Inadequate security can make you liable when a crime harms someone on your property. Here's how negligent-security claims work and how to reduce your exposure.
Negligent security is a form of premises liability: if inadequate security foreseeably lets a third party commit a crime that injures someone on your property, the victim can sue you — the owner or occupier — even though you did not commit the crime. Like any negligence claim, it turns on four elements: duty, breach, causation, and damages. Foreseeability is not a separate fifth element; it is the connective concept that runs through the analysis — it helps decide whether a duty exists at all and whether your failure was a proximate cause. Plaintiff's-bar summaries often "break out" foreseeability for emphasis because it is the most heavily litigated issue, usually shown through prior similar crimes and the property's environment. The strongest defense is documented, reasonable security, which both prevents incidents and becomes your best evidence of reasonable care.
For US business buyers, negligent security is one of the more expensive premises-liability exposures you can carry — because the underlying harm is a violent crime, damages can reach seven and eight figures. In one Georgia case, a jury awarded a shooting victim $42.75 million and assigned zero fault to the shooter (more on that below). Unlike a slip-and-fall, the injury is inflicted by a criminal, but the claim is against you for failing to take reasonable steps to prevent a foreseeable attack. This guide explains how the doctrine works nationally, where your exposure concentrates, how the defenses and the apportionment math actually play out, and the concrete measures that reduce risk while building a paper trail of reasonable care. It is general information, not legal advice; the specific rules vary by state, so confirm your standard with local counsel.
What negligent security means
Negligent security is a subset of premises liability. Standard premises liability deals with a dangerous physical condition — a broken stair, a wet floor. Negligent security deals with harm from a third party's criminal act: an assault, robbery, sexual assault, shooting, or similar attack that occurred because the property owner or occupier failed to implement reasonable security measures. The theory is that an owner is often in a better position than a visitor to know about — and guard against — a known risk of crime on the premises.
The duty is not automatic. As a general rule, the law does not make one person an insurer against the criminal acts of unknown third parties. The duty arises out of the relationship between the property owner and the person on the property (an invited business customer, a tenant, a guest) and out of the owner's knowledge that crime is reasonably foreseeable. That is why the same incident can produce liability at one property and none at another — it depends on what the owner knew or should have known, and what a reasonable owner would have done about it.
A customer was shot during an armed robbery in a CVS parking lot in a high-crime part of Atlanta. Employees had testified that they escorted each other to their cars, that the lot was poorly lit, and that CVS had previously used — then dismissed — security guards over staff objections. The Georgia Supreme Court applied a totality-of-the-circumstances test and held that prior crimes need not be identical to be relevant evidence of foreseeability. The jury awarded $42.75 million, apportioning 95% fault to CVS, 5% to the victim, and 0% to the shooter — and the judgment was affirmed. One case, three lessons: how foreseeability is proven, why the totality test is hard to escape at summary judgment, and how apportionment can land nearly the entire loss on the owner.
The elements a plaintiff must show
Negligent security is ordinary negligence applied to a criminal act, so a plaintiff must prove the same four black-letter elements — duty, breach, causation, and damages. Many plaintiff's-side summaries list "foreseeability" as a separate element for emphasis, but doctrinally (and under the Restatement (Third) of Torts) foreseeability is not a standalone element; it operates inside duty and proximate cause. Here is how the four elements work, with foreseeability shown where it actually lives:
- Duty. That you owed a duty to provide reasonably safe premises to this person, based on your relationship to them and your control of the property. Foreseeability helps decide whether this duty exists at all — a duty to guard against crime generally arises only when crime was reasonably foreseeable.
- Breach. That you failed to take the security measures a reasonable owner would have taken under the circumstances. The factfinder weighs the likelihood and severity of the foreseeable harm against the cost and feasibility of additional security.
- Causation. That your failure was a proximate cause of the harm — i.e., adequate security more likely than not would have prevented or reduced it. Foreseeability reappears here as part of the proximate-cause analysis.
