Cybercrime

 

 

https://sm.asisonline.org/Pages/Hacked-Again.aspx
Book Review: Hacked Again
2017-02-01T05:00:00Z
<p>ScottSchober.com Publishing; ScottSchober.com, 202 pages; $34.95</p><p>If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, <em>Hacked Again</em> is a good resource to have in your library.</p><p>Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.</p><p>Another important concept is having systems in place to enable information access both as the data breach is occurring and afterwards. Most companies’ IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.</p><p>The abundance of personal information on social media is another concern of the author’s. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we’re never completely protected from a cyberattack.</p><p>Many cybersecurity books are more advanced, but Schober’s style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.</p><p>--</p><p><em><strong>Reviewer: Kevin Cassidy</strong> is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. 
He is a member of ASIS.</em><br></p>

https://sm.asisonline.org/Pages/Rise-of-the-IoT-Botnets.aspx | 2017-02-01T05:00:00Z | Rise of the IoT Botnets
https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx | 2016-10-21T04:00:00Z | The Top Five Hacks From Mr. Robot—And How You Can Prevent Them
https://sm.asisonline.org/Pages/Spoofing-the-CEO.aspx | 2016-10-01T04:00:00Z | Spoofing the CEO
https://sm.asisonline.org/Pages/Yahoo-Confirms-Hackers-Stole-at-Least-500-Million-Users’-Data-in-2014.aspx | 2016-09-22T04:00:00Z | Yahoo Confirms Hackers Stole at Least 500 Million Users' Data in 2014
https://sm.asisonline.org/Pages/Book-Review---Cyber-Physical-Attacks.aspx | 2016-09-01T04:00:00Z | Book Review: Cyber-Physical Attacks
https://sm.asisonline.org/Pages/Cyber-Trends.aspx | 2016-09-01T04:00:00Z | Cyber Trends
https://sm.asisonline.org/Pages/A-Conversation-with-the-FBI.aspx | 2016-09-01T04:00:00Z | Illuminating Going Dark: A Conversation with the FBI
https://sm.asisonline.org/Pages/Patient-Zero.aspx | 2016-07-01T04:00:00Z | Patient Zero
https://sm.asisonline.org/Pages/Book-Review--Beyond-Cybersecurity.aspx | 2016-06-01T04:00:00Z | Book Review: Beyond Cybersecurity
https://sm.asisonline.org/Pages/LinkedIn-Invalidates-Millions-of-Passwords-in-Response-to-2012-Data-Breach.aspx | 2016-05-25T04:00:00Z | LinkedIn Invalidates users' Passwords in Response to 2012 Data Breach
https://sm.asisonline.org/Pages/Book-Review---The-Rise-of-the-Military-Internet-Complex.aspx | 2016-05-01T04:00:00Z | Book Review: @war: The Rise of the Military-Internet Complex
https://sm.asisonline.org/Pages/Operating-Blind.aspx | 2016-03-01T05:00:00Z | Operating Blind
https://sm.asisonline.org/Pages/High-Stakes-Cyber.aspx | 2016-03-01T05:00:00Z | High Stakes Cyber
https://sm.asisonline.org/Pages/A-Chinese-New-Year.aspx | 2016-01-21T05:00:00Z | A Chinese New Year
https://sm.asisonline.org/Pages/Former-Cardinals-Official-Pleads-Guilty-to-Hacking-Into-Astros’-System.aspx | 2016-01-11T05:00:00Z | Former Cardinals Official Pleads Guilty to Hacking Into Astros’ System
https://sm.asisonline.org/Pages/Held-Hostage.aspx | 2015-12-14T05:00:00Z | How Criminals Made $18 Million By Holding Our Data Hostage
https://sm.asisonline.org/Pages/Decoding-Digital-Evidence.aspx | 2015-10-22T04:00:00Z | Decoding Digital Evidence
https://sm.asisonline.org/Pages/FBI-Investigating-St.-Louis-Cardinals-for-Hacking-Astros.aspx | 2015-06-16T04:00:00Z | FBI Investigating St. Louis Cardinals for Hacking Astros
https://sm.asisonline.org/Pages/Book-Review-Investigating-Internet-Crimes.aspx | 2015-06-01T04:00:00Z | Book Review: Investigating Internet Crimes
https://sm.asisonline.org/Pages/Lawyers-Get-Schooled-on-Cyber-Threats.aspx | 2015-06-01T04:00:00Z | Lawyers Get Schooled on Cyber Threats

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Rise-of-the-IoT-Botnets.aspx
Rise of the IoT Botnets
<p>There are many doomsday cyber scenarios that keep security professionals awake at night. Vint Cerf, one of the fathers of the Internet and current vice president and chief Internet evangelist for Google, speaking at an event in Washington, D.C., in 2015, shared his: waking up to the headline that 1,000 smart refrigerators were used to conduct a distributed denial of service (DDoS) attack to take down a critical piece of U.S. infrastructure.</p><p>Cerf’s nightmare scenario hasn’t happened, yet. But in 2016 thousands of compromised surveillance cameras and DVRs were used in a DDoS attack against domain name server provider Dyn to take down major websites on the East Coast of the United States. It was a massive Internet outage and, for many, a true wake-up call.