaluate and regulate chemicals for which they have no data, very little data, or inconclusive data related to human risks available. While some groups, including the San Francisco City Council,

U R M I A Jou r n a l 2 0 0 9

have proposed to apply the “precautionary principle” to these chemicals and discontinue use until they can be thoroughly investigated, this approach does not seem to be immediately feasible within the global economy. This gap in scientific knowledge means that government agencies must often react to public concern about a specific chemical with less information than they would like. Within this constraint, they must also create regulations that are defined clearly enough to be enforced consistently across 50 states and thousands of facilities and processes. This often means creating definitions for common words that can create legally binding expectations while avoiding undue burden on companies and organizations using these materials. This balancing act has proven to be a significant challenge. The Jargon and Conflicting Regulations One of the major challenges of working with government regulations concerning chemical hazards is that government and scientific language come from two different sets of technical jargon. The words include a mix of specific scientific and legal concepts that only partially correspond to each other, even when different agencies are describing the same phenomenon. For example, the boundary between “flammable” and “non-flammable” liquids is set at a flashpoint of 100 degrees Fahrenheit by the Occupational Safety and Health Administration (OSHA) (1910.106(a) (19)),3 while the Department of Transportation (DOT) uses 140 degrees Fahrenheit (49 CFR Parts 171 - 180).4 To further demonstrate this issue, OSHA has enacted specific regulatory standards for 27 carcinogens but recognizes 191 others as potential carcinogens. The significance of this distinction is that OSHA has not yet been able to complete the regulatory research described above in order to demonstrate the value of a regulation for these “potential” carcinogens. In addition, extra confusion is created because different government agencies may have an interest in different segments of the life cycle of a chemical. An example of the practical effect of this challenge arises when a laboratory worker generates a normal amount of chemical waste in the laboratory, such as one liter of acetone. While the OSHA Laboratory Standard (29 CFR 1910.1450)5 covers the employee working with the solvent, a variety of other government regulations will apply to this laboratory waste.

For example, the Laboratory Standard does not cover • Grassroots environmental groups that are conproper disposal of the chemical involved, which will be cerned about the health of the general ecosystem determined by the EPA’s RCRA regulations (40 CFR and changes in the environment that result from 6 Parts 239 through 299) and states’ variants of these reguthe release of a chemical; lations, which are likely to identify the leftover acetone as • Victims of specific diseases that may or may not be a “D001” hazardous waste. Additionally, a chemical waste scientifically connected to certain toxins; and disposal plan will need to address the DOT’s requirements • The regulators themselves, who have to balance for shipment of hazardous materials (49 CFR Parts 100their interest in the public health, the economic im7 185), which considers the acetone a Waste Flammable pacts of regulations, and their own need to be able Liquid, UN1993. to effectively enforce the regulations. Further, the transport of threshold quantities of certain ge of these materials waste chemicals will result in coverage Another challenge is that stakeholder groups interested ty th regulation and management of by Department of Homeland Security in the ans (DHS) requirements for security plans toxic chemicals are becoming increasingly inter (6 CFR Part 27).8 The lab worker is then international as economic globalization The core of cont expected to consult DHS’ Chemical Facontinues to grow. This has resulted ATS) on cility Anti-Terrorism Standards (CFATS) in ongoing confusion associated with the problem is 9 ted in regu table to determine if the liquid is listed regulatory requirements for chemical that laws and mical safet information. One example of this the standards’ Appendix A as a chemical safety conf of interest. confusion is the different definitions regulations are ents OSH and DOT have for flammability, Combining all of these requirements OSHA ano above.10 The United Nations with their varying jargon and expectaas noted often developed ding Econ Economic Commission for Europe has tions requires not only an understanding in reaction to bad ions mad made an effort to address this challenge of the text of the appropriate regulations thro through the Globally Harmonized System but also the enforcement policies of the experiences in of Cl Classification and Labelling of Chemicals relevant agencies and how these fac11 (GH This system includes a variety (GHS). tors interact with one another. Only by specific situations. ieces of ch chemical risk statements and associunderstanding how these different pieces he ated cautions that are recommended for interact can one develop an answer the the use u of specific chemicals. question of what to do with chemicall The GHS approach is a significant change to the genwaste once he or she is finished with it. eral approach to toxics regulation. The predecessor was the Chemical Right-to-Know regulations for employees and Regulatory Stakeholders community members that were promulgated by OSHA How does this situation arise? The core of the problem is and superseded by many states in the 1980s. In 2006, that laws and regulations are often developed in reaction OSHA issued a notice of proposed rulemaking that began to bad experiences in specific situations. These laws and the implementation of the GHS within its regulatory regulations are then meant to serve as general rules that framework. Past experience suggests that, while an update apply broadly. Additionally, these general rules are legislato the Right-to-Know regulations is badly needed, effective compromises implemented by regulatory agencies that tive implementation of the GHS approach will be a long are responding to many different interest groups who have process—several years to a decade. widely varying stakes in the outcome of the regulatory process. The Impact of Politics These interest groups represent not only chemical-proFor historical reasons, the various agencies that have toxic ducing companies but also other groups who are concerned chemical regulatory authority have differing jurisdictions about the chemical’s production or release, including:

URMI A Journal 2009

and, thus, varying organizational structures and procedures At the same time, all of these agencies must abide by for studying toxic substances. A few examples demonstrate a variety of statutory laws and administrative orders that how widely different the reporting structures of these require them to consider the costs and benefits of any agencies can be: proposed regulations. Additionally, Congress can pass • The Food and Drug Administration (FDA), special legislation to preempt agency decisions. The most formed in 1906, and the EPA, organized in 1970, recent example of such an action occurred in 2001 when are each headed by a single official. The EPA the adversarial Republican Congress voided OSHA’s ergoadministrator’s cabinet-level position, however, nomics standard. The standard, which had been initiated is appointed by the president, subject to congresby a Republican administration and vetted for 10 years sional confirmation. The FDA is a division of the by the standard regulatory process, was repealed within Department of Health and Human Services; its five months of enactm enactment. While this is not specifically a chem regulation, this sort of potential administrator is appointed byy the chemical press explains why agencies are quite Secretary of the Departmentt of pressure cauti Health and Human Services.. cautious in moving the regulatory process Once the regulation ent • The United States Department to a final rule. O the regulation has been enacted, of Transportation is a federall Once has been enacted, Cabinet department that wass esthe w work of making a physical difference the work of making ess on th workplace and outside environment tablished by an act of Congress in the October 15, 1966, and begann opbased on that regulation has just begun. a physical difference e eration on April 1, 1967. It iss the The establishment of an acceptable degree ussed only one of the agencies discussed of ris risk is typically debated between those in the workplace ris with their health and those at risk that is directly administered by a at risk and outside abiecon member of the President’s Cabieconomically. Those at risk economiary of net, the United States Secretary cally usually have a greater advantage in environment based n Transportation. the negotiation process; they can invest 70, is nan resources to build a case for their • OSHA, also organized in 1970, financial on that regulation abor. part of the Department of Labor. side oof the issue. For example, stakeholdhas just begun. The agency’s administrator, an ers at risk financially can produce reports illu assistant secretary of labor, iss apto illustrate how a regulation will affect bject pointed by the president, subject their corporate bottom line based on curn. to congressional confirmation. rent economic data co collected as part of doing business. On • The Consumer Product Safety Commission the other hand, those concerned about health risks all too (CPSC) is an independent agency of the United often have only anecdotal evidence and speculative associaStates government created in 1972. It has authority tions on which to base their arguments. over five statutes, including the Consumer Product Further, once promulgated, regulations often continue Safety Act and the Federal Hazardous Substances to be criticized by “scientists, industry representatives, and Act. The CPSC is governed by five commissioners public-interest groups.”12 Although simple rules and consistent procedures would benefit all, the history and nature appointed by the president, subject to congressioof chemical regulations precludes such expectations. New nal confirmation. approaches, however, are being encouraged. These variations in reporting structures create different New Approaches levels of enforcement powers and result in very different In such a bewildering environment of words, stakeholdcultures within the agencies regarding acceptable levels of ers, and competing agendas, what is a risk manager to do? risk and the relative priority of the various stakeholders in The good news, as mentioned earlier, is that many people, how a regulation is enforced.