- Damages. That the victim suffered actual injury (medical costs, lost income, pain and suffering, and in extreme cases wrongful-death damages).
Because foreseeability shapes both the first and third elements, plaintiffs and defendants fight over it harder than anything else — which is why the rest of this guide treats it as the center of gravity even though it is not, technically, its own element.
Foreseeability — how prior crimes and the environment establish it
The core question is simple to state: should the owner have reasonably anticipated that a crime like this could happen here? Courts answer it with evidence such as police calls-for-service, crime reports, and the property's own incident and security logs. Prior similar crimes on or immediately near the property are among the strongest proof — a pattern of robberies in a parking lot makes the next robbery more foreseeable.
States are split on how foreseeability must be shown, and the difference materially changes your exposure and your odds of an early dismissal:
| Test | What the plaintiff must show | Example jurisdictions | Effect on early dismissal |
|---|---|---|---|
| Prior similar incidents (stricter) | Earlier, substantially similar crimes on or near the property that put a reasonable owner on notice; some states demand prior violent crime before any duty to hire guards arises. | Historically New York and Texas lean toward requiring prior similar/violent crime; several states apply demanding "imminent harm" or notice thresholds. | Easier for owners to win summary judgment — no comparable prior crime can end the case early. |
| Totality of the circumstances (broader) | All relevant factors weighed together — property type and location, high-crime area, lighting, prior incidents (not necessarily identical), hours and manner of operation, and any known volatile situation. | Georgia (post-Carmichael, 2023), Tennessee (balancing), Louisiana (balancing/Posecai), and other "balancing"-approach states. | Harder for owners to win summary judgment — foreseeability usually becomes a jury question. |
The picture is genuinely fragmented: some states have moved toward the totality approach, others apply (or have reverted to) the stricter prior-similar-incidents rule, and a few are split internally across appellate districts. Two cautions cut in the owner's favor: evidence that a property merely sits in a high-crime area, standing alone, is usually not enough to create a duty against every conceivable crime; and courts often discount prior non-violent crimes when the incident at issue was violent. The practical lesson: assume your own crime history and neighborhood data are discoverable, and manage the property as if a jury will see them.
Which properties carry the most exposure
Exposure concentrates where a foreseeability driver — cash on hand, isolation, late hours, transient access, or alcohol — meets a steady flow of people. The highest-frequency negligent-security venues:
- Apartments and multifamily housing — landlords owe tenants reasonably safe common areas; a classic defendant. See our apartment and multifamily security guide. (Driver: controlled-access failures, isolation.)
- Retail, convenience, and late-night stores — cash registers plus late hours; see our retail loss-prevention overview. (Driver: cash, late hours.)
- Gas stations and ATMs — cash, 24-hour access, and a lone attendant or customer make these recurring robbery-and-assault venues. (Driver: cash, isolation, late hours.)
- Parking lots and structures — isolated, poorly lit, and hard to observe; see our parking lot and structure security guide. (Driver: isolation, poor sightlines.)
- Bars, nightclubs, and entertainment venues — alcohol, crowds, and conflict; see our bar and nightclub security guide and event security resource. (Driver: alcohol, crowds.)
- Student and off-campus housing — dense, transient, party-adjacent populations with predictable break-and-enter and assault patterns. (Driver: transient access, late hours.)
- Self-storage facilities — sprawling, low-staff, after-hours access sites where trespass, theft, and assault recur. (Driver: isolation, unattended access.)
- 24-hour gyms and fitness centers — unstaffed overnight blocks with keycard-only entry create a foreseeable lone-occupant risk. (Driver: late hours, no staff on site.)
- Shopping-center common areas — lots, walkways, and food courts controlled by the landlord rather than individual tenants, where duty and foreseeability often attach to the property manager. (Driver: transient crowds, shared control.)
- Hotels and hospitality — duty runs to guests in rooms, corridors, and lots; see our hotel and hospitality security guide. (Driver: transient access, 24-hour operation.)