</p><p>At approximately 7:00 a.m. on October 21, Dyn was hit by a DDoS attack, and it quickly became clear that this attack was different from the DDoS attacks the company had seen before.</p><p>It was targeting all of Dyn’s 18 data centers throughout the world, disrupting tens of millions of Internet Protocol (IP) addresses, and resulting in outages to millions of brand-name Internet services, including Twitter, Amazon, Spotify, and Netflix.</p><p>Two hours later, Dyn’s Network Operations Center (NOC) team mitigated the attack and restored service to its customers.</p><p>“Unfortunately, during that time, Internet users directed to Dyn servers on the East Coast of the United States were unable to reach some of our customers’ sites, including some of the marquee brands of the Internet,” Dyn Chief Strategy Officer Kyle York wrote in a statement for the company.</p><p>A second attack then hit Dyn several hours later. Dyn mitigated the attack in just over an hour, and some customers experienced extended latency delays during that time. 
A third wave of attacks hit Dyn, but it successfully mitigated the attack without affecting customers.</p><p>“Dyn’s operations and security teams initiated our mitigation and customer communications process through our incident management system,” York explained. “We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like this.”</p><p>The attacks caused an estimated lost revenue and sales of up to $110 million, according to a letter by U.S. Representative Bennie G. Thompson (D-MS) sent to former U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson.</p><p>“While DDoS attacks are not uncommon, these attacks were unprecedented not only insofar as they appear to have been executed through malware exploiting tens of thousands of Internet of Things (IoT) devices, but also because they were carried out against a firm that provides services that, by all accounts, are essential to the operation of the Internet,” the letter explained.</p><p>These devices were part of the Mirai botnet, which is made up of at least 500,000 IoT devices, including DVRs and surveillance cameras, that are known to be in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, among other nations.</p><p>The botnet, which was created in 2016, has been used to conduct high-profile, high-impact DDoS attacks, including the attack on security researcher Brian Krebs’ website, Krebs on Security—one of the largest DDoS attacks known to date. </p><p>“Mirai serves as the basis of an ongoing DDoS-for-hire…service, which allows attackers to launch DDoS attacks against the targets of their choice in exchange for monetary compensation, generally in the form of Bitcoin payments,” according to Arbor Networks’s Security Engineering and Response Team (ASERT) threat intelligence report on Mirai. 
“While the original Mirai botnet is still in active use as of this writing, multiple threat actors have been observed customizing and improving the attack capabilities of the original botnet code, and additional Mirai-based DDoS botnets have been observed in the wild.”</p><p>This is because shortly after the Dyn attack, Mirai’s source code was published on the Internet, and “everyone and their dog tried to get their hands on it and run it in some form or another,” says Javvad Malik, a security advocate at AlienVault, a cybersecurity management provider.</p><p>Mirai is “out there and the problem is, there isn’t any easy mitigation against it,” Malik explains. “A camera or a webcam, there’s no real, easy way to patch it or update it, or there’s no non-technical way your average user could patch it. And most users aren’t even aware that their device was part of the attack.”</p><p>There are more than 25 billion connected devices in use worldwide now, and that amount is expected to increase to 50 billion by 2020 as consumer goods companies, auto manufacturers, healthcare providers, and other businesses invest in IoT devices, according to the U.S. Federal Trade Commission.</p><p>But many of the devices already on the market are not designed with security in mind. Many do not allow consumers to change default passwords on the devices or patch them to prevent vulnerabilities.</p><p>The Mirai botnet—and others like it—take advantage of these insecurities in IoT devices. Mirai constantly scans devices for vulnerabilities and then introduces malware to compromise them. Once compromised, those devices scan others and the cycle continues. These devices can then be used by an attacker to launch DDoS attacks, like the one on Dyn.</p><p>Some manufacturers have sought to remedy vulnerabilities in their devices by issuing voluntary recalls when they discover that they’ve been used in a botnet attack. 
