Our library offers a variety of business services such as copying, scanning, emailing, and faxing, and we also have staff on hand to assist patrons with these services. We often have patrons request assistance with scanning and emailing or faxing sensitive documents including checks (with banking/routing numbers), driver’s licenses, Social Security cards, or other financial/legal documents.
I am wondering:
a) What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer? How do we protect our patrons from scams/fraud while also respecting their privacy?
b) How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?
This question tugged at my heart, because lawyers face issues like this, too.
Maintaining confidentiality while addressing concerns that a person is being victimized creates terrible tension. The need to maintain a trusting relationship, governed by professional ethics, makes the tension all the more acute.
It is those professional ethics, however, that will carry the day.
What is the basis of a librarian's obligation of confidentiality? Confidentiality of library records is, of course, protected by state law, but it starts in item "III" in the ALA Code of Ethics:
III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.
But this issue also related to item "I" from that Code:
I. We provide the highest level of service to all library users through appropriate and usefully organized resources; equitable service policies; equitable access; and accurate, unbiased, and courteous responses to all requests. [emphasis added]
So, here we are: iron-clad confidentiality, coupled with "unbiased" responses to all service requests. From within those ethical boundaries, the member has asked:
There are information management professionals far more qualified than I to discuss the professional nuances of these questions. But from the legal perspective, and to address the legal questions about obligations, protection, and liability, here are my answers.
What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer?
There is no legal duty to inform a patron of this suspicion. Further, I see nothing in the ALA Codes of Ethics that makes it an ethical duty of the profession.
How do we protect our patrons from scams/fraud while also respecting their privacy?
We have reviewed that there is no legal or ethical obligation to "protect" a patron in these circumstances, and there can even be concerns related to trust, confidentiality, and perceived bias that mean a librarian should keep their suspicions to themselves.
However, neither the requirement to be confidential, nor the obligation to provide services without bias, stop a librarian from doing what they do best: sharing information. And nothing stops a library from pre-assembling a compilation of available resources the library can use to empower a patron to assess if they are being scammed.
Here is a scenario showing how such a "compilation" could be used:
PATRON: I need to print an email.
LIBRARIAN: Sure, the computer in over here. Let me know if you need instructions on how to print.
PATRON: Can you also help me find the email? It has instructions to wire money. It's from my grandson, Michael. Normally I would ask his mother to help me but this is a real emergency and I can't tell her what's happening, it would just kill her.
LIBRARIAN: I am happy to help; there, it's printing. [pauses] You know, this request reminds me of something I read/heard about. Do you want to know about it?
LIBRARIAN [searches for "bail the grandchild" scam]: Here it is. [Retrieves list of information.] And here is a resource about who to call when there is a concern about the type of thing on this website. [Hands patron list of resources]
Here is a template for this type of "list of resources":
"Trust but Verify"
A guide to checking the legitimacy of
requests and correspondence.
Compiled by the [insert name of library].
Have you been told you suddenly owe money?
□ YES □ NO
Has there been a request for account or personal information from a new or unusual source?
□ YES □ NO
Has someone told you a family member is in danger?
□ YES □ NO
Is someone pressuring you to make a quick decision about money?
□ YES □ NO
Does something about outreach to you just not feel right? Or does it seem "too good to be true"?
□ YES □ NO
These days, scammers can pretend to be from the IRS, Social Security, or even your religious organization or family.
There are resources to help you let the good guys in, while keeping the bad guys out. Here in [library location by county or municipality], the following resources can help you make the right call:
Free for anyone 55 or older, there is also:
Your banker, lawyer, or accountant will also be able to help you confirm the source of requests for wire transfers and other financial transactions.
...Or you can ask a librarian to help you find a resource suited to a particular document or situation. We can't tell you what's legit, but we can help you find the people who can.
Don't feel bad asking, even data security specialists have to "Trust, but Verify" these days!
A simple offer of information, and a plain-language resource like this can be a handy way to raise concerns without having to tell someone "You're being scammed."
At the end of the day, not all patrons will be receptive to this offer of information, and not all patrons will believe they are being scammed--even if their story matches a scam-scenario.
But no matter what the patron's reaction, by taking this approach, the librarian will have done the only thing the librarian is ethically obligated to do in this type of situation: provided unbiased services, and granted access to information, while maintaining the confidentiality of same.
How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?
If the librarian suspects that the scenario could be an illicit scam, but doesn't know this is phishing, social engineering, or another type of activity that can lead to fraud, there is no responsibility for what happens next (unless the library has adopted an internal policy stating otherwise, in which case there could be some employer-imposed consequences).
On the other hand, if the librarian somehow knows that the scenario is an illicit scam, and actively helps with the commission of what they know to be a crime, then yes, there could be liability. But once such a scam is known, not merely suspected, this becomes a whole other question.
A few more comments
Another aspect I want to address is if the librarian is concerned not that the person is being duped, but that they don't have the mental capacity to comprehend and/or remember they are being duped.