- Hospitals and healthcare — a recognized workplace-violence hazard with its own regulatory overlay, covered in our healthcare security guide. (Driver: volatile visitors/patients, 24-hour operation.)
Employers should note a parallel regulatory duty. There is no dedicated federal OSHA workplace-violence standard, but OSHA cites employers under the General Duty Clause, Section 5(a)(1) of the OSH Act, for failing to protect workers from recognized, foreseeable violence hazards where a feasible means of abatement exists. In February 2026 the Tenth Circuit reaffirmed that authority in two companion decisions — Cedar Springs Hospital v. OSHRC and UHS of Delaware v. OSHRC (10th Cir., decided Feb. 13, 2026) — arising from patient-on-staff violence at a Colorado psychiatric hospital. Notably, the court held that CMS/Medicare oversight of patient safety does not displace OSHA's authority to protect employees, and upheld abatement measures such as reconfigured nurses' stations, panic devices, adequate staffing, and specialized security personnel. A negligent-security failure can therefore generate both a civil suit and an OSHA citation from the same incident.
The apportionment trap — why naming the criminal often does not help you
Buyers assume that because the actual attacker is the "real" wrongdoer, a jury will assign most of the fault to them and shrink the owner's share. In practice, the opposite frequently happens. Most states use comparative fault, and the jury fills out a verdict form apportioning percentages among the parties. But the criminal is usually unidentified, judgment-proof, or absent — and juries routinely load fault onto the solvent defendant who is actually in the courtroom.
Carmichael is the cautionary example: the jury put 95% of the fault on CVS and 0% on the shooter, and the Georgia Supreme Court let it stand, reasoning (on that record) that the jury could treat the criminal as an intentional — not negligent — actor and decline to apportion negligence to them. The takeaway for exposure planning: do not assume the criminal's presence on the verdict form will meaningfully reduce your payout. Depending on your state's comparative-fault rules (pure vs. modified, and whether intentional actors are included in apportionment), the owner can end up bearing nearly the entire award even when someone else pulled the trigger.
The defenses an owner can raise
The plaintiff's checklist is only half the ledger. A well-run defense typically argues one or more of the following — and each maps to a documentation or operational step you can take now:
- No duty / visitor status. That no duty to protect this person against this crime existed — often framed around the plaintiff's legal status (invitee, licensee, or trespasser). Many states still calibrate the duty by status: a business invitee is owed the most protection, a licensee (social guest) less, and a trespasser generally the least (bare no-willful-harm duty). Establishing who the plaintiff was, and why they were there, can narrow or eliminate the duty.
- Lack of foreseeability. That no prior similar crime or totality of factors put you on notice — the core battleground, often won or lost on the CAP Index score and crime history.
- Superseding / intervening cause and "targeted" attacks. That the criminal act was so unforeseeable, or so specifically targeted at the victim (e.g., a personal dispute, a planned hit), that it broke the causal chain — the attack would have happened regardless of any security. Courts have reversed large verdicts on this ground when the data showed the specific crime was not foreseeable.
- Failure of causation. That better security would not have prevented this attack — a determined or armed assailant would have succeeded anyway.
- Open and obvious / assumption of risk. That the danger was apparent and the plaintiff proceeded anyway (availability varies sharply by state).
- Documented reasonable care. The affirmative story: that your risk-based security program met the standard a reasonable owner would apply. This is the defense you build in advance, with the records described below.
What "adequate security" looks like (and how it doubles as evidence of reasonable care)
"Adequate" is measured against the foreseeable risk — the higher the risk, the more that reasonable care demands. There is no universal checklist, but reasonable programs typically layer these elements, most of which track the well-established Crime Prevention Through Environmental Design (CPTED) principles of natural surveillance, natural access control, and territorial reinforcement:
- A written security assessment matched to your crime data and property type, updated periodically.
- Lighting with uniform illumination across entrances, walkways, and parking — the cheapest, highest-yield deterrent.
- Access control — fewer entry points, functioning locks, gates, key-card or fob systems, and controlled after-hours access.
