What recourse may a library board take, if a former director removes all library files from a library owned computer that relate to the running of the public library?
Every employer struggles with this issue: give employees enough access to electronic information to do their jobs, but protect that information from accidental disclosure, file corruption, and theft.
Solid practices like routine security updates, back-ups, password re-sets, and employee training can help a library avoid the worst IT disasters. But what if someone in a position of trust simply abuses their access? What if a scenario like the member's question should arise?
There is a process to address this type of scenario. In order to ease an adrenalized mind, it is presented below in grid form.
Upon suspicion that files have been removed or inappropriately removed by a former library employee, follow these steps to assess what recourse a board might have:
Why you do this
1. Upon suspicion that files have been removed, if possible, do not take further steps alone.
Create an "Initial Response Team" of at least two people to do the next four steps, and designate one of them as the note-taker and document-keeper.
If your library's computer system is supplied or supported by a cooperative library system, one of these people should be from the system.
Organize a timeline and take photos or screenshots of information showing the potential problem.
The facts you assemble and first steps you take may have far-reaching consequences for your library's response and recovery, as well as for the potential wrongdoer.
At this stage, however, you'll just be documenting what appears to be missing. No deep-dive investigation. It should only take an hour or two.
Initial Response Team formed and responsibilities of team members made clear.
Note-taker assembling information.
2. Without letting it take more than an hour (or two) and without making any changes to your system, assess and create an informal list of what appears to be missing (file types, specific types of information, locations), when this was noticed, and what the first signs of the concern were. This will be your "Initial Inventory."
You need to have a foundation for your next steps, so you're creating a quick description of the possible situation.
An Initial Inventory you will use in the next few steps.
Note: The "Initial Inventory" is not an attempt to assess what happened, just to list what might be missing, and a few initial details.
3. Look over the Initial Inventory. Could any of the missing files contain personal/private information, such as: name, address, date of birth, SSN, library card number, credit card information, contact information, banking information, health-related information, computer use, passwords, or circulation records?
If the answer is "yes," add the phrase "…possibly includes loss or compromise of private information and/or library patron records" to the Initial Inventory.
This part of the Initial Inventory will help those assessing the issue quickly appreciate the possible privacy and confidentiality implications of the situation.
4. Contact the library's insurance carrier, and alert them that you may have had a loss of data related to "unauthorized computer access that may involve a former employee."
If your Initial Inventory includes a "yes" to Step #3, also state: "The situation may involve personal and confidential information."
If your initial contact is by phone, confirm the notice via a letter or e-mail.
Depending on your library's insurance type, you may be covered for this type of event.
Notifying your carrier and following up in writing will help the library determine if the carrier will provide coverage and/or assistance for the event.
Timely notice to the library's insurance carrier, enabling your carrier to let you know if you have coverage and if they can provide assistance in recovering from the event.
NOTE: If the event is covered, some or all of the remaining steps could be impacted by the participation of the carrier.
5. With the Initial Inventory complete and the carrier on notice, the board (or director, if the board has delegated the right amount of authority to them) must decide who is in charge of next steps: the full board, a board committee, the Director and a team, or any combination of people needed to assess the matter.
This "Response Team" should have the power to appoint a qualified professional to assess the situation, to retain legal assistance if warranted, and to recommend a final course of action to the board.
In no event should a report to the board (or Executive Committee) extend the timeline for arranging a response beyond 3 business days.
Unauthorized computer access involving a former director (or any employee) is serious enough to warrant board involvement, whether or not personal and confidential information is involved.
This is especially true since, in a worst-case scenario, the library may have to report a data breach, expend resources to re-create or retrieve the information, work with an insurance carrier to recover from the loss, consider if any aspects of the former employee's contract or severance apply (if there was either/or) and based on what is discovered, consider whether or not to file a report with law enforcement.
Clarity as to who is in charge, what level of authority they are working with, and who they will bring on to assist with the investigation and recovery.
6. Alert the library's lawyer by sending them a copy of the Initial Inventory, and connect them to the Response Team, so they can assist as needed.
It will be the lawyer's responsibility to work with the Response Team and others to ensure the library is positioned to seek relief from the carrier or the former employee, to assess any relevant contracts (for instance, if the files were deleted from a cloud server), and to advise the board about filing a report with law enforcement, or pursuing civil remedies.
Attorney-client privileged input to help assess response options in the best interests of the library.
7. The Response Team should retain a qualified IT/data security professional to assess and develop an "Incident Report" with a Final Inventory of what is confirmed as missing, a conclusion as to how it went missing, and if/how it can be recovered.
