November 2018 Legal Report

Strategic Security
November 2018 Legal Report
 

​Judicial Decisions

HARASSMENT. Employers—in some circumstances—can be held liable for a nonemployee's behavior that exceeds expected norms, a U.S. appellate court ruled.

Kymberli Gardner was a certified nursing assistant at an assisted living facility operated by CLC of Pascagoula from 2012 until she was fired in 2015. Gardner was trained in tactics to handle aggressive patients who were sometimes physically combative or sexually aggressive.

Patient J.S. lived at the facility between 2006 and 2014, and was diagnosed with several physical and mental illnesses, including dementia, traumatic brain injury, personality disorder with aggressive behavior, and Parkinson's Disease. He also had a reputation for groping female employees and becoming physically aggressive when he was reprimanded for his behavior.

This behavior included sexually assaulting female caregivers by grabbing and attempting to grab their private areas, according to court documents.

Gardner became responsible for J.S.'s care and reported that he would grab her while making repeated sexual comments and requests. Gardner and other employees documented the behavior in J.S.'s chart and through complaints to supervisors.

When Gardner attempted to discuss her concerns about J.S.'s behavior, her supervisor—Brandy Gregg—laughed and Administrator Teri Reynolds told Gardner to "put [her] big girl panties on and go back to work," court documents said.

Gardner continued to care for J.S. until one day when she was trying to help him attend a therapy session. While helping J.S. out of bed, he attempted to grope her and touched her left breast. When Gardner tried to move out of the way, J.S. punched her in the side of the breast.

Gardner put J.S. back in bed and then left the room for help. Another nursing assistant came to her aid, during which time J.S. punched Gardner another time. Gardner moved away from J.S., who began to grab the other nursing assistant's private area.

Gardner then sought help from the nurse on duty, who helped the other two female staffers get J.S. into a wheelchair. Gardner then attempted to make J.S.'s bed, but he punched her a third time.

There are disputes about whether, during the altercation, Gardner attempted to hit J.S. back. However, all parties agreed that Gardner spoke to her supervisors after the incident and told them she refused to care for J.S. in the future due his continued harassment. She asked to be reassigned, but her request was denied.

Gardner left work and later went to the emergency room due to injuries she sustained during the incident. She did not return to work for three months and was paid workers' compensation during that time.

After she returned, Gardner was fired for insubordination, violating J.S.'s resident rights by swearing in front of him, and attacking the patient.

J.S. was not punished for the incident with Gardner. But—after another incident with a resident later that same day—he was sent for a psychiatric evaluation and moved to an all-male lockdown unit.

Gardner filed suit against CLC alleging it had allowed a hostile work environment based on sex and had engaged in retaliation against her for reporting it. A district court dismissed the case, Gardner appealed, and the U.S. Court of Appeals for the Fifth Circuit ruled in her favor that a jury must decide whether CLC is liable.

"Inappropriate comments and incidental contact are sufficiently common behaviors among patients with reduced cognitive ability that it is not objectively reasonable for a caregiver to expect they will never happen," the appellate court wrote in its opinion. "In contrast, the facility must take steps to try to protect an employee once there is physical contact that progresses from occasional inappropriate touching or minor slapping to persistent sexual harassment or violence with the risk of significant physical harm."

The appellate court said a jury could find such a situation in Gardner's case because a jury could reasonably conclude that a caregiver would not expect a patient to grope her repeatedly and injure her while the administration dismissed complaints about the patient.

"CLC did not undertake measures to try to remedy the harassment," the appellate court explained. "This violated its duty to take reasonable steps to protect its employees once it knows that they are subject to abusive behavior. That obligation to at least try to protect employees exists even in the most challenging environments for controlling behavior, such as prisons." (Gardner v. CLC of Pascagoula, U.S. Court of Appeals for the Fifth Circuit, No. 17-60072, 2018)​

Regulations

CYBERSECURITY. U.S. President Donald Trump reversed an Obama administration executive order, changing how the United States can use cyberweapons against adversaries.

Trump signed an executive order that reversed Presidential Policy Directive 20, which created an interagency process that the U.S. government needed to complete before using a cyberattack. The exact details of this process were classified but were leaked by former National Security Agency contractor Edward Snowden in 2013.

The changes the Trump administration is adopting are also classified, with U.S. officials only confirming that the previous process was rescinded.​

Legislation

CYBERSECURITY. U.S. President Trump signed legislation into law to create new requirements for agencies addressing cybersecurity risks.

Under the NIST Small Business Cybersecurity Act (P.L. 115-236), the National Institute of Standards and Technology (NIST) will be required to consider small businesses when it creates and supports the development of voluntary, industry-led guidelines and procedures to reduce cyber risk to critical infrastructure.

As part of this process, NIST must publish on its website—and disseminate—resources that small business can voluntarily use to identify, assess, manage, and reduce cybersecurity risks. These resources must be consistent with national cybersecurity awareness and education programs, technology neutral, based on international standards, and able to vary with the size and nature of the business adopting them.