U R M I A Jou r n a l 2 0 0 9

including regulators, are getting smarter about managing more organizations began to understand the value of the concerns about toxic chemicals. The EPA and OSHA are management system approach, this number had more than good examples of agencies that have begun to adopt a more doubled to 250; by 2006, 2,000 organizations had joined. holistic approach to chemical regulation. The management system programs developed by reguOne reason for this interest on the regulators’ part is latory agencies are so popular because they allow organizathat, while developing regulations for toxic chemicals is tions to identify and prioritize health and safety concerns, expensive, enforcing such regulations is even more expenincluding exposure to toxic chemicals, associated with their sive. While Congress passed many chemical control laws operations in ways that don’t necessarily correspond to the and the EPA promulgated many regulations to implement existing regulatory structure. While there is no relaxation these laws in the 1970s and 1980s, concerns about toxic of the compliance requirements, developing an effective chemicals continued to expand and diversify. In the 1990s, management system plan to managing workplace hazards the EPA took a step back from regulatory activity and assures the agency that the employer is making a good recognized that, while there were certain specific successes faith effort to address health and safety concerns. OSHA’s research has shown that th the resulting program is also more that arose from it, there were many more concerns that ny within the agency effective at lowering w remained. This realization led to many workplace injuries, illnesses, and fataliadvocating moving from a “commandd and ties.115 erforOf interest to risk managers, programs O control” strategy to a more flexible “perforThe management lling such as the National Environmental mance-oriented” approach to controlling Perfo Performance Track and VPP adopt a chemical exposures and spills. system approach mana management approach that is similar The alternative strategy that has arisen to th that of Enterprise Risk Management from both the EPA and OSHA is a focuses on the hich (ERM (ERM). These programs help manag“management system” approach in which ‘‘Plan, Do, Check, xic ers develop d a strategic overview of the the institution views managing its toxic organ organization’s risks to develop a proactive, risks with a continuous improvementt Act’’ cycle. tion comp comprehensive program to prevent chemiattitude. This means that the institution cal ex exposures and resulting losses. Thus, develops the internal capabilities to assess, ciated unde understanding the newly developing reguprioritize, and control the risks associated latory regime for toxic chemicals may allow risk managers with hazardous chemicals to balance physical, toxicity, and to identify opportunities to help guide the development regulatory risks in a transparent way. of their institutions’ programs to proactively manage these The management system approach focuses on the risks. ‘‘Plan, Do, Check, Act’’ management cycle. The ultimate goal of this management cycle is not to reach a specific Conclusion goal but to continuously improve processes and systems. Risk managers must understand the overall picture of The EPA’s program, National Environmental Performance chemical regulations and how to comply with those regulaTrack,13 is exploring this approach. The National Environmental Performance Track recognizes and drives envitions. An intimate understanding of chemical regulations ronmental excellence by encouraging facilities with strong can also help managers build a proactive risk manageenvironmental records to go above and beyond their legal ment strategy. To prevent potential chemical risks from requirements. Currently, the program has more than 500 becoming costly allegations or losses, risk managers should members and welcomes all qualifying facilities. develop an integrated approach that prioritizes physiOSHA has been promoting occupational safety cal, regulatory, and perceptions of risks into an oversight management systems through its Voluntary Protection program based on continuous improvement. OSHA’s VPP Program (VPP).14 The VPP was established in 1982 and program and EPA’s interest in environmental management had a slow start. After a decade, in 1993, only 100 organisystems support this approach to the challenges of chemizations had enrolled in this program. However, by 1996, as cal risks.

URMI A Journal 2009

Understanding these regulations is also important when risk managers are part of the institution’s response to chemical concerns. As the history discussed above illustrates, institutional leaders and managers must understand and carefully use government regulations when discussing health hazards associated with specific chemical exposures. Otherwise, the regulations are as likely to create confusion and concern as they are to answer questions or identify solutions. With this in mind, one of the key roles of a risk manager in discussing toxic chemicals and addressing exposure concerns on campus is to identify the various stakeholders in a particular situation and get a clear sense of the interests of each one. This understanding will help the risk manager to find common ground to build a management agreement that works to address the needs of all key stakeholders. With the EPA and OSHA taking strides to support this effort, finding common ground should be easier to achieve.

About the Authors

Ralph Stuart, CIH, has been a R m member of the Risk Management D Department at the University of V Vermont since 1985. He has guided t development of the university’s the la laboratory safety program since t then, including participation in the E Environmental Protection Agency’s (EPA) Lab-XL project, which reinvented hazardous waste regulations for laboratories. He is actively involved in several professional associations, including the Campus Consortium for Environmental Excellence, the Division of Chemical Health and Safety of the American Chemical Society, and the Campus Safety, Health and Environmental Management Association. He is also a national leader in the development of health and safety information resources on the internet.

Leta C. Finch, MPA, DRM, is L aan Executive Director of Arthur JJ. Gallagher’s Higher Education P Practice and serves as an experienced aand knowledgeable resource to the ccompany’s college and university cclients. Prior to joining Arthur J. G Gallagher, Ms. Finch was president of Champlain Captive Management, Inc., a Vermont and Hawaii ﬁrm managing captive insurance companies for national and international clients. Ms. Finch’s prior higher education experience includes serving as the founding Director of Risk Management at the University of Vermont. She was the founding Director of the Institute for Financial Services at Champlain College, where she was a member of Dean’s Council, a member of the President’s Task Force on International Programs, and she taught as an adjunct instructor in the college’s business administration division. Ms. Finch is a trustee emeritus of the Board of Trustees at Champlain College. She is an active member of the University Risk Management and Insurance Association (URMIA) and has served as its president. She is the recipient of URMIA’s Distinguished Risk Manager Award and served as a founding board member of United Educators Risk Retention Group. Her international experience in working abroad has spanned 20 years. She is the founder and president of the Foundation for Higher Education in Central Asia. She served as a trustee of the American University of Central Asia, and is a current trustee of Samara State University in Samara, Russia. She has written and presented nationally and internationally on a range of insurance and risk management topics.

Endnotes 1

David Ropeik and George Gray, Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You (New York, NY: Houghton Mifﬂin Company, 2002).

Cheryl Hogue, “The Future of U.S. Chemical Regulation,” Chemical and Engineering News, January 8, 2007, http://pubs.acs.org/cen/ government/85/8502regulation.html.

Occupational Safety and Health Administration, “Regulations (Standards 29 CFR): Flammable and Combustible Liquids (see 29 CFR Parts 1910.106(a) (19)),” United States Department of Labor, http://www.osha.gov/pls/ oshaweb/owadisp.show_document?p_table=STANDARDS&p_id=9752.

U R M I A Jou r n a l 2 0 0 9

National Transportation Library, “Hazardous Materials Transportation

Guides (see 49 CFR Parts 171-180),” United State Department of Transportation, http://ntl.bts.gov/DOCS/hmtg.html. 5

Occupational Safety and Health Administration, “Regulations (Standards - 29 CFR): Occupational Exposure to Hazardous Chemicals in Laboratories (see 29 CFR Part 1910.1450),” United States Department of Labor, http://www.osha.gov/pls/oshaweb/owadisp.show_document?p_ table=standards&p_id=10106.

Electronic Code of Federal Regulations, “Title 40: Protection of Environment (see 40 CFR Parts 239-299),” GPO Access, May 22, 2009, http:// ecfr.gpoaccess.gov/cgi/t/text/text-idx?sid=27d0dad4dd3d4c1969aad205b79 8e315&c=ecfr&tpl=/ecfrbrowse/Title40/40tab_02.tpl.

Federal Register, 49 CFR Parts 100-185: Transportation, October 1, 2007, http://www.10east.com/ﬁles/pdf/49CFR_V2.pdf.

Electronic Code of Federal Regulations, “Title 6: Domestic Security (see 6 CFR Part 27),” GPO Access, May 22, 2009, http://ecfr.gpoaccess.gov/cgi/t/ text/text-idx?c=ecfr&sid=34d33fa824fc703a83a20b977c2e13f2&tpl=/ ecfrbrowse/Title06/6cfr27_main_02.tpl.

Department of Homeland Security, “Chemical Facility Anti-Terrorism Standards,” January 8, 2009, http://www.dhs.gov/xprevprot/laws/ gc_1166796969417.shtm.

National Fire Protection Association, “FAQ - NFPA 30,” http://www.nfpa. org/faq.asp?categoryID=920&cookie%5Ftest=1.

United Nations Economic Commission for Europe, “Globally Harmonized System of Classiﬁcation and Labelling of Chemicals (GHS),” http://www. unece.org/trans/danger/publi/ghs/ghs_welcome_e.html

Committee on the Institutional Means for Assessment of Risks to Public Health, Commission on Life Sciences, and National Research Council, Risk Assessment in the Federal Government: Managing the Process (Washington, DC: National Academy Press, 1983).

U.S. Environmental Protection Agency, “National Environmental Performance Track” (last updated May 20, 2009), http://www.epa.gov/ perftrac.

Occupational Safety and Health Administration, “Voluntary Protection Programs,” United States Department of Labor (last updated May 13, 2009), http://www.osha.gov/dcsp/vpp/index.html.

Occupational Safety and Health Administration, “OSHA Fact Sheet: Effective Workplace Safety and Health Management Systems,” United States Department of Labor, March 2008, http://www.osha.gov/Publications/ safety-health-management-systems.pdf.

URMI A Journal 2009

A good plan is like a road map: it shows the ﬁnal destination and usually the best way to get there. —H. STANLEY JUDD (1936– ), AUTHOR

The George Washington University Ofﬁce of Risk Management Health & Safety Inspection Fitzroy Smith, Robert Ulizio, and Dale Furrow, The George Washington University

was a comprehensive list of items that are prohibited from Abstract: This article details a program developed by The dormitory rooms. George Washington University to help develop, measure, and maintain a safe environment for its students. The Implementing the P Program Office of Risk Management developed this health and The H&S Inspection Program was initiated in the 2006 safety inspection program, which is aimed med at monitoring, acad academic year, and the Office of Risk tracking, and minimizing health and Man Management has been responsible for safety risks in the university’s dormitories. ries. As a result of the p the program since its inception. InspecThe article describes the development of tion are performed by a team of health tions the program from the risk identificationn automation of the and safety inspectors, who enter every phase to implementation of the program m one of the 3,500 residential rooms across and provides detailed resources, forms,, inspection process, camp four times a year. The following campus communication tools, and sample the university have caused the inspection process to documents for other universities furth evolve over time: further considering the implementation of similar ilar can now collect • Standardization and consistency of programs. the inspection process standardized data • Standardization of reporting Introduction regarding fi re and procedures The George Washington University • Recognition of the enforcement tan(GW) is committed to the highest stanhealth hazards of established regulations and vidard of excellence, including the proviguidelines sion of a safe environment to enable our and emergency • Overall decrease in the number of trastudents to achieve academic and extramaintenance health and safety violations is curricular success. To better meet this standard of excellence, GW’s Office of issues. The H&S Inspection Program was ealth Risk Management developed the Health desig designed to reduce the potential of fires m, a & Safety (H&S) Inspection Program, in th the residence halls. The program niverkey program aimed at helping the univerutilizes an inspection team of three full-time health and sity achieve a safe environment. safety inspectors and one supervisor. They inspect the students’ dormitory rooms for compliance with university Background health and safety policies. During the 2005 academic year, a cross-functional task The health and safety inspectors use handheld comforce was convened with representatives from the offices puters and printers to make note of all violations, conof general counsel, student affairs, facilities managefiscating prohibited items. As a result of the automation ment, student housing, and risk management to develop of the inspection process, the university can now collect a comprehensive fire and life safety inspection program. standardized data regarding fire and health hazards and The Office of Risk Management led this task force in the emergency maintenance issues. To the extent that residevelopment of the H&S Inspection Program. Particidents are present, it also provides the health and safety pants on the task force focused on the need for greater inspectors with an opportunity to talk with the students safety awareness and communication among departments about the use of fire extinguishers and safety in general. involved. A key element of the H&S Inspection Program

