December 2017 Legal Report

Judicial Decisions

FITNESS FOR DUTY. A nuclear power plant did not discriminate against a security guard when it fired him for failing a fitness for duty examination because he was not able to perform essential functions of his job, a U.S. court of appeals ruled.

Pennsylvania Power and Light (PPL) Susquehanna operates a nuclear power plant and is required to comply with regulations issued by the Nuclear Regulatory Commission (NRC).

One of those regulations is to implement a fitness for duty program to ensure that "individuals are not under the influence of any substance, legal or illegal, or mentally or physically impaired from any cause, which in any way adversely affects their ability to safely and competently perform their duties," according to court documents. "If an employee's fitness is 'questionable,' the employer 'shall take immediate action to prevent the individual from' continuing to perform his duties."

Another regulation PPL must comply with is maintaining an access authorization program to monitor employees who have access to sensitive areas of the plant. Before employees can be granted unrestricted access, they must undergo a psychological assessment to evaluate the "possible adverse impact of any noted psychological characteristics" of their "trustworthiness and reliability," court documents said.

After employees are granted unrestricted access, they are subject to constant monitoring as part of a behavioral observation program PPL must have to identify aberrant behaviors. If employees are reported for suspicious behavior, PPL must reassess them and terminate them if their "trustworthiness or reliability is questionable."

Daryle McNelis was hired as a PPL nuclear security officer in 2009. This role gave him unrestricted access to the plant and made him responsible for protecting its vital areas and preventing "radical sabotage." He was authorized to carry a firearm.

In April 2012, however, McNelis began experiencing personal and mental health problems. He became paranoid about surveillance, believing household items were listening devices, and telling his wife he would kill the people following him. McNelis also had problems with alcohol and coworkers began to suspect he was using recreational drugs—something he had previously admitted to, court documents said.

While this was going on, McNelis's wife moved out of their home with their children. At the same time, local police received an anonymous call warning that McNelis might attempt to come to his children's school to retrieve them, and that he might be under the influence and possibly armed. The call caused the school to go into lockdown.

After the incident, McNelis went to a psychiatric facility for treatment where an evaluation noted he suffered from "paranoid thoughts, sleeplessness, and questionable auditory hallucinations," court documents said. He spent three days there, and was later discharged with instructions to discontinue or reduce his use of alcohol.

A coworker of McNelis who was aware of the situation became concerned and reported him to a supervisor. McNelis's unrestricted access was placed on hold, pending a medical clearance. He then met with a third-party psychologist, underwent testing as required by PPL policies and NRC regulations, and was found not fit for duty "pending receipt and review of a report from the facility where he receives an alcohol assessment and possibly treatment," according to court documents.

PPL then revoked McNelis's unescorted access authorization and fired him. McNelis filed an internal appeal, which was denied, and then filed suit against PPL, alleging discrimination under the Americans with Disabilities Act (ADA) for alcoholism, mental illness, and illegal drug use.

His case reached the U.S. Court of Appeals for the Third Circuit, which ruled in PPL's favor because McNelis could not perform the essential functions of his job—maintaining an unescorted security clearance—and was not protected under the ADA.

"Although we are the first court of appeals to address the interplay between the ADA and these NRC regulations, our opinion is supported by a broad consensus among district courts that nuclear power plant employees who have lost security clearance or have been deemed not fit for duty are not qualified employees under the ADA," the court wrote. (McNelis v. Pennsylvania Power & Light Company, U.S. Court of Appeals for the Third Circuit, No. 16-3883, 2017)

Regulations

United States

EQUIPMENT. U.S. President Donald Trump issued an executive order to restore a controversial program that allows local police departments to obtain military weapons and supplies.

The program, the U.S. Department of Defense's 1033 program, takes military-grade equipment that's already been purchased and repurposes it for the use of local law enforcement. The program allowed police, sheriff, and tribal law enforcement departments to apply for equipment, including rifles, armored vehicles, and body armor, that could be used by their officers.

Former U.S. President Barack Obama curbed the use of the program in 2015 after criticism about police militarization and response to protests following the shooting of Michael Brown by a police officer in Ferguson, Missouri. Obama issued an executive order to prohibit the 1033 program from being used to transfer grenade launchers, high-caliber rifles, and armored vehicles to local law enforcement.