This should be done within 3 days of discovery and before there are any changes to the system. Ideally, this work should only be performed after the library and the IT professional sign a written contract that is reviewed by the lawyer.
A contract with a qualified firm;
A certificate of insurance from the professional firm;
A written Incident Report from the firm.
8. Based on the value, sensitivity, and type of information in the Final Inventory, work with the IT professional and lawyer to assess any legal steps the library must take to recover or to give required notifications of data breach.
Depending on what went missing, the library could have concerns under any number of laws.
The final recommendation should be a memo to the board, regarding any necessary steps (or confirming none are needed).
9. Based on the complete Incident Report's assessment of what is missing, how it went missing, and if/how it can be recovered, and any relevant details about the employee, develop a course of action.
For more on this aspect, see the rest of this RAQ.
What happens as part of number "9," is the actual answer to the member's question. But until a library follows steps "1" through "8," it can't fully know its options under "9."
And what can happen as part of "9"? The range of consequences for unauthorized computer access and/or data destruction is vast, running from criminal penalties to civil remedies. And if considered with solutions for how a library can recover from the loss, there are further possibilities.
If I were on the board where a former director removed all the library files from a library-owned computer that relate to the running of the public library, at the end of the day, here's what I'd want to get out of "The Files Are Gone" process:
By demanding solid, well-documented, and qualified answers to these questions (What happened? How does it impact the library? What can we do?), a board member is being a good fiduciary, and positioning the library to identify the best recourse.
Now let's say that, in the grand scheme of things, the "missing files" appear to be pretty minor (and do not involve private information). Let's say that, for whatever reason, the outgoing employee deleted all the library's "standard operating procedures." Not the policies--those are on the library's website and backed up in numerous places--but all the details about (as the question says) "running the library:" How to organize the courier manifest. The templates for the volunteer letters and community meeting notices. The budget template and calendar for strategic planning. Their own emails on their library account. Nothing private, no circulation or credit card information, but a body of work that represents hundreds of compensated hours…lost.
This may seem like the kind of loss that isn’t dire enough to warrant the steps I have outlined above, but it absolutely is. First, only a professional can say when data is truly "lost" (especially emails). And even if, at the end of the day, there is a board decision not to pursue any consequences (privately, civilly or criminally), such (in)action must be based on good information--not just the result of a decision not to investigate in the first place.
The budget for such response, if planned carefully, can be very modest (under $1500). Reaching out to a library's system and regional council to find the professional you need might help the library get those services at a reasonable price (and again, depending on the system-library service agreement, much more).
Why am I adamant about this follow-through, even for a "small" incident? Because sometimes a "small" incident is only the tip of a much larger iceberg. Unauthorized data destruction by a former employee could be a serious breach of their duty, the law--and even their oath of office. But it might not be. The right response, and the fair response, can only be formulated through careful documentation and analysis.
This is what positions the board to know what recourse it can take, when presented with such a serious situation.
Thank you for trusting "Ask the Lawyer" with this sensitive question.
 If you are reading this while working on this type of issue, take a deep breath. You've got this.
 There are too many types of IT supply/support arrangements out there for me to be more precise than this. Some systems are essentially the IT department for their member libraries. Others are not. This aspect will be governed by the System's member contract…but generally, a good place to start is on the phone!
 In keeping with the question, this chart addresses what to do if the person involved is a former employee. If the person is a current employee, the Response Team should include someone qualified to assess an appropriate response that ensures 1) due process for the employee; 2) security for the investigation; and 3) stability for ongoing operations of the library.
 Is this a low-ball figure? Could it be much bigger? Yes. But if it gets much bigger, that should be because it's actually a big problem that needs to be solved.
ResearchGate is often a place individuals will go to snag PDFs which are typically provided by authors, not publishers. It refers to itself as a community and network for researchers to share and discuss their research with others from around the globe. ResearchGate explicitly states that they are not liable for any copyright infringement, and that the responsibility rests with the individual; it is entirely up to the individual to either post the PDF to be downloaded freely, or to send the PDF to individuals upon request.
I have multiple questions surrounding the use of ResearchGate. Number one, should libraries be directing individuals to ResearchGate to ask authors for copies of their articles? Number two, should our document delivery service be providing copies of PDFs from ResearchGate to our library patrons? I am personally very hesitant to refer anyone to ResearchGate as I find most faculty researchers are not aware of who truly holds the copyright to their published articles. Thank you!
I first heard about “ResearchGate” at a copyright training I was conducting for librarians.
There I was, holding forth about Section 108 and Fair Use, when out of the blue, an academic librarian asked me: “What do you think of Researchgate?”