URMI A Journal 2009

The inspection process also enables the enforcement of other university policies, such as the Residential Community Conduct Guidelines (RCCG), the Student Code of Conduct, and the Housing License Agreement.

to one’s individual needs is not difficult. Users input common Windows commands to shape the program to fit their needs. An example of the software’s adaptability is its tailoring for chemical lab inspections. The Chemical LaboraHealth & Safety Inspection Program Procedures tory Inspection Program (CLIP) was developed within Changes to technology have also helped the program’s the Office of Risk Management. The objective of CLIP is ram’s inception, the procedures to evolve. Since the program’ to reduce the number of safety concerns that are presprocess has evolved from filling out and i laboratories (see Appendix C for ent in d leaving paper forms to producing and C the CLIP lab checklist). The laboratory h the leaving printed forms—created with safet inspections are in compliance safety At the onset of ed mobility devices previously mentioned with the university’s Chemical Hygiene (see Appendix A). Inspection data iss Plan and Hazardous Materials Managethe process, the now retained in a violations databasee men Plan. Main topic areas, which are ment program utilized nts that authorized university departments com compiled in the CLIP Checklist, include nally, can easily view and update. Additionally, f the following: general work environment, an off-thefacilities management is studying thee chem storage, emergency planning, chemical gepossible integration of its task managerequ required information/postings, personal shelf software th ment software with the current health prot protective equipment, electrical hazards, to develop graand safety inspection software. Integraam flammable liquids, compressed gasses, tion of these two systems holds the wast disposal, ventilation/fume hoods, waste a platform n of potential to expedite the remediation secu security, and training/awareness. ness violations and increase the effectiveness Th ese criteria are based on commonly meeting the of communication. cited Environmental Protection Agency mobility, (EPA regulations, Occupational Safety (EPA) Software Technology Utilized forr and Health Administration (OSHA) printing, Various Tasks regu regulations, and the District of Columram At the onset of the process, the program bia F Fire Code. Risk management staff and data utilized an off-the-shelf software to mem members conduct the inspections, and management ility, develop a platform meeting the mobility, the findings are identified by comparing ds. printing, and data management needs. oper operations against the standards conneeds. bility The software was chosen for its flexibility taine in the CLIP Checklist. tained he and low initial costs. Over time, as the R management staff inspect a Risk eeds university learned more about the needs total of 62 university laboratories and ik of the program and the data managementt pprocess, risk i t d storage t associated areas each semester as part of the CLIP. management developed an internal database system utilizInspectors review the lab procedures and storage practices ing the versatility of the Microsoft Office program suite, and, if faculty and staff are present, interview them to specifically MS Access. This software is adaptable, and the obtain greater detail on laboratory activity and to evaluoutput data can be easily manipulated to be compatible ate their laboratory safety knowledge. The Office of Risk with other commonly used applications, such as Oracle, Management monitors the trends to measure what needs Sequel, Windows, and Linux. The solutions utilized for to be reinforced during training and to identify the inforthe program can be employed for other uses. The tracking mation needs of laboratory staff. and management software, for example, may be used for maintenance and inventory solutions (see Appendix B for screenshots of the software in use). Tailoring the software

U R M I A Jou r n a l 2 0 0 9

Cost of Implementation and the End Result of the Program Since the George Washington University’s H&S Inspection Program was developed internally, the university was able to limit design costs to a minimum. In the past two academic years, the Office of Risk Management has hired four full-time H&S inspectors. The addition of full-time staff and the frequency of the health and safety inspections also compensate for the reduction of live-in staff members employed by the Housing Department. Softer benefits include increased life safety compliance and awareness. This leads to a reduction in exposure, including regulatory, liability, and property loss. Through analysis of the data produced by the inspections, we believe that this process has improved the campus living environment. From the outset, we have observed an overall decrease in the total number of violations recorded. This includes a distinct reduction in the quantity of violations attributed to prohibited items. The statistics indicate a downward trend of violations from the initiation to the conclusion of each academic year with a peak reoccurrence of violations following the summer break period. Moving forward, we anticipate these trends will continue. The ebb and flow of recordable violations appears to naturally fluctuate with the departure and return of the student population for breaks and academic term completion. The article appendices display several graphs and images of the data that the inspectors collect, the hardware used in data collection, and the safety awareness posters posted around public viewing areas in every residential hall and university-owned building (see Appendices D, E, and F).

to maximize eﬃciency while minimizing risk exposures, and we hope that other universities ﬁnd the information in this paper useful in developing similar programs.

Conclusion The H&S Inspection Program, implemented by the Office of Risk Management in the university’s residence halls, has resulted in a safer environment. Other universities may find a similar H&S Inspection Program for their residence halls to be beneficial as well. The transparency inherent in the program serves as a checks-and-balances system for the multitude of departments involved in the maintenance and upkeep of residence halls. Additionally, the program makes complaint tracking, inventory control, and records management quick and effective. The H&S Inspection Program at GW is an excellent example of how

URMI A Journal 2009

APPENDICES: Copies, Samples, and Examples of Material Used in the George Washington University Health and Safety Inspection Program APPENDIX A: INSPECTION RECEIPTS Figure A-1: Passed Inspection Receipt

U R M I A Jou r n a l 2 0 0 9

Figure A-2: Failed Inspection Receipt

APPENDIX B: SOFTWARE SCREENSHOTS Figure B-1: Accessing the H&S Inspection Program Database

Figure B-2: Database Table Displaying the Data Collected During Inspections

URMI A Journal 2009

U R M I A Jou r n a l 2 0 0 9

Figure B-3: Health and Safety Data Collected from Program Inspections

URMI A Journal 2009

Figure B-4: Accessing the H&S Inspection Program Database

APPENDIX C: The George Washington University Chemical Laboratory Inspection Program Checklist Building: PI/Supervisor: Inspected by:

Room #:

Dept.: Phone #: Date:

Chemical Laboratory Inspection Program Checklist S = Satisfactory, U = Unsatisfactory, N = Not Applicable A. GENERAL WORK ENVIRONMENT 1. Work areas illuminated

C. REQUIRED INFORMATION/POSTINGS S

Information

2. No food allowed

1. Material Safety Data Sheets and chemical

3. Storage of combustible materials minimized

inventories complete and readily accessible

4. Trash removed promptly

2. Written Chemical Hygiene Plan and

4. Building Evacuation Routes posted

5. Ice making machines posted “Not for

3. Industrial safety glasses for ﬂying particles

4. Areas requiring the use of eye protection

5. Aisles and passageways kept clear

Emergency Action Plan is available

6. Wet surfaces covered with non-slip material

Postings

7. Heavy items stored on lower shelves

3. Lab Hazard Information Forms accurate

8. Means available to reach items stored above

and current

shoulder level 9. Storage at least 18 inches below sprinkler head (in sprinklered spaces) 10. Storage at least 24 inches below ceiling (in

Human Consumption”

non-sprinklered spaces) 11. Illuminated signs working

12. Paths free from obstruction

13. Alternate exits available

14. Fire doors not blocked or wedged open

15. Emergency exit doors not locked or blocked

B. EMERGENCY PLANNING 1. Fire extinguisher mounted

2. Fire extinguisher unobstructed

3. Fire extinguisher fully charged

4. Fire extinguisher tamper indicator in place

5. Eyewash and safety showers available in

close proximity and unobstructed 6. Fire alarm pull stations unobstructed

7. Emergency lights functional

Inspections 8. Fire extinguisher inspected annually

9. Eyewash and safety shower inspected

Procedures adequate to cover anticipated spills

U R M I A Jou r n a l 2 0 0 9

needed 2. Goggles and face shields for corrosives

posted 5. Open toe shoes prohibited in areas where corrosives are used

Facilities

10. Spill control materials available and

D. PERSONAL PROTECTIVE EQUIPMENT 1. Eye and face protection available where

Exits

E. ELECTRICAL HAZARDS 1. Flexible cords in good condition 2. Cover plate in place for outlets and switches

3. Circuit breaker panels unobstructed

4. Machine/instrument access panels in place

5. No exposed electrical conductors (50 volts

6. Multiplug adapters have overload protection

7. No extension cords used

8. Ground fault circuit interrupters (GFCI) used

or more)

for wet/exterior use

Chemical Laboratory Inspection Program Checklist (continued) S = Satisfactory, U = Unsatisfactory, N = Not Applicable F. CHEMICAL STORAGE