But for many other manufacturers, there’s not enough incentive to address the problem and most consumers are unaware of the issue, says Gary Sockrider, principal security technologist at Arbor Networks.</p><p>“Consumers are largely unaware. Their devices may be compromised and taking part in a botnet, and most consumers are completely oblivious to that,” he explains. “They don’t even know how to go about checking to see if they have a problem, nor do they have a lot of motivation unless it’s affecting their Internet connection.”</p><p>DHS and the U.S. National Institute of Standards and Technology (NIST) both recently released guidance on developing IoT devices and systems with security built in. In fact, NIST accelerated the release of its guidance—Special Publication 800-160—in response to the Dyn attack.</p><p>But some experts say more than guidance is needed. Instead, they say that regulations are needed to require IoT devices to allow default passwords to be changed, to be patchable, and to have support from their manufacturers through a designated end-of-life time period.</p><p>“The market can’t fix this,” said Bruce Schneier, fellow of the Berkman Klein Center at Harvard University, in a congressional hearing on the Dyn attack. “The buyer and seller don’t care…so I argue that government needs to get involved. That this is a market failure. And what I need are some good regulations.”</p><p>However, regulations may not solve the problem. If the United States, for instance, issues regulations, they would apply only to future devices that are made and sold in the United States. And regulations can have other impacts, Sockrider cautions.</p><p>“It’s difficult to craft legislation that can foresee potential problems or vulnerabilities,” he explains. “If you make it vague enough, it’s hard to enforce compliance. 
And if you make it too specific, then it may not have the desired effect.”</p><p>Regulations can also drive up cost and hinder development if they are not designed to foster innovation. “Compliance does not equal security, necessarily,” Sockrider says. “Part of compliance may mean doing things to secure your products and services and networks, but there could always be vulnerabilities that aren’t covered…. You’ve got to be careful that you’re covering beyond just compliance and getting to true security as much as possible.” </p><p>So, what steps should organizations take in the meantime to reduce the risk of their devices being compromised and used to launch attacks on innocent parties?</p><p>If a company already has IoT devices, such as security cameras or access control card readers, in its facilities, the first step is segmentation, says Morey Haber, vice president of technology for security vendor BeyondTrust. </p><p>“Get them off your main network,” he adds. “Keep them on a completely isolated network and control access to them; that’s the best recourse.”</p><p>If the organization can’t do that and it’s in a highly regulated environment, such as a financial firm subject to PCI compliance, it should replace the devices and reinstall them on a segmented network, Haber says.</p><p>Organizations should also change all default user accounts and passwords for IoT devices, Sockrider says. “Disable them if possible. If you can’t, then change them. If you can’t change them, then block them.”</p><p>For organizations that are looking to install IoT devices, Haber says they should plan to install them on a segmented network and ask integrators about the security of the devices. </p><p>Sample questions include: Do they maintain a service level agreement for critical vulnerabilities? What is the lifespan of the device? How often will patches be released? </p><p>“And the last thing that becomes even more critical: What is the procedure for updating?” Haber says. 
“Because if you have to physically go to each one and stick an SD card in with a binary to do the upload, that’s unfeasible if you’re buying thousands of cameras to distribute to your retail stores worldwide. There’s no way of doing that.”</p><p>Organizations should also look at their policies around allowing employees to bring in their own devices to the workplace and allowing them to connect to the network. </p><p>For instance, employers should be wary when an employee who brings in a new toaster connects it to the company Wi-Fi without anyone else’s knowledge. “That type of Shadow IT using IoT devices is where the high risk comes from,” Haber explains. </p><p>And organizations should also look to see what they can do to block inside traffic from their network getting out. </p><p>“Think about it in the reverse; normally we’re trying to keep bad stuff out of our network, but in this case, we want to keep the bad stuff from leaving our network,” Sockrider says. “Because in this case, if an IoT device on your network is compromised, it’s not necessarily trying to attack you, it’s trying to attack someone else and you can be a good citizen by blocking that outbound traffic and preventing it from doing so.”</p><p>While companies can take steps to reduce the likelihood that their devices will be compromised by a botnet and used to attack others, attacks—like the Dyn attack—are likely to continue, Malik says.</p><p>“We’ll probably only see more creative ways of these attacks going forward,” he explains. “At the moment, it’s primarily the webcams and DVRs, but you’re probably going to see different attacks that are more tailored towards specific devices and maybe even a change of tactics. Instead of going after Dyn…taking down a smaller competitor.”</p><p>Malik also says he anticipates that cyber criminals will conduct these more creative attacks through purchasing DDoS as a service, a growing industry over the past few years. 