People with Alzheimer's and other conditions impacting cognitive ability may rely heavily on an established routine of visiting their local library. Further, people with that impairment still may be able to function independently for most aspects of their day. However, a librarian detecting a possible scam could be on the front line of a legitimate concern that they don't have the function to assess the situation.
There are too many permutations of this situation for me to give general guidance, except to say: if there is a concern that a person can be vulnerable to harm due to a medical condition or disability, but their condition is not so extreme that there is clearly a justification to call medical services, call an expert.
If the person is over 55, the Center for Elder Law and Justice is a great resource; they address these types of issues every day, and their hot line is there to help assess a situation and identify possible next steps. If the person is not over 55, a good resource could be the local Social Services agency.
When it comes to this issue, my overall advice is to remember that as a resource to the community, library employees are there to provide access to information and resources, not to protect people from harm. The good news is, by providing that access in a manner consistent with library ethics, library employees can help patrons protect themselves from harm. And that is how a library can help stop a person from being scammed.
Speaking from experience, I can say that not every person will take information when it is offered. There are times when the only comfort that can be taken from a situation is to know that you tried your best. But by focusing on the ethics, and the provision of information, a librarian can help a person identify a scam, and avoid legal entanglements.
I wish you strength on this one. Your patrons are very fortunate.
 And if there are any accountants, athletic trainers, or mental health counsellors who (for some reason) read an "Ask the Lawyer" column for libraries, museums, and historical societies, I bet it sounds familiar to them, as well.
 CPLR 4509
 Which is replicated in the New York Library Association Code of Ethics.
 Don't worry, we'll also address what you can do if the patron says "No, just help me scan my driver's license," and what to do if you are concerned the person doesn't have the capacity to make an informed decision.
 It is interesting to contemplate if there could be a policy for the use of information transmission equipment (phones, faxes, scanners, email, etc.) that included a provision that "Library employees who suspect a patron is falling prey to or contributing to a criminal enterprise must immediately report their concerns to the director for appropriate action under the relevant policy;" linked with a provision in a Code of Conduct "Patrons using library resources.”
 I struggled to come up with a scenario where the librarian knows the scam is on, but here goes: A librarian is a personal friend of Jeff Bezos. A patron comes in and says Jeff Bezos wants to give $50,000.00 to the patron and 5,000 other lucky people; they just need to wire Jeff $5,000. While helping to print the wire instructions, the librarian calls their friend Jeff Bezos to ask: "Hey, Jeff, are you giving fifty thousand dollars each to five thousand people?" at which point Jeff Bezos laughs and says, "No way, but can you believe some people are actually wiring me money? Now I can repaint my third yacht. Best scam ever. Hey, want to go fishing?" Now the librarian knows it's a scam; if they help in any way after that, they are arguably complicit.
It has come up at our Reference meetings that patrons are using our technology to alter documents such as doctor’s notes (extending days of medical excuse, for example) and our staff is increasingly uneasy about assisting patrons with this. We try our best to ignore what people have on the screen but sometimes they ask for our help with altering scanned documents, and it's impossible to pretend we don't see what they are doing. We are uncomfortable telling patrons we decline to help them based on ethical reasons, because that would show admitting we have read what is on the screen. We are somewhat concerned about liability and potential obligation to report illegal activity. What are some ways we can shield staff from having to help patrons commit fraud?
Wow. There is really just no hum-drum day for librarians, is there?
Okay, let’s take this in stages.
First, the member’s question starts with the premise that the alteration of certain documents is illegal. That premise is correct. And although there are any number of crimes such alteration could be (depending on the type of document), here in New York, the catch-all term would be “Forgery.”
Forgery is a crime that comes in many degrees, but whatever degree, it involves the act of falsely making or altering a document (meaning the forger invented it wholly, or—as in the scenario—somehow manipulates or alters the original). However, it is important to note that a critical element of Forgery, no matter what degree, is the intent to defraud, deceive, or cause injury.
Second, the member raises the concern that, if library staff assist a patron who turns out to be a forger, they could risk being implicated in the crime—or feel an obligation to report what they have seen. While I found no case law addressing this precise scenario, these are valid concerns.
We’ll start with some good news: for staff to be (legally) implicated, they would have to be aware of the forger’s criminal intent. In other words, the staff would have to know that the person was planning to defraud, deceive, or cause injury; the mere suspicion would not make them part of a crime.
That said, if the content visible on the screen makes it difficult to ignore a crime in progress (for instance, the manipulation of child pornography) or the possibility of imminent harm to another (someone changing the checkboxes on a Power of Attorney, for example), both library operational integrity, and staff well-being, may require removing personal service, removing privileges, and/or alerting law enforcement.
