Our library offers a variety of business services such as copying, scanning, emailing, and faxing, and we also have staff on hand to assist patrons with these services. We often have patrons request assistance with scanning and emailing or faxing sensitive documents including checks (with banking/routing numbers), driver’s licenses, Social Security cards, or other financial/legal documents.
I am wondering:
a) What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer? How do we protect our patrons from scams/fraud while also respecting their privacy?
b) How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?
This question tugged at my heart, because lawyers face issues like this, too.
Maintaining confidentiality while addressing concerns that a person is being victimized creates terrible tension. The need to maintain a trusting relationship, governed by professional ethics, makes the tension all the more acute.
It is those professional ethics, however, that will carry the day.
What is the basis of a librarian's obligation of confidentiality? Confidentiality of library records is, of course, protected by state law, but it starts in item "III" in the ALA Code of Ethics:
III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.
But this issue also related to item "I" from that Code:
I. We provide the highest level of service to all library users through appropriate and usefully organized resources; equitable service policies; equitable access; and accurate, unbiased, and courteous responses to all requests. [emphasis added]
So, here we are: iron-clad confidentiality, coupled with "unbiased" responses to all service requests. From within those ethical boundaries, the member has asked:
There are information management professionals far more qualified than I to discuss the professional nuances of these questions. But from the legal perspective, and to address the legal questions about obligations, protection, and liability, here are my answers.
What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer?
There is no legal duty to inform a patron of this suspicion. Further, I see nothing in the ALA Codes of Ethics that makes it an ethical duty of the profession.
How do we protect our patrons from scams/fraud while also respecting their privacy?
We have reviewed that there is no legal or ethical obligation to "protect" a patron in these circumstances, and there can even be concerns related to trust, confidentiality, and perceived bias that mean a librarian should keep their suspicions to themselves.
However, neither the requirement to be confidential, nor the obligation to provide services without bias, stop a librarian from doing what they do best: sharing information. And nothing stops a library from pre-assembling a compilation of available resources the library can use to empower a patron to assess if they are being scammed.
Here is a scenario showing how such a "compilation" could be used:
PATRON: I need to print an email.
LIBRARIAN: Sure, the computer in over here. Let me know if you need instructions on how to print.
PATRON: Can you also help me find the email? It has instructions to wire money. It's from my grandson, Michael. Normally I would ask his mother to help me but this is a real emergency and I can't tell her what's happening, it would just kill her.
LIBRARIAN: I am happy to help; there, it's printing. [pauses] You know, this request reminds me of something I read/heard about. Do you want to know about it?
LIBRARIAN [searches for "bail the grandchild" scam]: Here it is. [Retrieves list of information.] And here is a resource about who to call when there is a concern about the type of thing on this website. [Hands patron list of resources]
Here is a template for this type of "list of resources":
"Trust but Verify"
A guide to checking the legitimacy of
requests and correspondence.
Compiled by the [insert name of library].
Have you been told you suddenly owe money?
□ YES □ NO
Has there been a request for account or personal information from a new or unusual source?
□ YES □ NO
Has someone told you a family member is in danger?
□ YES □ NO
Is someone pressuring you to make a quick decision about money?
□ YES □ NO
Does something about outreach to you just not feel right? Or does it seem "too good to be true"?
□ YES □ NO
These days, scammers can pretend to be from the IRS, Social Security, or even your religious organization or family.
There are resources to help you let the good guys in, while keeping the bad guys out. Here in [library location by county or municipality], the following resources can help you make the right call:
Free for anyone 55 or older, there is also:
Your banker, lawyer, or accountant will also be able to help you confirm the source of requests for wire transfers and other financial transactions.
...Or you can ask a librarian to help you find a resource suited to a particular document or situation. We can't tell you what's legit, but we can help you find the people who can.
Don't feel bad asking, even data security specialists have to "Trust, but Verify" these days!
A simple offer of information, and a plain-language resource like this can be a handy way to raise concerns without having to tell someone "You're being scammed."
At the end of the day, not all patrons will be receptive to this offer of information, and not all patrons will believe they are being scammed--even if their story matches a scam-scenario.
But no matter what the patron's reaction, by taking this approach, the librarian will have done the only thing the librarian is ethically obligated to do in this type of situation: provided unbiased services, and granted access to information, while maintaining the confidentiality of same.
How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?
If the librarian suspects that the scenario could be an illicit scam, but doesn't know this is phishing, social engineering, or another type of activity that can lead to fraud, there is no responsibility for what happens next (unless the library has adopted an internal policy stating otherwise, in which case there could be some employer-imposed consequences).
On the other hand, if the librarian somehow knows that the scenario is an illicit scam, and actively helps with the commission of what they know to be a crime, then yes, there could be liability. But once such a scam is known, not merely suspected, this becomes a whole other question.
A few more comments
Another aspect I want to address is if the librarian is concerned not that the person is being duped, but that they don't have the mental capacity to comprehend and/or remember they are being duped.
People with Alzheimer's and other conditions impacting cognitive ability may rely heavily on an established routine of visiting their local library. Further, people with that impairment still may be able to function independently for most aspects of their day. However, a librarian detecting a possible scam could be on the front line of a legitimate concern that they don't have the function to assess the situation.
There are too many permutations of this situation for me to give general guidance, except to say: if there is a concern that a person can be vulnerable to harm due to a medical condition or disability, but their condition is not so extreme that there is clearly a justification to call medical services, call an expert.
If the person is over 55, the Center for Elder Law and Justice is a great resource; they address these types of issues every day, and their hot line is there to help assess a situation and identify possible next steps. If the person is not over 55, a good resource could be the local Social Services agency.
When it comes to this issue, my overall advice is to remember that as a resource to the community, library employees are there to provide access to information and resources, not to protect people from harm. The good news is, by providing that access in a manner consistent with library ethics, library employees can help patrons protect themselves from harm. And that is how a library can help stop a person from being scammed.
Speaking from experience, I can say that not every person will take information when it is offered. There are times when the only comfort that can be taken from a situation is to know that you tried your best. But by focusing on the ethics, and the provision of information, a librarian can help a person identify a scam, and avoid legal entanglements.
I wish you strength on this one. Your patrons are very fortunate.
 And if there are any accountants, athletic trainers, or mental health counsellors who (for some reason) read an "Ask the Lawyer" column for libraries, museums, and historical societies, I bet it sounds familiar to them, as well.
 CPLR 4509
 Which is replicated in the New York Library Association Code of Ethics.
 Don't worry, we'll also address what you can do if the patron says "No, just help me scan my driver's license," and what to do if you are concerned the person doesn't have the capacity to make an informed decision.
 It is interesting to contemplate if there could be a policy for the use of information transmission equipment (phones, faxes, scanners, email, etc.) that included a provision that "Library employees who suspect a patron is falling prey to or contributing to a criminal enterprise must immediately report their concerns to the director for appropriate action under the relevant policy;" linked with a provision in a Code of Conduct "Patrons using library resources.”
 I struggled to come up with a scenario where the librarian knows the scam is on, but here goes: A librarian is a personal friend of Jeff Bezos. A patron comes in and says Jeff Bezos wants to give $50,000.00 to the patron and 5,000 other lucky people; they just need to wire Jeff $5,000. While helping to print the wire instructions, the librarian calls their friend Jeff Bezos to ask: "Hey, Jeff, are you giving fifty thousand dollars each to five thousand people?" at which point Jeff Bezos laughs and says, "No way, but can you believe some people are actually wiring me money? Now I can repaint my third yacht. Best scam ever. Hey, want to go fishing?" Now the librarian knows it's a scam; if they help in any way after that, they are arguably complicit.