H. COMPRESSED GASES

Facilities

1. Used in well ventilated area

3. Storage quantities minimized

4. Secured from tipping

5. Regulators compatible with gas cylinder

6. Cylinder carts used for transport

7. Protective valve caps in place

8. Empty or unused gas cylinders promptly

6. Containers compatible with waste

7. Separate disposal containers available for

2. Fume hood vents (bafﬂes) unobstructed

3. Fume hoods used with sash in appropriate

1. Shelving adequate for loads imposed

2. Toxic, ﬂammable, corrosive gases used in

2. Refrigeration units for chemical storage

fume hood

labeled “No Food” 3. Refrigeration units for food labeled “Food

Only” 4. Chemical storage cabinets properly labeled

Containers 5. Containers clearly labeled with chemical

returned to supplier

name(s) 6. Containers kept closed except during

11. Corrosives not stored above eye level

12. Storage quantities minimized

13. Secondary containment used during

transfers 7. Storage strictly limited in actively used fume

1. Containers kept sealed except during

hoods 8. Containers compatible with the chemical

appear dated are disposed

5. Storage limited to <1 quart of acutely hazardous waste

broken glass 8. Biohazardous waste red-bagged; sharps

G. FLAMMABLE LIQUIDS

containers utilized

1. Used in fume hood or well-ventilated area

2. Stored in ﬂammable liquid storage cabinet

for more than 10 gallons per room S

4. Flammables separated from strong oxidizers

5. Class ABC or BC ﬁre extinguisher available

6. Flammable liquids not stored near hot plates

storage

or other ignition sources

hazardous chemicals are treated as hazardous waste

transport and storage of chemicals

3. Refrigeration units approved for ﬂammables

container label 4. Empty containers that contained acutely

shelves

14. Materials with shelf lives dated or if they

ous Waste” and accumulation start date 3. Constituents of the waste described on the

incompatibilities 10. Large/heavy containers stored on lower

transfer 2. Containers labeled with the words “Hazard-

Procedures 9. Chemicals segregated to avoid

I. WASTE DISPOSAL

J. VENTILATION/FUME HOODS 1. Each chemical fume hood has been surveyed

position 4. Chemical storage strictly limited in actively used hoods

URMI A Journal 2009

APPENDIX D: Equipment Used in the Health and Safety Inspection Program

Chemical Laboratory Inspection Program Checklist (continued) S = Satisfactory, U = Unsatisfactory, N = Not Applicable K. SECURITY 1. Doors to the lab operate, close, and lock

properly 2. Windows operate, close, and lock properly

3. Alarm systems are operating properly

4. Keys and access cards are kept in a secure

4. How to clean up chemical spills

5. The location/contents of the Chemical

area, out of sight

L. TRAINING/AWARENESS Training 1. Workers have attended Laboratory Safety and Emergency Action Plan Training 2. Workers have attended a lab-speciﬁc orientation Awareness: Do laboratory workers know... 3. What to do in the event of an emergency, such as ﬁre or injury, including evacuation routes

Hygiene Plan 6. The Chemical Hygiene Ofﬁcer and Safety

Figure D-1: Handheld Device

Manager for the department 7. What an MSDS is and where to ﬁnd them and

9. What to do with chemical waste

10. What are the most hazardous materials you

12. To question unfamiliar visitors in the lab

13. If anyone in the laboratory is conducting

other safety information 8. What type of personal protective equipment to use and when to use it

use and what precautions to take 11. Where and how to use emergency equipment, such as safety showers and eyewash stations

unauthorized research activities 14. To report unusual or suspicious conditions and security incidents to UPD

Figure D-2: Portable Printer

U R M I A Jou r n a l 2 0 0 9

APPENDIX E: Sample Graphs from Collected Inspection Data

Figure E-1: Number of Violations per Semester by Responsible Party

Figure E-2: Number of ConďŹ scated Items per Semester

URMI A Journal 2009

Figure E-3: Number of ConďŹ scated Halogen Lamps per Semester

U R M I A Jou r n a l 2 0 0 9

APPENDIX F: H&S Inspection Program Safety Awareness Publications

URMI A Journal 2009

About the Authors

F Fitzroy A. Smith, CPCU, ARM, MS, is the Executive Director of Risk M M Management & Insurance at The G George Washington University. Mr. S Smith oversees the operations of the O ce of Risk Management, including Oﬃ P Property and Liability Insurance proc curement, environmental health and safety issues, management of the self-insurance fund – general liability, workers’ compensation, auto liability, and medical malpractice. He also represents GW on Genesis, Ltd., which is a captive-insurance company that is owned by 16 member universities. Prior to joining GW, he served as the Risk Manager for Arlington County, Virginia, and the Director of Property & Liability Services for Local Government Insurance Trust (LGIT).

Dale E. Furrow is the Senior OcD ccupational Environmental Health aand Safety Specialist at The George W Washington University. Mr. Furrow jo joined the Office of Risk Managem ment staff in the spring of 2004 after h holding a position as an environmental sscientist for a national consulting firm. Mr. Furrow has more than seven years of experience in industrial hygiene and environmental health and safetyrelated compliance. He is the primary point of contact for remediation activities in university buildings, and he works closely within the university community to maintain a compliant and safe environment. Mr. Furrow is also pursuing a master’s degree in the Environmental and Occupational Health Program through the GW School of Public Health and Health Sciences.

U R M I A Jou r n a l 2 0 0 9

Robert A. Ulizio is the Health & R S Safety Inspection Manager at The G George Washington University. M Ulizio joined the Office of Risk Mr. M Management staff in the fall of 2006 a after holding a position as an insura fraud investigator and consultant ance w a national firm for 10 years. Mr. with Ulizio has more than three years of experience conducting the Health & Safety Inspections at GW. One of Mr. Ulizio’s primary responsibilities is managing the residence halls’ health and safety inspection function and fostering a safe campus environment. Other responsibilities are to minimize the potential risks and liabilities that can expose GW’s assets to damage or loss. Mr. Ulizio is also pursuing a master’s degree in the Crisis, Emergency and Risk Management Program through the GW School of Engineering and Applied Sciences.

The principle is competing against yourself. It’s about self-improvement, about being better than you were the day before. —STEVE YOUNG (1961– ), PROFESSIONAL FOOTBALL PLAYER

Many hands make light work. —JOHN HEYWOOD (1497–1580), ENGLISH PLAYWRIGHT AND POET

Second Generation Behavioral Intervention Best Practices Brett A. Sokolow, J.D., and W. Scott Lewis, J.D., National Center for Higher Education Risk Management (NCHERM)*

best chances to head off violence before it occurs. If we can Abstract: Since the tragedy of the shooting that took place at empower cultures of reporting on our campuses, friends, Virginia Tech in 2007, colleges and universities across the colleagues, family members, professors, sorority sisters, country have experienced a massive push to identify trouroommates, and resident assistants (RA) can share what bling behavior earlier and proactively prevent such tragedies they know. However, they need to know who to tell. For from taking place in the future. However, ver, what is the best that, they need a behavioral intervention method of identifying potentially harmful mful team (BIT). They need to know what to behavior, communicating that behaviorr to repo report. For that, they need a BIT. The the right people, and, when needed, acting ting We know from the infor information must be centralized to break to prevent harm to others? This articlee dow focuses on how Behavioral Interventionn down the information silos in which research that most mem Teams can help empower cultures of reportmembers of our communities have pieces eportperpetrators of of the th puzzle, but no one team or group ing on campus, ensure information about out gets to see the whole picture. For that, potential threats gets to the right peoplee in school violence do they need a BIT. Once the information is an effective manner, and assist campuses ses assim in acting to protect students, faculty, and assimilated, a caring and effective internd not emerge from vent staff. The article also outlines the 12 best vention must be orchestrated. For that, est the ether with they need a BIT. practices for behavioral intervention teams. eams. H Hundreds of intervention teams surprise attacks no have Introduction been created across the United Stat The post-Virginia Tech era shows a States since April of 2007. The question one saw coming. to as n dramatic shift to proactive prevention ask is whether your team is just an Instead, it is quite infor of dangerous or potentially harmful informal administrative comparing of note ucabehavior in institutions of higher educanotes about concerning behaviors, or is the opposite. it a fformalized BIT operating according ve to tion as the majority of campuses move to policies, po rvenimplement or update behavioral intervenprocedures, and protocols that reflect the best practices that are ng tion team practices. This is a gratifying evolving in our field? ongly back against the trend to those of us who pushed strongly field? That question represents the heart text message system hysteria following the Virginia Tech of this article. First, though, another essential point must shootings and the classroom door lock hysteria of the be made. Regardless of what form an intervention team period after the Northern Illinois University shootings. takes, members of the BIT should be well-trained so that While reactive measures do have worth, the job of higher they know for what behavioral indicators they are looking. education leaders and risk managers is to focus also on NCHERM’s 2008 white paper1 focused on the need to make sure teams are cognizant of the research on patterns proactive prevention of such events. of violence. Since then, it has become apparent that, while Why is behavioral intervention the right approach? We that cognizance is important, stereotypes of violence are know from the research that most perpetrators of school dominating our public conversations. The CNN Speviolence do not emerge from the ether with surprise atcial on campus violence was called “Campus Rage.”2 We tacks no one saw coming. Instead, it is quite the opposite. have replaced “going postal” as a catch phrase with the They give clues. They cause concern amongst friends, colcampus version, “active shooter.” That terminology begs leagues, and even online acquaintances. They make people the question: is there such a thing as a passive shooter? uncomfortable. These clues, signs, and concerns are the *Printed with permission from the National Center for Higher Education Risk Management (NCHERM). URMI A Journal 2009

To effectively protect our higher education institutions and communities, this article will move past the hype and dispel the myth of the “active shooter.” Who should be included in a BIT? If a team is student-focused, it is often comprised of a dean of students or other student affairs administrator, who usually serves as Chair. Additionally, the team may include administrators from housing and residential life if the campus is residential. It may also include a counseling center director or other counselor or mental health professional. The same is true if there is a health center. The Director of Disability Services is a common choice, as iss a director or other orcerepresentative from campus law enforcement. When the team also includes staff uman in its scope, it is common to add a human If your resources representative.

