How Protective Intelligence and Forensic Rigor Prevent Disruption from Escalating into Liability.
Contributed by Jim Brigham, LCG VP of Risk Management, Former Operations Chief, State of Vermont, Office of Safety & Security
Series context. Part 1 of After Utah examined elevated vantage risks and digital disruptions at public events. Part 2 broadens the perspective: violence prevention requires not only situational security but also structured behavioral threat assessment (BTA) and defensible forensic practices that can hold up in court. [1]
From “Profiles” to Pathways
The modern approach to threat management shifts away from static “profiles” and emphasizes behavioral pathways. The U.S. Secret Service’s National Threat Assessment Center (NTAC) has shown that grievances often lead to ideation, “leakage” of threats, fixation, and identification with previous attackers. Recognizing these behaviors enables intervention without criminalizing lawful protest. [2][3]
In Utah, the lesson was clear: early reporting channels and multidisciplinary triage teams could have separated protected speech from genuine threats. Without such a structure, risk escalates until law enforcement has no choice but to react under pressure.
LCG perspective. Protective intelligence is not prediction; it is disciplined management. Documenting observable behaviors and interventions provides defensibility in both public safety decisions and later discovery. [4]
The Evidence Dimension: Why Process Matters
When incidents occur, evidentiary defensibility is the second half of risk management. Courts apply standards such as FRE 901 (authentication) and FRE 702 (expert testimony) when reviewing digital evidence. [5][6]
- Everyday IT exports (SharePoint, mailbox downloads, mobile device managers) often omit hashes and alter metadata. These shortcuts fracture the chain of custody. [7]
- Courts scrutinize tool validation. NIST’s Computer Forensics Tool Testing (CFTT) program evaluates forensic utilities, such as EnCase and Magnet. Generic IT tools rarely meet Daubert’s reliability test. [8]
- Documentation is non-negotiable. Case notes must survive Daubert review, meaning they should clearly record who collected what, when, how, and with what verification. [6][9]
LCG perspective. Security without defensibility is fragile. An incident managed safely but documented poorly still exposes organizations to sanctions, adverse inference, or reputational harm.
Playbook for Part 2
- Build and train a Threat Assessment & Management Team. Include security, HR, legal, law enforcement, and behavioral health. [2]
- Create secure intake channels. Collect and triage tips, direct messages, and flyers systematically before and during events. [3][5]
- Validate your tools. Use NIST-tested forensic platforms with hash verification and logging, not ad-hoc admin utilities. [7][8]
- Drill and document. Run short, repeatable scenarios, and record decisions and outcomes in language suitable for court review. [6]
- Audit for resiliency. Periodically test whether your threat management and evidence workflows would survive discovery and FRE scrutiny. [9]
Framework and Pitfalls
A layered framework integrates BTA with forensic defensibility:
- Threat identification. Track grievances, online chatter, and fixation patterns. [2]
- Mitigation and intervention. Combine security responses with supportive referrals where appropriate. [3]
- Crisis response. Ensure drills distinguish between disruption and imminent risk.
- Forensic preservation. Apply ISO/IEC 27037’s four pillars—identification, collection, acquisition, and preservation. Avoid shortcuts that undermine admissibility. [7]
The pitfall is overconfidence: IT staff assuming preservation equals forensics, or security staff assuming observation equals evidence. Both errors collapse under Daubert scrutiny.
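The evidence points above (hash omission by everyday exports, hash verification at every handoff, and the ISO/IEC 27037 acquisition and preservation pillars) come down to one mechanical habit: hash at acquisition, re-hash at every transfer, and record who, what, when, how, and whether the values matched. The script below is an added illustration written for this article, not LCG's tooling or any vendor product. The evidence file, the analyst and counsel names, and the "hypothetical-imager" tool name are all constructed; the only real dependencies are the Python standard library. It also shows the failure mode the article warns about: a convenience export that re-saves the file, which the next handoff catches as a hash mismatch.

```python
"""
Constructed example: a minimal hash-verified chain-of-custody log.
Not LCG's tooling; it illustrates why hashing at acquisition and at every
handoff exposes the silent alterations that ad-hoc IT exports introduce.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(log: list, path: str, collector: str, tool: str, method: str) -> dict:
    """Record who collected what, when, how, and the verification hash
    (the 'acquisition' and 'preservation' pillars; the authentication facts FRE 901 asks for)."""
    entry = {
        "event": "acquire",
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "who": collector,
        "when": _now(),
        "tool": tool,
        "method": method,
        "verified": True,
    }
    log.append(entry)
    return entry


def handoff(log: list, path: str, giver: str, receiver: str) -> dict:
    """Re-hash at every transfer and compare with the last recorded value for this item."""
    item = os.path.basename(path)
    previous = [e for e in log if e["item"] == item]
    if not previous:
        raise ValueError(f"{item} was never acquired; cannot hand off")
    expected = previous[-1]["sha256"]
    actual = sha256_file(path)
    entry = {
        "event": "handoff",
        "item": item,
        "sha256": actual,
        "expected_sha256": expected,
        "who": f"{giver} -> {receiver}",
        "when": _now(),
        "verified": actual == expected,
    }
    log.append(entry)
    return entry


def audit(log: list) -> list:
    """Return custody breaks: any event whose hash did not match, or an item handled before acquisition."""
    problems = []
    seen = set()
    for e in log:
        if e["event"] == "acquire":
            seen.add(e["item"])
        elif e["item"] not in seen:
            problems.append(f"{e['item']}: custody event before acquisition")
        if not e["verified"]:
            problems.append(f"{e['item']}: hash mismatch at {e['when']} ({e['who']})")
    return problems


def demo() -> dict:
    """Scenario: clean acquisition and handoff, then an 'IT export' that quietly rewrites the file."""
    log = []
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample evidence: a tip-line message exported as text.
        path = os.path.join(workdir, "tip_0042.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("Anonymous tip received 2025-09-12: see attached flyer.\n")

        acquire(log, path, collector="analyst.a", tool="hypothetical-imager 1.0",
                method="logical copy from write-blocked source")
        clean = handoff(log, path, giver="analyst.a", receiver="counsel.b")

        # Failure mode: a convenience export re-saves the file and normalizes
        # line endings. Nobody intended to alter it, but the bytes changed.
        with open(path, "rb") as fh:
            data = fh.read()
        with open(path, "wb") as fh:
            fh.write(data.replace(b"\n", b"\r\n"))

        broken = handoff(log, path, giver="counsel.b", receiver="expert.c")

    return {"clean_verified": clean["verified"], "broken_verified": broken["verified"],
            "problems": audit(log), "log": log}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["log"], indent=2))
    print("Custody problems:", result["problems"] or "none")
```

The log is deliberately a plain list of dictionaries so it can be exported as JSON and attached to case notes; the point is not the format but that every entry answers the who/what/when/how questions and carries a verifiable hash, and that `audit()` can show a reviewer exactly where continuity broke.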
Quick Checklist
- Build multidisciplinary threat assessment and evidence teams
- Validate tools and hash every handoff
- Document in court-ready language [6]
Final thought
After Utah, prevention must be two-dimensional: managing behavior before it escalates, and preserving defensibility should an incident end up in litigation. BTA structures prevent violence, while validated forensics protect credibility. The risk/reward balance is clear—process discipline now avoids liability later. [9]
References (endnotes)
[1] After Utah: Part 1, Digital Threats and Protective Security, LCG Discovery & Governance (2025). https://lcgdiscovery.com/the-ediscovery-zone/
[2] United States Secret Service, Enhancing School Safety Using a Threat Assessment Model (2018). https://www.secretservice.gov/reports/2018/school-safety-guide
[3] U.S. Secret Service, NTAC, Mass Attacks in Public Spaces (2023). https://www.secretservice.gov/reports/2023/mass-attacks-in-public-spaces
[4] The Sedona Conference, Commentary on Protecting Children from Targeted Violence (2020 Edition). https://thesedonaconference.org
[5] Federal Rules of Evidence 901 (Authentication). https://www.law.cornell.edu/rules/fre/rule_901
[6] Federal Rules of Evidence 702 (Testimony by Expert Witnesses). https://www.law.cornell.edu/rules/fre/rule_702
[7] ISO/IEC 27037, Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence (2012). https://www.iso.org/standard/44381.html
[8] NIST Computer Forensics Tool Testing Program (CFTT), Overview and Reports (2024). https://cftt.nist.gov
[9] Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993). https://supreme.justia.com/cases/federal/us/509/579/
This article is for general information and does not constitute legal advice.