- Video surveillance that is monitored, maintained, and retained long enough to be useful.
- Trained, licensed personnel where the risk warrants them — security guards, mobile patrols for larger or multi-building sites, armed officers where the threat profile justifies it (weigh the tradeoffs in our armed vs. unarmed guide), and dedicated event security for gatherings.
- Documented policies and records — incident logs, post orders, guard tours, maintenance tickets, and training records.
Here is the point buyers miss: the same measures that prevent an attack are your best evidence of reasonable care if one still occurs. A defensible file — a dated assessment, lighting and camera maintenance records, guard-tour logs, and a documented response to prior incidents — lets you argue you did what a reasonable owner would do. Conversely, broken cameras, burned-out lights, ignored complaints, and unlicensed guards become the plaintiff's exhibits. Verify that any guard firm you engage is properly licensed for your state before you rely on it (our license-verification guide and state license lookup show how).
How "reasonable" is measured — security experts and industry standards
Negligent-security cases are usually decided on dueling security-expert testimony. Each side hires an expert to opine on whether your conduct met the standard of care, and they measure it against recognized, published benchmarks rather than the expert's personal opinion. Know the names, because they define "reasonable":
- ASIS International — the leading professional body for security management; its voluntary consensus standards and guidelines (and the Certified Protection Professional, or CPP, credential) are the most-cited general benchmark. Note that ASIS itself frames these as voluntary guidance with no regulatory force, which is often central to the "reasonable care is facility-specific" argument on both sides.
- IAHSS (International Association for Healthcare Security & Safety) — the healthcare-specific counterpart; its Healthcare Security Industry Guidelines (13th ed.) and the CHPA credential are the go-to standard in hospital and clinic cases, and dovetail with the OSHA General Duty Clause exposure discussed above.
- CAP Index / CRIMECAST — the crime-forecasting score both plaintiffs' and defense experts use to establish or rebut foreseeability at your specific address. It is the practical data source in modern cases — more than the raw police calls-for-service the doctrine talks about.
- CPTED — the environmental-design framework cited above, frequently invoked by experts assessing lighting, sightlines, and access control.
Because these standards are risk-based and facility-specific, the expert fight usually comes down to whether your documented security matched your measured risk. That is one more reason the paper trail — assessment, CAP score, and the decisions you made in response — is your central defense asset.
The other direction of risk — liability for your own guard's conduct
Guards reduce risk, but hiring them also creates new exposure. As principal, you can be sued when a guard uses excessive force, wrongfully detains a patron (false imprisonment), or assaults someone — under vicarious liability for acts within the scope of employment, and under negligent hiring, training, retention, or supervision for putting the wrong person in the role or failing to control them. Ironically, this is often the very assault-and-battery scenario that insurance policies exclude (see below), so the owner can face a claim with no coverage. Manage it by hiring firms with rigorous vetting, use-of-force and detention policies, and documented training, and by confirming how their insurance responds to a guard's own misconduct. Our armed vs. unarmed guide covers the use-of-force tradeoffs; escalating to armed officers raises this exposure and should match the threat profile.
How to reduce your negligent-security exposure
Turn the elements into an operating program:
- Baseline your foreseeability. Document current crime data — including your CAP Index score — and known risks so your security level is demonstrably proportionate.
- Fix the cheap, high-impact basics first — lighting, locks, and landscaping (the "three L's") before spending on staffing.
- Respond to notice. The moment you learn of a crime, threat, or volatile situation, act and record what you did. Ignored notice is where cases are won and lost.
- Right-size staffing. Use guards and patrols where foreseeability is high; budget realistically using our security cost calculator and cost breakdowns for 24/7 coverage and armed officers.
- Vet and document your vendor. Hire a licensed, insured firm and keep the paperwork — our guides on hiring a guard company and what security costs cover the diligence.
- Preserve evidence on notice. Have a litigation-hold and footage-retention protocol ready before you need it.
- Keep the file. Assessments, logs, maintenance, and training records are both risk reduction and litigation defense.