active shooter is a Primal Aggressor. The problem is that school shooters are almost never Primal Aggressors. They are Cognitive Aggressors. Cognitive Aggressors plan their aggression and methodically execute it. At the highest levels of Cognitive Aggression, the point where a school shooting is possible, the aggressor is willing to give up his life for his cause. According to Byrnes, this aggressor experiences a profound disconnection from his own well-being. His body loses animation. His face loses expression. In fact, the “active shooter” is not outwardly angry at all. Our behavioral intervention teams need to assess threat accurately. If th they are looking for the angry aggressor w who is about to explode, they will p be playing to proﬁling, not to the clear resea that is available. Behavioral research mental inter intervention teams must have a better unde understanding of aggression to accurately image of an 4 asses threat. assess

The Myth of the Active Shooter active shooter ur What mental picture comes into your mind’s eye when you hear the term, “acThe Evolution of Behavioral Interis an angry man cribe tive shooter?” What do you see? Describe vent vention him or her. What is he or she doing?? First Generation Intervention Teams dressed in black, What does he or she look like? As bbehavioral intervention teams evolve you have bought ry If your mental image was an angry and become more sophisticated, what ght man dressed in black, you have bought best practices are evolving and what futhe media-driven the media-driven stereotyping. Whatt is ture transformations are on the horizon? merworse, if you imagined an Asian-AmerC Campus assessment, response, and stereotyping. ia ican, the actual images of the Virginia evalu evaluation (CARE) teams and behavioral type Tech shootings have created a stereotype inter intervention functions existed on college camp of their own. What else did you see? Was campuses before Virginia Tech, but their t iti and function are changing dramatihe sweating, out-of-control, and aboutt tto snap?? W Was hhe nature, composition, actively shooting in your mental image? Was he enjoying cally as campuses adjust to new complexities of student it? What was the expression on his face? Was it vengeance? mental illness and increasing violence. Revised models Was it rage? have evolved as a direct response to the Governor’s Panel Report on the Virginia Tech shootings and other national Becoming a Student of Aggression panel and internal review recommendations. To understand attributes and characteristics of the active First generation teams—those that existed before Virshooter, you need to become a student of aggression. Acginia Tech—generally had some commonality. They were cording to John Byrnes, the President of the Center for often informal, and their scope and function was narrow. Aggression Management, there are two types of aggresWe refer to them as the “Resolve Carpet Cleaner” model. 3 sors: the Primal Aggressor and the Cognitive Aggressor. Are you familiar with this miraculous substance? The The Primal Aggressor comes home to find his or her authors have four children under age five between them, partner in bed with someone else and just snaps. Anger, so we are intimately familiar with and grateful for Resolve. rage, and humiliation feed his or her aggression. This is Spray it on anything your kids leave behind, and seconds the stereotype of the active shooter, and it is accurate if an later, the stain is gone from your carpet. Similarly, first

U R M I A Jou r n a l 2 0 0 9

generation teams were spot problem solvers. If they had a problem, they sprayed on an intervention and then moved on to the next stain. Rarely did they have the capacity for longitudinal tracking of student behaviors over time. They also lacked the ability to track and view trends in behavior, both individually and collectively. This short-term, problem solving focus proved to be a fatal flaw—quite literally—in first generation team design. Second Generation Behavioral Intervention Team Best Practices Many distinguishing characteristics set second generation models apart from prior intervention models, but the most salient are 12 key elements, listed briefly below and then expanded upon in the remainder of this article: 1. Second generation behavioral intervention teams use formalized protocols of explicit engagement techniques and strategies. 2. Second generation behavioral intervention teams see their role as nominally to address threat and primarily to support and provide resources to students. 3. Second generation behavioral intervention teams utilize mandated psychological assessment. 4. Second generation behavioral intervention teams have the authority to invoke involuntary medical/psychological withdrawal policies. 5. Second generation behavioral intervention teams are undergirded by sophisticated threat assessment capacity, beyond law enforcement and psychological assessment tools. 6. Second generation behavioral intervention teams use risk rubrics to classify threats. 7. Second generation behavioral intervention teams foster a comprehensive reporting culture within the institution. 8. Second generation behavioral intervention teams train and educate the community on what to report and how. 9. Second generation behavioral intervention teams are technologically advanced and are supported by comprehensive databases that allow the team to have a longitudinal view of a student’s behavior patterns and trends. 10. Second generation behavioral intervention teams focus not only on student-based risks but on faculty

and staff as well. 11. Second generation behavioral intervention teams intentionally integrate with campus risk management programs and risk mitigation strategies. 12. Second generation behavioral intervention teams have a mechanism for “minding the gap.” #1. Second generation behavioral intervention teams use formalized protocols of explicit engagement techniques and strategies. When we discuss the informal nature of first generation teams, we don’t only mean that they met ad hoc, bringing the interested parties for each case to the table as needed. The informal organization of these teams also meant that interventions were not performed using a consistent set of standards. By contrast, second generation teams have fixed membership, regular meeting times, and standardized procedures. The high expectations that are particular to safety and security on campus have highlighted the importance of using formalized protocols and procedures. When a factory or other workplace experiences a shooting, does anyone convene a Governor’s Panel to investigate? Does the President of the United States command a report of what went wrong or how it could have been prevented? When the same kind of violence touches a college campus or any school, the president, the governor, the state legislature, and law enforcement investigators all demand answers. They ask, how could campus administrators let this happen? Higher education is held to a higher standard because the societal expectation is that colleges are relatively immune from violence. When it impacts us, we have to answer to everyone and their aunt. Thus, second generation teams have seen the benefit of clear operating protocols. When the Governor’s Panel asks why we did what we did, we can point to established policies and answer that we did what we did because this is what we always do when faced with a threat of this nature. Second generation teams are consistent, use research and data-driven measures of risk, treat all similarly-situated students similarly and with fairness, and are comprehensive in their engagement. While teams cannot prevent every act, second generation teams are much more than carpet cleaner.

URMI A Journal 2009

#2. Second generation behavioral intervention will have one arm tied behind its back if you refuse teams see their role as nominally to address threat to mandate students to be assessed for their potential and primarily to support and provide resources to for self-harm. Assessment is not an end in itself, but it students. can point the way toward a more successful intervenOne of the challenges of introducing a behavioral tion. It can also encourage a student into a long-term intervention team to your community is that you need and potentially life-saving therapeutic relationship. to market it successfully and create effective buy-in. Legally, teams are entitled to mandate assessment Including “threat” in the name of your team, such as where there are reasonable grounds to believe a Threat Assessment Team (TAT) or Threat Assessstudent may be a threat of harm to themselves or ment Group (TAG), is not going to help. Although others. Some might argue that assessment is a form of counseling and that th it is unethical to mandate counGovernor s Panel sug this is what the Virginia Tech Governor’ sugseling. However, mandating assessment is an ethical n our view. Members gested, it is not a best practice in coun of our communities are sensitivee to counseling practice, and, while individual coun how these teams will function, and counselors have the right to determine whe me, we convey through a team’s name, whether their professional ethics prevent Your team will them for evaluating “coerced” clients who in part, what the intended goals of have one arm tied are u ma the team are. Naming your team under a mandate, that does not mean your team has to abandon the practice of TAT or TAG tells members of your behind its back impo community that the subjects of your imposing this mandate when necessary. If yo mbers team’s caseload are threats. Members you do not have a campus counseling if you refuse to cent of our communities are willing to center, create a contract with an outside mandate students prov ater sacrifice some autonomy for greater provider or agency who feels comfortable with this practice. If your campus security, but they aren’t willing too to be assessed for coun pels submit to a Big Brother who expels counseling center refuses mandated assessm reat” every suicidal student. Using “threat” sessments, again you can look to outside their potential for prov ong in a team’s name conveys the wrong providers, or you can hire new staff as self-harm. ther message about who is being pro-there is turnover in the counseling center who indicate a willingness to engage in tected, from whom, and how. It tells this practice even if your current counselthe members of your communityy to ing staff is not. oncerning behaviors report threats, rather than the concerning that may give you the chance to get out ahead of the Sometimes, even if your campus counselors are threat. Choose a name that conveys that your team is willing to accept mandates, your counseling center about supportive and caring intervention. Examples director may block the practice by center policy. of names that convey a more appropriate tone include Work with your center director to learn what his or campus assessment, response, and evaluation (CARE) her specific objections are and whether compromise teams, students of concern (SOC), and behavioral is possible. Having your center’s director on your intervention teams (BIT). Ultimately, teams will have team may allow that individual better insight into to address some threats, but they will be rare. More the team’s mission, purpose, and challenges. With the often, the team will be engaged in the early intervencounseling center director as a team ally or, better still, tion and support that prevents a behavioral concern a team member, you might be able to more effectively from rising to the level of a threat or crisis. problem solve by getting to the root of the issue. For instance, perhaps the center staff feels inundated by #3. Second generation behavioral intervention mandated assessments. Evaluations usually take no teams utilize mandated psychological assessment. more than a session or two, but many teams mandate This one is a non-negotiable best practice. Your team four sessions, emulating the University of Illinois,

