Skip to content

Legal Report January 2009


PREMISES LIABILITY. A property management company is not liable for the death of a man who was shot and killed in a mall parking lot. Because there had been no prior similar crimes at the property, the murder was not foreseeable and the company had no duty to protect the man from harm, according to the Texas Supreme Court.

In February 2002, an off-duty police officer was working as a security guard at Quarry Market, a mall in San Antonio, Texas. At 11:00 p.m., the officer was patrolling the 53-acre property in an unmarked car when he noticed two individuals wearing black clothes and black hats standing near a bank of payphones outside a movie theater. The officer made eye contact with the two people and then drove on.

Shortly after the officer left, moviegoers began exiting the theater. Luis Gutierrez and his wife Karol Ferman were among the crowd. They were walking towards their car when Ferman heard gunshots. She turned to see a person dressed in black with a black ski mask pointing a gun towards her and Gutierrez. The gunman fired again and hit Gutierrez in the shoulder. Gutierrez and Ferman ran. Ferman fell and crawled under a car to hide. Gutierrez was shot four more times—once in the shoulder, twice in the back, and once in the back of the head. The assailants fled on foot.

The officer was nearby when shots were fired and was on the scene shortly after the incident. He secured the crime scene and called police. Gutierrez was taken to a nearby hospital, where he died.

Security guards in another part of the mall saw two people matching the descriptions of the assailants run through part of the mall, get into a green Jeep, and drive away. Security officers chased the men but gave up when the occupants of the Jeep shot at the officers. The killers were never apprehended.

Maria Gutierrez, mother of the victim, and Ferman filed a lawsuit against Trammell Crow, the mall’s property manager. Ferman alleged that Trammell Crow negligently failed to provide adequate security at the mall. A jury returned a verdict in favor of Gutierrez, awarding the plaintiffs more than $5 million in damages. Trammell Crow appealed the decision.

The Court of Appeals for the Fourth District of Texas upheld the court’s decision, finding in favor of Gutierrez. The defendants once again appealed the decision.

Arguing the case before the Texas Supreme Court, attorneys for Trammell Crow contended that the company could not be held liable for the death of Gutierrez because the assault was not foreseeable. As evidence, the company submitted crime reports for the two years prior to the shooting. In that time period, 227 crimes were reported at the mall. Of those, only 10 were classified as violent crimes, a category that includes aggravated assault, manslaughter, rape, and murder.

To determine whether the murder was foreseeable, the court first considered the frequency of crime at the mall and found that the rate of violent crime was low compared to the violent crime rate in the city at large. This, ruled the court, meant that the company was not on notice that it faced an excessive amount of violent crime on its property.

Next, the court studied the similarity of past crimes at the mall. While prior crimes do not have to be identical to the one in question to establish foreseeability, they must be sufficiently similar to place the company on notice that there is a specific danger, noted the court. The court found that there had been no murders and no incidents where a weapon had been fired.

Based on these factors, the court ruled in favor of Trammell Crow, finding that the company did not have a duty to prevent the attack. In the written opinion of the case, the court noted that: “Nothing about the previous robberies committed at the Quarry Market put Trammell Crow on notice that a patron would be murdered as part of a robbery on its premises.” (Trammell Crow v. Gutierrez, Texas Supreme Court, No. 07-0091, 2008)

WHISTLEBLOWERS. A bank employee who was fired after complaining about unorthodox accounting practices cannot pursue a claim against his employer for violation of the whistleblower provisions of the Sarbanes-Oxley Act. A federal appeals court ruled that violating standard accounting practices is insufficient to invoke whistleblower protection. The company must violate a specific statute under Sarbanes-Oxley for the employee to be protected.

David Welch began working for Cardinal Bankshares Corporation as a part-time accounting officer in 1999. In 2000, he was promoted to chief financial officer of the company. Welch’s responsibilities included preparing and reviewing ledger accounts, devising and implementing accounting procedures, and preparing reports and financial statements, including those required by the Securities and Exchange Commission (SEC).

Over the next two years, Welch told the court, he came to believe that Cardinal’s accounting practices were deficient. Welch complained that various unqualified Cardinal employees made entries in the bank’s ledgers without Welch’s knowledge. He further alleged that Cardinal reported $195,000 in loans that had been written off as income when they should have been listed in another section of the ledger. According to Welch, this caused Cardinal to overstate its income in its report to the SEC.

Welch complained about these issues repeatedly when they occurred in 2001. However, following the July 30, 2002, enactment of Sarbanes-Oxley, Welch told company executives in writing that he could not certify the company’s financial statements as being accurate because of the continued practice of allowing other bank employees to make ledger entries without his supervision. On August 12 of that year, Welch refused to approve Cardinal’s second quarter earnings report to the SEC as required under Sarbanes-Oxley for the same reason.

On September 13, Welch wrote a letter to company executives insisting that the bank change its accounting practices or he could not certify the pending third quarter report to the SEC. Welch demanded that the company issue a corrected report for the third quarter of 2001 to reflect the $195,000 that he felt had been reported incorrectly.

Cardinal’s CEO, Ronald Leon Moore, called a board meeting on September 17 to discuss Welch and his demands. Moore told the board that several errors had been evident on Welch’s last report and that much of the report, including graphs, charts, and spreadsheets were deemed “unnecessary and time-consuming” by federal and state examiners. Moore requested that an outside auditor investigate Welch’s claims of incorrect reporting and unauthorized ledger entries.

On September 20, Welch held what he called a “Sarbanes-Oxley briefing” for senior executives at Cardinal. Welch told the group that three Cardinal employees were “parties to fraudulent acts” and outlined his belief that the company’s accounting practices violated Sarbanes-Oxley. Then, Welch suggested that he leave the company quietly after receiving a generous severance package.