This question triggered my number one rule for lawyering: never assume you know an answer; always do your research. So even though my brain figured that “Researchgate” was a new scandal involving falsification of data, I instead replied: “I have to admit, I am not familiar with that.”
Good thing I followed rule number one!
But first, here’s what I have learned:
Notably, as the member points out, ResearchGate’s “Terms” for submitters reinforces the rights of authors:
As a member, when you post full-text articles or supplementary materials on ResearchGate, you do not transfer or assign copyright to us. Rather, you make the content available to the public through ResearchGate.
…and encourages users to respect the rights of others:
If you choose to privately archive or publicly post content, we encourage you to first confirm your rights before doing so. … As we do not have any information about rights you may hold, or any license terms or other restrictions which might apply to such content, we necessarily rely on you to understand your rights and act accordingly.
ResearchGate’s relationship with users is also governed by clauses on “Liability” and “Indemnification”—with ResearchGate attempting to pass all liability for a copyright infringement onto the users who supply content.
And finally, as also shown in their policies, ResearchGate also takes advantage of the “notice and takedown” provisions under the Digital Millennium Copyright Act to assure itself “safe harbor,” in the event a user posts infringing content.
What I found at ResearchGate.com was what looks like a thorough attempt to dot all the “i”s and cross all the “t”s to respect intellectual property. They probably have a very good lawyer.
But as I said, “always do your research,” so in addition to visiting their site, I also visited PACER to see if ResearchGate is being sued by anyone for copyright infringement. And boy, are they ever.
ResearchGate GmbH (its corporate name in Germany, where it appears to be based) is being sued by Elsevier, Inc., Elsevier Ltd., Elsevier B.V. and the American Chemical Society (“ACS”). The basis for the suit, as set forth in paragraph “three” of the plaintiffs’ complaint, is ResearchGate’s use of “Published Journal Articles” (which the suit calls “PJA”s):
This lawsuit focuses on ResearchGate’s intentional misconduct vis-à-vis its online file-sharing / download service, where the dissemination of unauthorized copies of PJAs constitutes an enormous infringement of the copyrights owned by ACS, Elsevier and other journal publishers. The lawsuit is not about researchers and scientists collaborating; asking and answering questions; promoting themselves, their projects, or their findings; or sharing research findings, raw data, or pre-prints of articles.
And, just in case that doesn’t sound too bad, here’s the next paragraph:
ResearchGate’s infringing activity is no accident. Infringing copies of PJAs are a cornerstone to ResearchGate’s growth strategy. ResearchGate deliberately utilizes the infringing copies to grow the traffic to its website, its base of registered users, its digital content, and its revenues and investment from venture capital. ResearchGate knows that the PJAs at issue cannot be lawfully uploaded to and downloaded from the RG Website. Nevertheless, in violation of the rights of ACS, Elsevier, and others, ResearchGate uploads infringing copies of PJAs and encourages and induces others to do so. ResearchGate finds copies of the PJAs on the Internet and uploads them to computer servers it owns or controls. In addition, ResearchGate lures others into uploading copies of the PJAs, including by directly asking them to do so, encouraging use of a “request full-text” feature, and misleadingly promoting the concept of “selfarchiving.”[sic] ResearchGate is well aware that, as a result, it has turned the RG Website into a focal point for massive copyright infringement.
Yikes, that sounds dire, right? And very akin to the member’s concerns.
So, with all that established, I’ll share my thoughts, and address the member’s questions.
Number one, should libraries be directing individuals to ResearchGate to ask authors for copies of their articles? Number two, should our document delivery service be providing copies of PDFs from ResearchGate to our library patrons?
Questions like this may be informed by law (and risk management), but must always start with ethics.
The ALA Statement of Ethics has very clear language regarding intellectual property: We respect intellectual property rights and advocate balance between the interests of information users and rights holders.
When it comes to a source like ResearchGate—ostensibly trying to operate within the bounds of the law, but alleged to have a seamier side—the ALA’s further musings on this statement on copyright are also instructive:
Library workers are increasingly critical resources for copyright information in their communities. Consequently, they should be informed about copyright developments and maintain current awareness of all copyright issues. Library workers should develop a solid understanding of the law, its purpose, and the details relevant to library activities. This includes the ability to read, understand, and analyze various copyright scenarios, including fair use and other copyright limitations, using both good judgment and risk mitigation practices.
Library workers should use these skills to identify their rights and the rights of their users. Further, they should be ready to perform outreach surrounding copyright topics and refer users with questions pertaining to copyright to reliable resources. However, library workers should avoid providing legal advice. They may provide information about the law and copyright, but should recommend that patrons consult an attorney for legal advice. [emphasis added]
I can’t answer the member’s questions for any particular library. But based on the ALA Statement of Ethics, its further comments on copyright, and risk management principles drawn from the law, I can suggest a methodology for a library to apply when asking them.