U R M I A Jou r n a l 2 0 0 9

Urbana-Champaign model. Perhaps your director disagrees with this model or just wasn’t consulted about implementation of it. You may need to build some bridges. Most often, counseling center directors tell us that, if they are going to accept mandated assessments, they need expanded staff to handle the caseload those assessments will bring. If your team can effectively advocate for expanded capacity on behalf of the counseling center, the counseling center may become a more willing participant in mandated assessment. Regardless of whether the assessor is internal or external, there are some important decisions to be made by the team. Who will choose the assessor? Will it be your team or the student? If your team will decide, it needs to identify who will conduct the assessment. Will it be a social worker? A psychologist? A psychiatrist? You need to choose a provider you trust and in whose diagnostic capabilities you have faith. Who will pay for the sessions? How soon must the evaluation be completed? Will the student be on interim suspension pending the results of the evaluation? Will you require the student to permit you to communicate with the provider to gain access to the findings of the evaluation? What consequences will you impose if the student fails to grant this permission to your team? What will you do if the student fails to complete the evaluation in time or does not participate in good faith in the assessment? All of this should be clearly spelled out in a policy that enables the team to mandate assessment and in a protocol that spells out how. #4. Second generation behavioral intervention teams have the authority invoke involuntary medical/psychological withdrawal policies. Although this policy should only be invoked in the most extreme and rare cases, you will need it in place as a point of leverage and as the ultimate last resort for those rare times that a last resort is the only option. There are going to be times when it is best for your college or university and for the student to be separated for some period of time. Usually, you can help this process go more smoothly by encouraging the student to voluntarily withdraw. Often, you

can work with parents and community resources to facilitate this transition. Some students may need assistance with refunds, class withdrawals, or grades to make it easier for them to choose to withdraw. Your policy should spell out what your authority is in making it possible for a student who needs help to withdraw without penalties to his or her financial health and academic future. However, there will be rare times where a student refuses to withdraw, parents or families refuse to take him or her home, or the student lacks capacity to make the decision to withdraw. At that point, you need to separate that student involuntarily. If the behavior is not disability-based, you can often accomplish this under the conduct code. If the behavior is disability-based, as in the case of suicidality, disability law is in play, and you can only separate the student from housing or from the university if you determine them to be a direct threat, as defined under Section 504 of the Rehabilitation Act.5 You can make a direct threat determination under your code of conduct, if you have direct threat as a codified violation, but most of our codes lack this provision, and there are procedural reasons why this can be a hairy approach. Instead, most campuses have developed a separate procedure for involuntary withdrawal on a medical or psychological basis. This is an area that requires diligent research and consultation with your legal advisors. Again, you will rarely need to use this policy, but it is essential that you have it in place. #5. Second generation behavioral intervention teams are undergirded by sophisticated threat assessment capacity, beyond law enforcement and psychological assessment tools. When NCHERM created the College and University Behavioral Intervention Team (CUBIT) model,6 we knew it would need to incorporate a body of threat assessment knowledge that would enable teams to accurately and quickly assess threat and risk. However, no such body of knowledge existed at the time in a digestible, easily-packaged form that could be readily implemented by teams. While many experts and approaches had pieces of how to do it, we needed to synthesize the body of knowledge that was out there

URMI A Journal 2009

to create the model. It incorporates measures for harm to self, harm to others, and generalized risk. A multidisciplinary Threat Assessment Tool is included in the NaBITA white paper, Threat Assessment in the Campus Setting, under “Threat Assessment.”7 This free resource will help your team, whether you use the CUBIT model or another approach.

everything, and wonder why the team does not make each concern reported a high priority. Some of us are unlucky. On unlucky campuses, members of the community may not take threats and concerning behaviors seriously, try to conduct interventions on their own without team input, do not know what to report or to whom, and fail to help the team to connect the dots that would help avert an oral intervention impending crisis. These communities have no culture #6. Second generation behavioral fy threats. of reporting. teams use risk rubrics to classify des O course, each of our campuses has The CUBIT Risk Rubric provides Of uaelem a five-level risk tool for every situaelements of all three types. Some people tion that comes to the attention of over report, some underreport, and some Campuses that the team. The job of the team is to know just what to do. If you are unlucky do not have a ly classify the situation as accurately or to too lucky, you need a better balance n y as possible, given the information for your campus. Campuses with over widespread culture repo known at the time, and then to take reporting do not want to squelch that; u repo action accordingly. Whether you reporting is good. The challenge for these of reporting need wn team is to teach members of the comuse this rubric or one of your own teams to intentionally mun what is within the scope of the devising, the key is that you use one munity ficato enable a consistency of classifi cateam and what needs to be addressed create one. Public uld elsew tion and response. A rubric should elsewhere or by the reporter themselves. Ofte the team can coach the reporter include not only a taxonomy for Often, relations campaigns classifying risk but also a “Tools in on h how to quell disruption, set boundintroducing your sts aries or otherwise manage a minor the Toolbox” portion that suggests aries, situa support mechanisms, resources, and situation without relying on the team for team to the n to assis appropriate levels of intervention assistance. C deploy for the given level of risk or Campuses that do not have a widecommunity am. spre culture of reporting need to threat that is perceived by the team. spread will help. inten intentionally create one. Public relations oral camp #7. Second generation behavioral campaigns introducing your team to the mprecom intervention teams foster a comprecommunity will help. Marketing your n the institution. team’s existence aand function will answer questions hensive reporting culture within Some of us are lucky. Members of some campus commany members of your community have been askmunities actively report concerns without delay. This ing: “What do I tell, to whom, when, and how?” We is more common on small campuses or on campuses recommend that you teach your risk rubric to your where a high level of training has instilled in faculty community, distribute brochures, create a team weband staff the need to report concerning behaviors that site, and educate your community with mental health, they see and hear. disability, disruptive student, and suicide gatekeeper Some of us are too lucky, and, on some camtrainings. The goal is to create a common language puses, behavioral intervention team members hear for your community to understand what is concernabout everything, to an extreme. Rather than manage ing and what the team can do about it. Here are a few classrooms, offices, residence halls, or other facilities, other suggestions that may help you to empower a faculty and staff use the intervention team as a crutch. culture of reporting: Members of these communities often see threats in • Mandate reporting by all employees

U R M I A Jou r n a l 2 0 0 9

• • • •

Create an online reporting system Enable anonymous reporting Accept reports from outside your campus Create an amnesty policy to minimize any stigma associated with reporting

#8. Second generation behavioral intervention teams train and educate the community on what to report and how. The associate athletic director notices that Troy has missed three successive practices, and his excuses are ﬂimsy. Troy’s roommate notices that Troy is having some unusually erratic mood swings. Troy’s organizational dynamics professor has two encounters with Troy over inappropriate classroom conduct. Troy’s RA notices a profusion of prescription drug containers in Troy’s Dopp kit when he uses the hall bathroom. None of these members of your community reported the behavior they observed to the behavioral intervention team, because each of them believed the observed behavior was minor and isolated. Each of these members of the community failed to report important information because they did not know it was important. That failure is our failure, not theirs. The team needs to provide training and communicate to the members of our community that, no matter how minor the behavior or incident, the intervention team needs to know. Four minor incidents all within the same period of time are not minor anymore. They indicate a pattern or trend and, when taken together, could be an indicator of an individual in a serious situation. We need to train members of our community that threat assessment is not their job, but the job of the behavioral intervention team. Therefore, they need to pass everything along, so that the team can connect the dots and see the patterns that individual reporters may miss. It is important that you train the campus community to use a common language in identifying and reporting behaviors. For instance, NCHERM uses the “D scale,” which provides straightforward deﬁnitions of four increasing levels of mental health-related risk that can help members of your community better understand what they are seeing and experiencing, and what needs to be reported to the behavioral interven-

tion team. The four levels of the D scale are distress, disturbance, dysregulation, and medical disability.8 #9. Second generation behavioral intervention teams are technologically advanced and are supported by comprehensive databases that allow the team to have a longitudinal view of a student’s behavior patterns and trends. Teams that pre-dated Virginia Tech frequently did not track individuals longitudinally, or from what W. Scott Lewis calls “the 50,000 foot view.” While there is a need to problem solve for the behavior the individual is exhibiting now, there is also a need to see how that individual is doing over time. How are they responding to the intervention? Is medication helping? Is parental involvement effective? The sheer volume of student issues and the need for complex recordkeeping has conspired to create the need to make a behavioral intervention team database a best practice. A spreadsheet will not be sufficient for you to track reports and behaviors adequately. Lobby to allocate some of the money being spent on door locks, multi-modal text message systems, sirens, public address systems, National Incident Management System (NIMS) training, or security cameras for a welldeveloped database. Database providers like Maxient and RiskAware build reasonably priced databases specific to behavioral intervention. Maxient has the most flexibility, because of its ability to interact with other campus information systems and populate data from those systems. It also allows for greater customization and provides extensive product support. RiskAware’s “Red Flag” platform is more affordable and is really a single-purpose product. Both have their relative merits, and both will cost you less than building a comparable system in-house. #10. Second generation behavioral intervention teams focus not only on student-based risks but on faculty and staff as well. Rebecca Griego was shot and killed in her office at the University of Washington in April of 2007 by an ex-boyfriend.9 In October 2008, a librarian at Northeast Lakeview College in San Antonio, Texas, shot and killed another librarian in the college library.10