Where security vendors, contracts, and insurance fit in
Hiring a guard firm reduces risk but does not, by itself, transfer your liability — as the property owner you generally retain a non-delegable duty to your invitees and tenants. Manage the gap through contract and insurance:
- Contractual indemnification. A direct promise by the vendor to defend and indemnify you, separate from and independent of insurance. Draft it broadly so it reaches claims involving your own alleged negligence where state law permits.
- Additional insured status. Get named as an additional insured on the vendor's policy, ideally on a primary and non-contributory basis. Watch for narrow "vicarious liability only" wording that may fail to cover your own direct negligence — some states, Florida among them, read additional-insured coverage narrowly unless the contract and policy clearly say otherwise, so how a claim is pleaded can decide whether coverage responds.
- The assault-and-battery exclusion trap. This is the sharpest hidden risk. Many commercial general liability policies contain an A&B exclusion that bars coverage for injury "arising out of" an assault or battery — and courts often apply it even when the claim is pleaded as negligent security or negligent hiring, because the underlying harm is still an assault. In Scaglione v. Acceptance Indemnity Insurance Co. (8th Cir., Aug. 1, 2023), an innocent bystander was struck by a stray bullet during a fight at a St. Louis bar, won a $2.5 million award on a negligent-security/failure-to-provide-adequate-security theory, and coverage was still barred — the court read "arising out of" broadly and held the exclusion was not limited to assaults by the insured's own employees or to the intended target. Confirm both your own CGL and the vendor's policy either lack a broad A&B exclusion or carry adequate sublimits and carve-backs; a low A&B sublimit can leave you fully exposed on a large claim, exactly when you need coverage most.
Our guide to security guard contracts and insurance walks through the clauses to demand. When you are ready to source a qualified provider, you can request competitive quotes or browse vetted security companies in your area — and have coverage counsel review the vendor's actual policy forms and your contract language before you sign.
One clock to watch — the statute of limitations
Negligent-security claims are personal-injury claims, so they run on your state's personal-injury statute of limitations — commonly two years (though a handful of states allow more, and some are shorter). That deadline matters to owners in two ways: after it lapses, a claim is time-barred; but until it lapses (and often longer for wrongful-death or minors' claims), you should preserve every relevant record from an incident. When in doubt, keep the file and the footage.
This article is general information about a doctrine that varies by state and is not legal advice. Case outcomes, comparative-fault rules, and limitations periods differ by jurisdiction. Consult a licensed attorney and a qualified insurance advisor about your specific property and jurisdiction.
Frequently asked questions
Is foreseeability really the fifth element of a negligent security claim?+
If a criminal attacked my customer, won't the jury blame the criminal instead of me?+
Will my commercial general liability policy cover a negligent security lawsuit?+
What data and standards do experts use to decide if my security was 'reasonable'?+
What should I do immediately after a security incident on my property?+
Share this guide
Sources
- Georgia CVS Pharmacy, LLC v. Carmichael, 316 Ga. 718 (2023) — FindLaw
- Georgia Supreme Court Issues an Important Decision on Negligent Security Claims — Freeman Mathis & Gary
- Cedar Springs Hospital, Inc. v. OSHRC (10th Cir. 2026) — FindLaw
- 10th Circuit Backs OSHA on Hospital Workplace Violence Citation — Safety Law Matters
- OSHA Authority to Cite Healthcare Employers for Workplace Violence Is Upheld — Healthcare Law Insights
- Scaglione v. Acceptance Indemnity Ins. Co., No. 22-2496 (8th Cir. 2023) — Justia
- Eighth Circuit Finds Assault & Battery Exclusion Bars CGL Coverage for Bar Patron's Gunshot Injury — Carlton Fields / JDSupra
- Security Lawsuits: The Best Defense is a Good Offense — CAP Index
- CRIMECAST Site Details — CAP Index
- Standards & Guidelines — ASIS International
- Healthcare Security Industry Guidelines, 13th Edition — IAHSS