Trump's executive order revokes Obama's actions in full and restores the program to its original status. U.S. Attorney General Jeff Sessions said in a speech to the National Fraternal Order of Police that he supported Trump's actions.

"The executive order the president will sign today will ensure that you can get the lifesaving gear that you need to do your job and send a strong message that we will not allow criminal activity, violence, and lawlessness to become the new normal," Sessions said on the day the order was signed. "And we will save taxpayer money in the meantime."

SOFTWARE. The Acting U.S. Secretary of Homeland Security Elaine Duke issued a binding operational directive to the U.S. government to discontinue use of Kaspersky Lab products.

The directive called on departments and agencies to identify any Kaspersky products on their information systems within 30 days, craft plans to remove and discontinue using those products within 60 days, and implement those plans—unless directed otherwise—to discontinue using and remove those products from their systems.

"This action is based on the information security risks presented by the use of Kaspersky products on federal information systems," the U.S. Department of Homeland Security (DHS) said in a statement. "Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems."

DHS said it was especially concerned about ties between Kaspersky executives and Russian intelligence and government agencies. The department also expressed concern, in the statement, about Russian intelligence agencies' ability to request or compel assistance from Kaspersky to intercept communications transiting Russian networks.

"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," DHS said.

This is only the fourth binding operational directive DHS has issued, and the first issued publicly.

Legislation

United States

EMERGENCY AID. U.S. President Donald Trump signed legislation into law to grant additional aid to victims of Hurricanes Irma and Jose returning to the United States from abroad.

The law (P.L. 115-57) amends the Social Security Act to increase the amount for temporary assistance from $1 million to $25 million. That assistance includes money payments, temporary lodging, transportation, and other goods and services necessary for the health and welfare of U.S. citizens and their dependents returning from a foreign country without available resources.

U.S. Representative Dave Reichert (R-WA) sponsored the legislation, which was passed by both chambers of Congress and signed into law in a three-day period.

"Hurricane season has left countless Americans stranded and in need of medical care or other assistance," Reichert said in a statement. "This includes American individuals and families living outside our borders who are struggling to rebuild after the destruction of Hurricane Irma and are preparing for the potential impact of Hurricane Jose."

CALIFORNIA. California legislators failed to pass legislation that would have restored broadband privacy rules once issued by the Obama administration and discontinued under the Trump administration.

The California Broadband Privacy Act (A.B. 375) mirrored the Federal Communications Commission (FCC) broadband privacy rule and would have prohibited Internet service providers from reselling or using consumer data without consumer consent. The bill would also have prohibited providers from charging consumers more for service if they chose not to provide private information.

Assemblyman Ed Chau introduced the measure, which was shelved in the state's Senate chamber following opposition from tech firms, including Google.

Elsewhere in the Courts

Software. Lenovo agreed to implement a comprehensive software security program for its laptops for the next 20 years to settle charges by the Federal Trade Commission (FTC) and 32 U.S. state attorneys general. They alleged that, to deliver advertising, Lenovo preloaded software on laptops that compromised security protections without notifying consumers. Under the settlement, Lenovo is prohibited from misrepresenting any software features on its laptops, is subject to third-party audits, and must get consumers' affirmative consent before preinstalling a similar type of software. (In the Matter of Lenovo, FTC, No. 152 3134, 2017).

Monitoring. A company violated an employee's right to privacy when it fired him after monitoring and accessing his electronic communications, the European Court of Human Rights ruled. The court found that the employer violated the former employee's rights because it did not give him prior notice that his communications might be monitored—or the degree to which they could be monitored—while at work. The court also found that Romanian authorities, to whom the employee appealed, "failed to strike a fair balance between the interests at stake," according to a press release. (Barbulescu v. Romania, European Court of Human Rights Grand Chamber, No. 61496/08, 2017).

Data Breach. Yahoo! must face litigation brought on behalf of more than 1 billion users who claim their personal information was compromised in three data breaches between 2013 and 2016. In her ruling, U.S. District Judge Lucy Koh wrote that the plaintiffs had standing to sue under breach of contract and unfair competition claims. "All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information," Koh wrote. (In Re: Yahoo Inc. Customer Data Security Breach Litigation, U.S. District Court for the Northern District of California, No. 16-md-02752, 2017).