Unfortunately, after looking at case law, guides from the ALA, and numerous policies in the field, I could find no graceful way for staff to simply discontinue service, without telling a patron why. Since staff assistance is in many ways as much of a right (once it is routinely provided) as access to your collection and technology, withholding it without a clear basis is a due process concern (for public libraries) and a professional ethics/best practices concern (for private libraries).
That said, I can offer the following steps to making sure staff are ready to address this difficult situation:
First, every employee and volunteer assisting patrons should have the phrase “service to patrons, in accordance with established policies and procedures” in their employee handbook, job description or volunteer letter (the wording doesn’t have to be precisely this, but the requirement of staff to follow library policies should be express).
Second, an institution providing access to “maker equipment” (computers, scanners, 3D printers, recording devices, tools, etc), should have a posted, public policy forbidding use of library equipment for illegal activity. Something like:
“Use of library equipment for illegal activity is forbidden. Examples of illegal activity include but are not limited to: manipulating illegal content, engaging in forgery (falsely altering documents), gaining unauthorized access to other computers or networks, and 3D printing of illegal devices. Staff assisting you, who suspect illegal activity, are authorized to discontinue assistance, and the library may discontinue your library access and contact law enforcement. Patrons using technology to alter official or signed documents should be aware that such activity may be perceived as potentially in violation of this policy.”
As with any library policy impacting access and privileges (including staff assistance), such a policy should have an established procedure, and at least one level of appeal.
Third, staff and volunteers should be trained on how to withdraw service while honoring the rights of patrons. A very simple policy (coordinated with current bylaws and other institutional policies before implementation), such as the generic one below, could assist with balancing staff well-being with patron rights:
It is the policy of the library that, to promote the integrity of operations, and the well-being of staff, use of library equipment and staff services in furtherance of illegal activity is forbidden.
Staff concerned that a patron’s use of library technology may violate the law shall withdraw their services and/or patron access to the technology, per the below procedure.
In making this policy, the library re-affirms that unless authorized by law, patron records, including those generated by the use of technology, are confidential, and that users of the library technology have a right to privacy.
In making this policy, the library re-affirms that all patrons are entitled to excellent service and access, and that such service and access shall not be removed without due process.
A staff member identifies a potential violation, withdraws from the patron, and consults a supervisor to confirm that withdrawing service and/or access is appropriate.
If the supervisor, upon further assessment, agrees that the use violates the policy, and that withdrawing service and/or access is appropriate, the supervisor will initiate the removal, and provide in writing to the patron:
On [DATE], your access to [/SERVICE/TECHNOLOGY] was removed, on the basis that the use was barred under our posted policy (copy enclosed). This removal may be appealed by sending a letter of appeal to [PERSON], at [ADDRESS] by [DATE]. The library respects your privacy and does not require you to appeal or to provide any further information regarding this matter, unless you choose to do so.
If an appeal is filed, the [PERSON TO WHOM APPEAL IS DIRECTED] shall consult leadership and legal counsel as needed, and shall notify the patron, in writing, as to the result of the appeal within [#] business days.
If there is concern that IMMINENT HARM may be caused by patron use of technology, staff shall immediately alert XXXX, who shall determine if law enforcement must be called, or if there are any additional immediate action take, per governing procedures.
I am sorry to not have a more graceful solution, but I cannot advise that staff simply withdraw services and not return to the patron. I have designed the above generic policy to provide a “uh-oh” moment for the patron, when they can remove themselves from a situation, and the supervisor can choose to not pursue the matter further. This is a delicate dance on the tightropes of confidentiality and operational integrity.
Further, I have added the final clause in bold so the person in charge at the time is reminded to use the “buddy system” when it comes to making tough calls about safety, inferring criminal intent, and assessing imminent harm. These are decisions that, whenever possible, should not be made in isolation.
This balancing, giving a situation time to breath, and due process, are the best way to shield library staff while honoring library principles. I hope you don’t have to use it too often! But with more and more people relying on libraries for service beyond the traditional quest for information, I suspect more institutions will be addressing this issue.
 NY Penal Law 170.00
 Of course, a prosecutor can pursue criminal charges if they believe they can prove such awareness…and they can try and prove it by using knowledge of the content. And for certain documents, merely altering them is a crime. So erring on the side of caution is wise.
 At the heart of this question is staff who don’t want to be implicated in wrongdoing, but honor their professional ethics, including the obligations to:
· Provide the highest level of service to all library users, and accurate, unbiased responses to all requests for assistance;
· Distinguish between personal convictions and professional duties;
· Strive for excellence via use of professional skills;
· Protect each patron’s right to privacy and confidentiality;
 This is advised by the ALA at http://www.ala.org/advocacy/intfreedom/guidelinesforaccesspolicies, and of course is required for municipal institutions.
 As part of this training, staff should be alerted to the library’s policies about any signs of activity posing a risk of imminent harm (which may be a result of illegal activity).
 This coordination is critical. Please don’t use any model language without considering your full suite of bylaws, manuals, policies, and procedures already in place.