First, if a librarian, using their own observations, and applying ALA ethics, believes a source to be dubious, it is clear that they are ethically obligated to “us[e] both good judgment and risk mitigation practices” about matters “relevant to library activities,” and to work with decision-makers at their institution to develop a clear position on that source.
This is neither a simple nor an easy exercise. Further (and frustratingly, for some) it may vary from institution to institution. Some libraries dance on the cutting edge of copyright. Others err on the side of caution. The decision to do either should be based on an informed assessment that considers the library’s mission, insurance, tolerance of risk, and its comfort level with the status quo.
The member is already applying personal experience and modeling this balancing. Remember the last part of the question: I am personally very hesitant to refer anyone to ResearchGate, as I find most faculty researchers are not aware of who truly holds the copyright to their published articles.
To that type of informed concern, there are two considerations I would add for libraries making this type of determination:
1) Under Section 108 of the Copyright Act, a library’s exemption from infringement can turn on their lack of awareness of a scheme to make exploitive commercial copies. Your library’s insurance may also deny coverage if a library is knowingly referring users to an infringer. So, if your institution is aware that a source is an infringer (which is different from suspecting a source is an infringer), that is a factor to balance.
2) On the flip side, libraries should not be willing (and generally have not been willing) to roll over to support the unchecked dominance of traditional commercial publishers. Without pushback, rates will continue to go up, while terms will get more onerous. But there is a difference between thoughtful pushback (like the current, organized fight against the Macmillan Embargo), and systematic copyright infringement (like Napster).
Questions like this one show that librarians are thinking about the difference.
Thanks for a great question. It will be interesting to see if the case against ResearchGate goes the distance, and to see libraries decide where they stand.
 When this question first put the name in my brain, the “g” was lowercase.
 For over ten years, I was in-house counsel at a university, and had a reason to read “The Chronicle of Higher Education,” every week. Every year the Chronicle reported on one research-based scandal after another; it’s a miracle I didn’t hear the term “ResearchGate” before this!
 Am. Chem. Soc'y v. ResearchGate GmbH, 2019 U.S. Dist. LEXIS 98372, 2019 WL 2450976.
 Yes, this is one monster paragraph within the lawsuit.
What, if any, are the ramifications if a school district public library board of trustee member refuses to sign the code of ethics and/or the conflict of interest/whistleblower policy?
I am sure there is a very interesting set of facts, personal convictions, and conversations behind the stark facts presented in this question (there always is). But we’ll address just the stark facts.
Because a library’s Code of Ethics, Conflict of Interest Policy, and Whistleblower Policy are rooted in different areas of the law, a refusal to sign these documents creates an array of ramifications. We’ll explore each type in turn.
But first, it’s important to establish certain base factors.
In New York, most libraries (unless they are part of a larger institution like a college or museum) are not-for-profit corporations chartered by the New York Education Department’s Board of Regents. This means that, just like other not-for-profit corporations registered with the New York Department of State, libraries are subject to the Not-for-Profit Corporations Law (the “NFPCL”). This includes school district public libraries.
Without getting too technical, this means that all libraries in New York are governed in accordance with not only their charters and bylaws, but the applicable parts of the Education Law and the NFPCL, too.
This governance structure impacts questions related to conflicts of interest, whistleblowing, and codes of ethics. With the basic features established, let’s look at the different types of policy in the member question.
Conflict of Interest Policy
Here is what the law says about a refusal to participate in the “Conflict of Interest” policy, as governed by the NFPCL:
The conflict of interest policy shall require that prior to the initial election of any director, and annually thereafter, such director shall complete, sign and submit to the secretary of the corporation or a designated compliance officer a written statement identifying, to the best of the director’s knowledge, any entity of which such director is an officer, director, trustee, member, owner (either as a sole proprietor or a partner), or employee and with which the corporation has a relationship, and any transaction in which the corporation is a participant and in which the director might have a conflicting interest.
So, to give a stark answer to the member’s question, per the law, no person should actually be elected to serve as a trustee until the nominee’s Conflict of Interest statement (the “COI”) is completed and submitted. In other words, if the COI is not turned in, that person should never initially be elected as a trustee (we’ll pick that back up in a few paragraphs when we discuss the election criteria for school district public library trustees).
A requirement to “sign” the Whistleblower Policy is a slightly different matter. Unlike the law related to conflicts of interest, the law requiring any not-for-profit with over 20 employees (or revenue in excess of one million dollars) to have a Whistleblower Policy does not come with a requirement for trustees to sign any document.