Following the meeting, Cardinal’s outside counsel and independent auditor asked to meet with Welch. He refused to meet with them unless his personal attorney could be present. On September 25, Cardinal suspended Welch without pay, pending the results of the auditor’s investigation.

The auditor presented the results of the investigation to the board on October 1. The investigation found that Welch’s concerns had no merit and that the company had not violated federal law. However, the investigators also concluded that Welch had breached his fiduciary duty to Cardinal by refusing to meet with them to discuss his concerns. The board unanimously voted to fire Welch.

After his termination, Welch filed a lawsuit with the Department of Labor (DOL) alleging that he was fired in violation of the whistleblower protections set out in Sarbanes-Oxley. The DOL dismissed the complaint finding that, although Welch engaged in protected activity, he was not fired for this reason. Instead, he was fired for refusing to meet with Cardinal representatives. The DOL determined that this was a legitimate reason for the firing. Welch appealed the decision, requesting a hearing before an administrative law judge (ALJ).

The ALJ found that Welch was fired for his whistleblower activities and that Cardinal had violated Sarbanes-Oxley. The ALJ found in favor of Welch and awarded him back pay and attorney’s fees. Cardinal appealed the decision to the DOL’s Administrative Review Board (ARB).

The ARB found in favor of Cardinal. The ARB ruled that none of the issues Welch complained about were illegal under Sarbanes-Oxley, so his activities were not protected. Welch appealed to the U.S. Court of Appeals for the Fourth Circuit.

The appeals court agreed with the ARB ruling. The court found that failure to adhere to accepted accounting procedures does not constitute an illegal act under Sarbanes-Oxley, therefore, whistleblower protections do not apply. While a whistleblower need not quote the letter of the law, noted the court, the employee must demonstrate that the alleged wrongdoing was “definitively and specifically related to one of the laws listed in the [Sarbanes-Oxley] whistleblower provision.” (Welch v. Chao, U.S. Court of Appeals for the Fourth Circuit, No. 07-1684, 2008)


As this issue of Security Management went to press, President-Elect Barack Obama was selecting top advisers who reflected the shifting priorities of his administration. The make-up of Congress was also shifting, with a Democratic majority in both the House of Representatives and the Senate. With this new focus in mind, following is a round-up of some of the issues Congress is likely to take up in the next session including chemical plant safety, data security, food safety, information sharing, and privacy.

CHEMICAL PLANT SAFETY. The Chemical Facility Anti-Terrorism Standards (CFATS), which took effect in 2007, are scheduled to expire at the end of 2009. Extension of the standards has strong bipartisan support and is expected to be taken up by the House Homeland Security Committee early in the session, according to Stephen Amitay, a security industry lobbyist. A bill introduced in the last session would have made the CFATS permanent and extended the regulations to lower-risk facilities such as those that deal with water and waste. During the campaign, Obama praised the legislation and urged that lawmakers include a requirement that facilities adopt inherently safer technology whenever feasible.

DATA SECURITY. Cybersecurity is likely to be on the agenda in the next session because the emerging patchwork of conflicting state laws is creating compliance problems and also because Obama has announced that he will have a national cybersecurity adviser reporting directly to him on data security issues. The result is expected to be laws or regulations focused on the steps companies must take to ensure that their information is protected, according to Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University and a senior policy adviser to the Centre for Information Policy Leadership, a Washington think-tank. “I don’t think we’ll see anything too dramatic,” Cate said at a briefing on data security issues. “But I do think we will see a greater concern for the underlying security of data.”

However, according to Lisa J. Sotto, head of the privacy and information management practice of Hunton and Williams in Washington, D.C., these measures will most likely require that companies adopt reasonable and appropriate security standards. It would be difficult, if not impossible, to mandate specific security technologies that would work across industries, she said.

FOOD SAFETY. The Government Accountability Office (GAO) included food safety on its list of the top 10 most urgent issues facing Congress and the administration in the upcoming session. Specifically, the GAO recommended that Congress require that the National Academy of Sciences or a blue-ribbon panel conduct a detailed analysis of the country’s food safety infrastructure and propose changes for Congress to enact as a part of comprehensive food safety legislation.

PRIVACY. Protections for workers are expected to be on the agenda in a Democratic Congress. Legislation was introduced late in the last Congress that would allow employees to see and challenge FBI information on convictions before that information could be used for employment background screening. This issue, along with other privacy measures, is likely to be revived.

INFORMATION SHARING. Congress is also looking at information sharing between federal agencies and the private sector. According to Amitay, staff members for the House Homeland Security Committee say that Congress is looking for ways to encourage companies to provide more infrastructure protection information with the government, especially in regards to risk management issues.



SEX OFFENDERS. A new law (formerly S.B. 14) approved by the Illinois General Assembly requires that sex offenders provide information about their Internet use when registering with authorities. Under the law, sex offenders must reveal all e-mail addresses, instant messaging identities, chat room identities, and URLs used as well as all blogs or other sites maintained by the offender or to which the offender has uploaded content or posted messages.


BACKGROUND SCREENING. Lawmakers in the Michigan Legislature have passed a law (formerly S.B. 1161) that requires healthcare facilities in the state to collect fingerprints from and conduct background checks on employees who have direct access to patients or residents. The facilities covered include hospitals, nursing homes, hospices, and home healthcare agencies.

Those convicted of a felony or misdemeanor involving violence, cruelty, sexual misconduct, abuse, neglect, or the use of a firearm would be barred from employment until 15 years after meeting all terms and conditions of the conviction including parole. Independent contractors must also comply with the law.

This column should not be construed as legal or legislative advice.