URMI A Journal 2009

We cannot continue to live under the illusion that it is management programs and risk mitigation strateonly students who perpetrate campus violence. Theregies. fore, we must ask whether our behavioral intervention A key advantage of a second generation behavioral teams need a broader scope to include non-students. intervention team is that its formality and defined A team at the University of Washington could have incorporation into the campus fabric make it possible been informed of the restraining order Rebecca had for advanced team capacities to come into play. We against her ex-boyfriend. Northeast Lakeview Colrecommend that you integrate your second generarmed of and tracked lege’s team might have been informed tion behavioral intervention in team with pre-existing or any conflict or aberrant behaviorr by new newly forming campus and community the aggressor librarian before it hapreso resources, such as crisis management arily pened. While we do not necessarily plan plans, emergency response procedures, You can integrate recommend that every team havee a and critical incident stress debriefing epcampus-wide scope from its incepteam teams protocols. For example, the NIMS team protocols n tion, a broad scope should be an Incid Incident Command System (ICS) with existing train eventual goal. However, gradual imtraining that all colleges are using to pus ensu plementation may enhance campus ensure the quality of emergency response campus risk mbers requ buy-in, especially as faculty members requires us to clearly define who has rack incid learn of a team that intends to track incident command jurisdiction in a given management ntial situa their behaviors. There is a potential situation. Thus, you can integrate campus programs any eme political minefield there, and many emergency and crisis protocols with beha campuses elect to implement thee behavioral intervention team protocols addressing to ensure en student-focused team first and allow that when the Team Chair and pect the E it to gain credibility and the respect Emergency Incident Commander sex offenders, both arrive on site, there is clarity about of the community. criminal ether their roles in handling the incident. We are asked frequently whether Y an employee-focused team can overYou can also integrate team protocols background m in with existing campus risk management lap with a student-focused team prog terms of membership, records, and programs addressing sex offenders, crimichecks, and swer nal background b intervention techniques. The answer checks, and admissions admissions ne scree is that your campus could use one screenings. For example, if your admisoyee sion team for both student and employee sions staff admits a known sex offender, screenings. erthat fact should be logged and tracked in intervention, though the memberclude the behavioral b ship would have to expand to include intervention team database human resources representativess and base. If your campus has a felony review d union i f admissions, d i potentially employee assistance programs and process for you may also explore the level representatives. In some states, you cannot comingle of training that committee has received in threat asemployee and student records, which may impact resessment and pattern violence. It may make sense to cordkeeping. While the main techniques of intervenuse your intervention team to train that committee or tion are common, it may also make more sense to have to actually have team members serve on this commitone student-focused team and one faculty/administee because of its knowledge and expertise. tration/staff-focused team. No clear best practice has While it makes sense to ask admissions screening emerged on this question yet. questions, it is only useful if you have the capacity to do something when an applicant indicates a criminal #11. Second generation behavioral intervention history. A behavioral intervention team can ensure teams intentionally integrate with campus risk that you have the capacity to react when and if you

U R M I A Jou r n a l 2 0 0 9

move to ask these important admissions screening questions. Campus risk managers should build communication with the intervention team to discover how both offices can work together to reinforce risk management and risk mitigation initiatives that may parallel behavioral intervention team initiatives. #12. Second generation behavioral intervention teams have a mechanism for “minding the gap.” In London, there is a space between the platform and the train in the Tube (subway) stations. A soothing voice cautions you to “mind the gap” as you board, lest you misstep and wind up in the gap. We have adapted this caution for behavioral intervention team purposes, and encourage teams to mind their gaps. Gaps for these teams are periods of time in which a problematic student goes inexplicably quiet, as Seung-Hui Cho largely did at Virginia Tech after the fall of 2005. Using the database to remind you, the key is to monitor those who have fallen off the radar screen. This is a huge distinction between first generation and second generation teams. If a student was causing problems, a first generation team would just spray on the carpet stain remover and move on to another student. No one would ask why the spot was gone; everyone was just relieved that it was, freeing up time to move onto the next one. However, do stains come back faintly over time, depending on the nature of the stain? Having a mechanism for “minding the gaps” means monitoring periods where a student in distress goes dormant. The role of a behavioral intervention team is determining whether such quietude calls for increased or decreased monitoring needs and acting accordingly. Team members should debrief interventions as a team. Once support structures are in place and resources are deployed, the team should determine how long a period of quietude has been sustained. The team then needs to question whether the gap is explained by the effective deployment of supports and resources or whether the gap is unexplained: • Is the student continuing in a course of therapy? • Are parental supports ongoing? • Are friends helping to monitor?

• •

Is a medical regimen working? Are other inhibitors to harm or self-harm in place?

If the answers to the above questions are yes, quietude is not necessarily cause for alarm. However, if follow-up and check-in reveals a student who is untethered from the mechanisms of intervention, the gap may be an indicator of a greater need for observation or further intervention. What might that quiet student be planning? A second generation BIT asks and acts on that question rather than focusing on treating the next stain.

About the Authors

Brett. A. Sokolow, J.D., is the B P President of the National Center for H Higher Education Risk Management ((NCHERM) (www.ncherm.org), a n national multidisciplinary consulting ﬁrm dedicated to helping colleges and u universities manage risk by advancing sstudent health and safety. NCHERM serves 19 campuses as outside counsel/advisor and serves as a consultant to hundreds of other colleges and universities. Mr. Sokolow is the author of 10 books and more than 50 articles on student aﬀairs law and policy topics. He is the Editor Emeritus of the Report on Campus Safety and Student Development. He serves on the Board of Trustees of the Council on Law in Higher Education (CLHE). Mr. Sokolow is on the Directorate Body of the American College Personnel Association’s (ACPA) Commission on Student Conduct and Legal Issues. He has recently coauthored, “A Model Approach to Behavioral Intervention and Threat Assessment,” and co-authored an article for the Journal of College and University Law, “College and University Liability for Violent Campus Attacks” (April 2008). Mr. Sokolow is one of the founders of the National Behavioral Intervention Team Association (NaBITA) (www. nabita.org). This membership association is dedicated to the support and professional development of campus, corporate, and school behavioral intervention teams and models.

URMI A Journal 2009

UW,” The Seattle Times, April 3, 2007, http://seattletimes.nwsource.com/

W. Scott Lewis, J.D., is a partW n ner with the National Center for H Higher Education Risk Management ((NCHERM) (www.ncherm.org), ccurrently serves as Associate General C Counsel for Saint Mary’s College in IIndiana, and has served as an Assisttant Vice Provost, Director of Judicial Aﬀairs, and faculty member. He is a frequent keynote and plenary speaker, nationally recognized for his work on behavioral intervention for students in crisis and distress. He is also noted for his work in the area of classroom management and dealing with disruptive students. He presents regularly throughout the country, assisting colleges and universities with legal, judicial, and risk management issues, as well as policy development and implementation. He has recently co-authored an article for the Journal of College and University Law, “College and University Liability for Violent Campus Attacks” (April 2008). Mr. Lewis is one of the founders of the National Behavioral Intervention Team Association (NaBITA) (www.nabita.org). This membership association is dedicated to the support and professional development of campus, corporate, and school behavioral intervention teams and models.

Endnotes 1

Brett A. Sokolow, J.D. and Stephanie F. Hughes, Ph.D., “Risk Mitigation through the NCHERM Behavioral Intervention and Threat Assessment Model,” The National Center for Higher Education Risk Management, 2008, http://www.ncherm.org/pdfs/2008-whitepaper.pdf.

Abbie Boudreau, “Campus Rage: Mom Saw Warning Signs in Son,” CNN, AC360q, April 11, 2008, http://ac360.blogs.cnn.com/2008/04/11/campusrage-a-mother-stops-her-son/.

These terms are the intellectual property of the Center for Aggression

Brett A. Sokolow, J.D., W. Scott Lewis, J.D., Carolyn Reinach Wolf, Esq., Brian

Management. They are used here with permission. Van Brunt, Ed.D., and John D. Byrnes, “Threat Assessment in the Campus Setting,” National Behavioral Intervention Team Association (NaBITA), 2009, http://www.nabita.org/docs/2009NABITAwhitepaper.pdf. 5

“Fact Sheet: Your Rights Under Section 504 of the Rehabilitation Act,” United States Department of Health and Human Services, June 2006, http://www.hhs.gov/ocr/civilrights/resources/factsheets/504.pdf.

Sokolow and Hughes, “Risk Mitigation through the NCHERM Behavioral Intervention and Threat Assessment Model.”

Sokolow, et. al, “Threat Assessment in the Campus Setting.”

National Center for Higher Education Risk Management, “Campus Safety 101,” MAGNA, http://www.magnapubs.com/courses/cs101.html?view=1.

Jim Brunner and Nick Perry, “Months of Stalking End with Two Dead at

U R M I A Jou r n a l 2 0 0 9

html/localnews/2003648679_uwshooting03m.html. 10

Melissa Ludwig, “Gunman Kills Librarian at College,” San Antonio ExpressNews, October 13, 2008, http://www.mysanantonio.com/news/Shooting_ reported_at__Northeast_Lakeview_College.html.