Of course, a refusal to abide by the Whistleblower Policy (for instance, a trustee failing to keep a report confidential), could result in a violation of the law, and the library’s bylaws, as well.
Code of Ethics
Public school boards must have Codes of Ethics, but libraries—even school district public libraries—do not. There is no requirement in the NFPCL, nor the Education Law, nor any applicable regulations, that a public library have such a code.
That said, to clearly express and enforce a library’s values, a Code of Ethics is often built into a library’s bylaws or adopted as a stand-alone policy of a library’s board. The bylaws, or policy itself, could also require that it be signed. Once it is a requirement of the bylaws or policy, it does not have the force of law, but it can be enforced by the board.
Refusal to Sign
Which brings us to: whether it is a requirement of law or policy, a board member’s refusal to sign must be addressed under the library’s charter, bylaws, and the NFPCL.
Under NFPCL §706, a board is empowered to remove a board member per the procedures in its bylaws. Therefore, if a board determines that failure to sign the Code of Ethics or Whistleblower Policy is unacceptable, or that a failure to sign a Code of Ethics makes the library non-compliant with the law, then that board member can be removed, provided the remaining trustees are careful to follow the bylaws’ procedures for doing so.
This can be a divisive issue, since I imagine someone could present a debatable reason for not signing a Code or other policy, but since a Code of Ethics or mission statement is something every board member must support as part of their service to the library, the root cause of the refusal might be just as serious as the refusal, and in any event, must be resolved. And that is, except for one wrinkle, the lay of the land.
School District Public Library
At school district public libraries, board members are elected per the requirements of Education Law §260.
§260, and by reference, §2018 of the Education Law, include very precise conditions for the nomination and election of a school district public library board member—none of which is a pre-vote signature on a COI, or a signed acceptance of a Whistleblower Policy or Code of Ethics.
Of course, per Public Officers Law §10, all school district public library trustees must take and file an oath of office “before he shall be entitled to enter upon the discharge of any of his official duties.” This means, somewhere in the “pre-term” area after the election but before the newly elected trustee starts working, there is a zone where they can, based on a refusal to take the oath of office, not be qualified to start the term.
The consequences of a refusal to sign a COI are a little less well-defined, but it is clear that if a board tolerates a refusal, the organization is not in compliance with the NFPCL. The refusal to sign a Whistleblower Policy is not controlled by law, but the failure to actually follow it is. And the failure of a board member to sign a Code of Ethics is a matter to be decided by the rest of the governing board.
What Happens Next?
The refusal to sign and participate in critical board policy cannot simply be ignored. It has to be addressed, and the rest of the board has to follow the rules as they address it.
Barring any obvious provision in the bylaws or wording in a particular policy, what does the board use as a playbook for dealing with this type of challenge? Upon confirming the factors leading to the refusal, a board’s executive committee, consulting with the library’s lawyer and working from copies of the charter and bylaws, must consider the facts and could then develop a solution. The solution could be a revision of a policy to address a particular concern, or, in the case of an incomplete COI, removal of the member. In no event should this be done without the input of an attorney, since the stakes are high, and feelings may be strong.
Thank you for an important question.
 In their quest to impose order on the universe, lawyers often use capitalization to express when a “thing” is a “Thing.” For purposes of this answer, the various policies the member references are each Things, and so while certain style guides may disapprove, the capitals are there to stay!
 The way corporations are created in New York is a type of legal conjuring. For more information on this particular type of conjuring, check out the New York State Education Department’s Division of Library Development Guide at http://www.nysl.nysed.gov/libdev/charter/index.html, and Education Law §255.
 This application of the NFPCL is set forth in NY Education Law §216-a, which is a fun read on a rainy day.
 Intricate arrangements like this are why people like me have jobs!
 In the law, “director,” “board member” or “trustee member” all refer to elected members of the board of trustees.
 This is from NFPCL §715-a (c). This language, or something substantially similar, should be in every library’s Conflict of Interest Policy.
 NFPCL §715-b.
 §806 Section 1(a) of NY’s General Municipal Law.
 Boards of museums and other cultural agencies chartered by the Regents are required to have a code of ethics; see 8 NYCRR § 3.30.
 I cannot imagine a good reason for not signing a COI, unless the policy was badly worded, there is confusion about the policy, or the director really does believe they should be allowed to vote for their wife’s company to install the new library floor.
 It’s 2019. We really need to work on the pronouns in our legislation.
 As but one example of this, see 2001 Op Comm Ed No. 14,710.
 Or the trusteeship committee, or the board, working as a committee of the whole…whatever group will ensure thorough assessment and the preparation for, if needed, a removal vote.