"As businesses rely more and more on the Internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said U.S. Senator Brian Schatz (D-HI), who introduced the original bill. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

 

INDENTIFICATION. U.S. President Trump signed into law legislation that prevents the U.S. Coast Guard from implementing previous identification requirements.

Under the law (P.L. 115-230), the military branch will not implement previously required Transportation Worker Identification Credential (TWIC)-Reader Requirements for the time being.

TWIC cards are tamper-resistant and contain integrated circuit chips with the holder's biometric information.

They are used by personnel who require extra clearance to perform their jobs, such as truckers, contractors, maintenance personnel, and others who need unescorted access at ports and to vessels regulated by the Maritime Transportation Security Act.

The law also requires the secretary of homeland security to report to the U.S. House Committee on Homeland Security, the Committee on Transportation and Infrastructure, and the Committee on Commerce, Science, and Transportation about the effectiveness of the TWIC program.

Once the secretary has reported on the effectiveness of the program, the U.S. Department of Homeland Security (DHS) may propose a new rule to implement TWIC readers.

"The bipartisan measure passed through the House yesterday evening will ensure greater transparency from DHS and enable a more responsive and collaborative process in eliminating any future rule," said U.S. Representative John Katko (R-NY), who sponsored the original legislation.

 

VIOLENCE. Domestic violence is now a crime under the U.S. Uniform Code of Military Justice under the annual defense authorization act that U.S. President Trump signed into law.

In the past, instances of domestic violence by military personnel have been prosecuted as assault. By making domestic violence a specific criminal offense, authorities will be better able to record and track individuals who have committed offenses.

The law also requires the U.S. Department of Defense (DOD) to standardize policies for transferring victims away from accused military personnel.

U.S. Representative Jackie Rosen (D-NV) introduced the changes as an amendment that was added to the final law after former U.S. airman Devin Kelley shot 26 people at a church in Sutherland Springs, Texas, in 2017.

Kelley was previously convicted of assaulting his wife and child while serving in the military, but authorities were not notified of his conviction—which would have prevented him from purchasing the guns he used in the mass shooting.

"Congress has a responsibility to keep guns out of the hands of people who shouldn't have them and take meaningful action to prevent the senseless gun violence that has claimed so many innocent lives," Rosen said in a statement.

Also included in the act are changes to how the United States handles cyberattacks. For instance, the act authorizes parts of the DOD to respond to cyberattacks by China, Iran, North Korea, and Russia with a proportional response to disrupt, defeat, and deter future attacks.

The act also directs the DOD to create a plan to researchthe potential regulation of artificial intelligence. A portion of the act creates a National Security Commission on Artificial Intelligence for two years to review the full range of national security issues related to artificial intelligence and machine learning.​

Elsewhere in the Courts

 Ransomware. Former Microsoft employee Raymond Odigie Uadiale, 41, was sentenced to 18 months in prison for conspiring to commit money laundering in connection with spreading ransomware. Uadiale pleaded guilty to the charge, admitting that he helped "cash out" payments of victims whose computers were infected with ransomware.

     "By cashing out and then laundering victim payments, Raymond Uadiale played an essential role in an international criminal operation that victimized unsuspecting Americans by infecting their computers with malicious ransomware," said U.S. Assistant Attorney General Brian A. Benczkowski in a statement. (U.S. v. Uadiale, U.S. District Court for the District of Washington, No. 2:18-mj-00149; 2018).

Discrimination. The City of Jacksonville, Florida, will pay $4.9 million to settle an employment discrimination lawsuit brought by the U.S. Department of Justice (DOJ). Jacksonville's Fire and Rescue Department allegedly violated Title VII of the U.S. Civil Rights Act of 1964 by failing to promote applicants based on their race. Under the settlement, Jacksonville will develop new promotional examinations for the selection of certain positions within the department and offer settlement promotions to qualified African Americans. (U.S. v. City of Jacksonville, Smith v. City of Jacksonville, EEOC v. Jacksonville; U.S. District Court for the Middle District of Florida Jacksonville Division, No. 3:12-cv-00451-TJC-MCR, 2018)

Retaliation. Murphy Oil USA, Inc., will pay a former store manager $100,000 to settle a disability discrimination and retaliation lawsuit brought by the U.S. Equal Employment Opportunity Commission (EEOC). The EEOC charged that Murphy violated work restrictions placed by the manager's physician, who was treating him for a back impairment. The EEOC also claimed that Murphy fired the manager in retaliation for complaining to management about failing to accommodate his medical restrictions—a violation of the Americans with Disabilities Act. (EEOC v. Murphy Oil USA, Inc., U.S. District Court for the Western District of Texas, Del Rio Division, No. 2:16-CV-00048-AM-CW, 2018).