Coming together is a beginning. Keeping together is progress. Working together is success. —HENRY FORD (1863–1947), FOUNDER OF THE FORD MOTOR COMPANY AND FATHER OF THE MODERN ASSEMBLY LINE

When written in Chinese, the word “crisis” is composed of two characters. One represents danger and the other represents opportunity. —JOHN F. KENNEDY (1917–1963), U.S. PRESIDENT (1961–1963)

URMIA Members Emeriti Robert Beth, CPCU, CSP, DRM 905 Mears Court Stanford, CA 94305 E-mail: rbeth101@comcast.net

Thomas Henneberry, JD, DRM 46 Lancaster Avenue Revere, MA 02151 E-mail: trhen@alum.mit.edu

Isaac Charlton 4027 Birch Lane Fairbanks, AK 99709

*William Hustedt DeForest, WI

*Ernest L. Conti Moon Township, PA Mary Donato, ARM 1801 Tucker NE Bldg 233 University of New Mexico Albuquerque, NM 87131 E-mail: mdonato@unm.edu Gerald Duncan 1639 1st Street SW Minneapolis, MN 55112 Murray C. Edge, ARM, CSSD, WSO, DRM 518 Shalamar Place Irving, TX 75061 E-mail: murrayedge@email.msn.com *Charles D. Emerson Lexington, KY Patricia J. Fowler, CPCU, ARM 9489 SW 66th Loop Ocala, FL 34481 James R. Gallivan 1517 Waverly Drive Champaign, IL 61821 Thomas C. Halvorsen, ALCM, ARM, AU, CPCU, BBA, DRM

24415 Amberleaf Court Leesburg, FL 34748 E-mail: tomjoy9@comcast.net George Harland 6248 Willow Avenue Williamson, NY 14589 Alice Horner, ARM 138 CO, Route 14 Fulton, NY 13069 E-mail: a_f_horner_2000@yahoo.com

*Deceased

Benning F. Jenness, DRM 1077 Showalter Road Moscow, ID 83843 E-mail: mtnjenness@moscow.com Michael G. Klein, DRM 113 West Lytle Avenue University Park, PA 16801 E-mail: mgk1@psu.edu Sandra LaGro 230 Larchwood Drive Bowling Green, OH 43402 E-mail: dslagro@aol.com Jack Leavitt 24437 Cutsail Dr. Damascus, MD 20872 E-mail: jbleavitt@gmail.com Claudina Madsen, DRM 678 Arrowwood Court Los Altos, CA 94022 Eugene D. Marquart, DRM 11270 Crocker Grove Lane Gold River, CA 95670 William O. Park, MS, MBA, CPCU, ARM, DRM 111 Franklin Street Geneva, IL 60134 E-mail: wpark56683@aol.com Janet Parnell, ARM 178 Lindstrom Road Silverthorne, CO 80498 E-mail: japarnell01@direcway.com William A. Payton, DRM 9489 SW 66th Loop Ocala, FL 34481 E-mail: ambert@embarqmail.com Truman G. Pope, DRM 5400 South Burlington Drive Muncie, IN 47302

*Alex J. Ratka Vancouver, BC Canada Harry E. Riddell 8333 Seminole Boulevard, Apt 507B Seminole, FL 33772 E-mail: hhriddell@juno.com James R. Roesch 510 East Beaumont Road Columbus, OH 43214 William F. Ryan 2548 Cross Country Drive Port Orange, FL 32128 Martin Siegel 36 Country Club Drive Jericho, NY 11753 Stanley Tarr, DHL, DRM 19 Hedge Row Road Princeton, NJ 08540 E-mail: srtarr@verizon.net Donald Thiel, DRM 3660 Miller Road Ann Arbor, MI 48103 E-mail: dlthiel@comcast.net Kathy M. Van Nest, CPCU, DRM 32 Wes Sandling Road Franklinton, NC 27525 E-mail: kvannest@nc.rr.com Leo Wade, PhD, ARM, DRM 208 Montell Drive Georgetown, TX 78628 E-mail: lwade@caps.usc.edu John H. Walker, DRM 273 Zodiac Drive Alpine, AL 35014 Jerre Ward 1812 Tupelo Trail Holt, MI 48842 E-mail: jerreward3@juno.com Robert B. Williams, CPCU, ARM 7 North Shaffer Drive New Freedom, PA 17349 E-mail: rwcw6@aol.com Barbara M. Wolf 5216 Haskell Street La Canada Flintridge, CA 91011

URMI A Journal 2009

URMIA Presidents

2009–2010

Margaret Tungseth Concordia College (Minnesota)

1988–1989

Mary Breighner Columbia University

2008–2009

Vincent E. Morris Wheaton College (Illinois)

1987–1988

John H. Walker University of Alabama—Birmingham

2007–2008

Ellen M. Shew Holland University of Denver

1986–1987

Thomas C. Halvorsen University of Wisconsin

2006–2007

Allen J. Bova Cornell University

1985–1986

Eugene D. Marquart California State Universities

2005–2006

Mary Dewey University of Vermont

1984–1985

William O. Park Northwestern University

2003–2005

William A. Payton University of Missouri

1983–1984

Alex J. Ratka University of Southern California

2002–2003

Steven C. Holland University of Arizona

1982–1983

Truman G. Pope Ball State University

2001–2002

Larry V. Stephens Indiana University

1981–1982

Martin Siegel New York University

2000–2001

Leo Wade, Jr. University of Southern California

1980–1981

Charles D. Emerson University of Kentucky

1999–2000

Larry V. Stephens Indiana University

1979–1980

Dale O. Anderson University of Iowa

1998–1999

Glenn Klinksiek University of Chicago

1978–1979

David N. Hawk Kent State University

1997–1998

Gary H. Stokes University of Delaware

1977–1978

James A. White University of Illinois

1996–1997

George H. Meeker Cornell University Medical College

1976–1977

James McElveen Louisiana State University

1995–1996

Linda J. Rice Clemson University

1975–1976

George A. Reese Temple University

1994–1995

Gregory P. Clayton University of Nebraska

1974–1975

Irvin Nicholas University of California

1993–1994

Murray C. Edge University of Tennessee

1973–1974

Donald L. Thiel University of Michigan

1992–1993

Kathy M. Van Nest Duke University

1972–1973

Stanley R. Tarr Rutgers University

1991–1992

Benning F. Jenness Washington State University

1971–1972

Warren R. Madden Iowa State University

1990–1991

Leta C. Finch Champlain College

1970–1971

Robert M. Beth Stanford University

1989–1990

Thomas R. Henneberry Massachusetts Institute of Technology

1969–1970

James R. Gallivan University of Illinois

U R M I A Jou r n a l 2 0 0 9

Distinguished Risk Managers 2008

2007 2006

2005 2004

2003

2002 2001 2000

1999 1998 1997

1996

1995

1994

1993

Mike Bale Oklahoma State University Steve Holland University of Arizona Allen J. Bova Cornell University Linda Rice Clemson University Bill Payton University of Missouri Jill Laster Texas Christian University Christine Eick Auburn University Elizabeth Carmichael Five Colleges Paul Clancy Boston University Mary Dewey University of Vermont Larry Stephens Indiana University Rebecca L. Adair Iowa State University Glenn Klinksiek University of Chicago John E. Watson Pepperdine University George H. Meeker Cornell University Medical College Leo Wade, Jr. University of Southern California Kathy M. VanNest Duke University Charles Cottingham University of Missouri Michael G. Klein Pennsylvania State University Thomas R. Henneberry Massachusetts Institute of Technology James A. Breeding Rutgers University Donald Thiel University of Michigan Benning F. Jenness Washington State University Claudina Madsen CPSJ Insurance Group William J. Wilson, Jr. Howard University Truman G. Pope Ball State University Murray C. Edge University of Tennessee

1992

1990

1989

No Date

Leta Finch University of Vermont Mary Breighner Columbia University Charles Emerson University of Kentucky Thomas C. Halvorsen University of Wisconsin, Madison Stanley R. Tarr University of Evansville John Adams Robert M. Beth Stanford University William O. Park Northwestern University John H. Walker University of Alabama, Birmingham Eugene D. Marquart California State University System Lee Stenquist Utah State University

The URMIA Journal is published annually by the University Risk Management and Insurance Association (URMIA), P.O. Box 1027, Bloomington, IN 47402-1027. URMIA is an incorporated non-proﬁt professional organization. The 2009 URMIA Journal was edited by Christie Wahlert, URMIA, Bloomington, Indiana; the covers were designed by Ellen Rising Morris of Eighth Day Creations, Wheaton, Illinois; and printing was completed at Indiana University Printing Services, Bloomington, Indiana.

There is no charge to members for this publication. It is a privilege of membership, or it may be distributed free of charge to other interested parties. Membership and subscription inquiries should be directed to the National Office at the address above. © LEGAL NOTICE AND COPYRIGHT: The material herein is copyright July 2009 URMIA; all rights reserved. Except as otherwise provided, URMIA grants permission for material in this publication to be copied for use by non-profit educational institutions for scholarly or instructional purposes only, provided that (1) copies are distributed at or below cost, (2) the author and URMIA are identified, (3) all text must be copied without modification and all pages must be included, and (4) proper notice of the copyright appears on each copy. If the author retains the copyright, permission to copy must be obtained from the author.

Unless otherwise expressly stated, the views expressed herein are attributed to the author and not to this publication or URMIA. The materials appearing in this publication are for information purposes only and should not be considered legal or financial advice or used as such. For a specific legal or financial opinion, readers should confer with their own legal or financial counsel. URMIA would like to recognize the following contributors for their efforts in reviewing and publishing the 2009 URMIA Journal:

COMMUNICATIONS COMMITTEE: Donna Smith, Chair COMMITTEE MEMBERS: Regina Beer Allen J. Bova Michaele DeHart Gwen Drumgoole Harsh S. Dutia Anne N. Gregson Julie Groves

Lorna Jacobsen Corrinne Kjelstrom Fitzroy A. Smith Larry V. Stephens Nigel Wilson Jenny Whittington, Executive Director

Christie Wahlert, Communications and Marketing Associate

URMI A Journal 2009

We are told never to cross a bridge until we come to it, but this world is owned by men who have ‘crossed bridges’ in their imagination far ahead of the crowd. —ANONYMOUS

Back cover: Pittsburgh skyline from the river. (Photo courtesy of VisitPittsburgh) Pittsburgh: Host city for the 2010 URMIA Conference, October 9–13.

Conference Host City

Pittsburgh October 9â&#x20AC;&#x201C;13, 2010

Presorted Standard U.S. Postage PAID Bloomington, IN Permit No. 2

University Risk Management and Insurance Association

If undeliverable, return to: URMIA National OfďŹ ce P.O. Box 1027 Bloomington, Indiana 47402