</p><p>“Some providers are just as good, if not better than, professional legitimate services,” Malik says. “It’s very easy; they offer support. You just go there, you click buy, send the Bitcoins, enter your target, and job done. You don’t even need any technical expertise to do this. It’s very, very convenient.”</p>
https://sm.asisonline.org/Pages/SM-Online-March-2017.aspx
SM Online March 2017
<h4>DEFENSE UTILITIES</h4><p>There are nearly 2,000 electric, water, wastewater, and natural gas systems that help the U.S. Department of Defense (DoD) accomplish its mission. When these systems fail, military operations can be disrupted, and national defense can become a bit weaker. In recent years, these systems have failed thousands of times, according to a recent study conducted by the Government Accountability Office, which examined a representative sample of 453 DoD-owned utilities. The report, <em><a href="http://www.gao.gov/products/GAO-17-27" target="_blank">Defense Infrastructure: Actions Needed to Strengthen Utility Resilience Planning</a></em>, identifies factors that contributed to disruptions, such as equipment that was operating beyond its intended life, in poor condition, and not being properly maintained.</p><h4>FINANCIAL CYBER RULES</h4><p>U.S. regulators <a href="https://www.federalregister.gov/documents/2016/10/26/2016-25871/enhanced-cyber-risk-management-standards%E2%80%8B" target="_blank">introduced a notice of proposed rulemaking</a> to address cyber risk management standards in the financial industry. The notice asked for a range of stakeholder feedback to help regulators craft a final rule.</p><h4>PRIVATE PRISONS</h4><p>A U.S. Department of Homeland Security advisory committee <a href="https://www.dhs.gov/sites/default/files/publications/DHS%20HSAC%20PIDF%20Final%20Report.pdf" target="_blank">issued a report</a> finding that federally run facilities used for the civil detention of immigrants during immigration hearings are more beneficial, but less cost effective. 
And nonprofit <a href="http://grassrootsleadership.org/reports/payoff-how-congress-ensures-private-prison-profit-immigrant-detention-quota%20%E2%80%8B" target="_blank">Grassroots Leadership reports</a> on the growth of the private prison industry over the past decade.</p><h4>WHISTLEBLOWERS</h4><p>Former U.S. Director of National Intelligence James Clapper <a href="https://www.dni.gov/files/documents/icotr/Whistleblower.PDF%E2%80%8B">released a new training curriculum</a> on whistleblower rights for all federal employees and contractors with access to classified information.</p><h4>MOBILE WORKFORCE</h4><p>There will be a projected 105 million mobile workers in the United States by 2020, but that mobility poses security concerns, <a href="https://www.shredit.com/getmedia/b054427a-5b13-48ba-87b9-235268053745/Shred-it_Security_Tracker_6-0_Infographic_USA.aspx?ext=.pdf">according to a report from Shred-It</a>. Among the findings: of large businesses surveyed, only 47 percent use a professional destruction service to dispose of their obsolete electronic devices.</p><h4>CORRUPTION</h4><p>The United Kingdom House of Commons is <a href="http://services.parliament.uk/bills/2016-17/criminalfinances.html%20%20%20%20%E2%80%8B">considering legislation</a> that would allow law enforcement agencies to force suspected criminals to prove the source of their wealth.</p><h4>FIREARMS</h4><p>Ohio Governor John Kasich <a href="https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA131-HB-48">signed a bill into law</a> that allows licensed gun owners to carry concealed weapons on college campuses. The law permits the board of trustees at Ohio's public universities to allow concealed-carry on campus and removes a state ban on carrying concealed weapons in public areas of airports and daycare centers.</p>
https://sm.asisonline.org/Pages/Changing-of-the-Guard.aspx
Changing of the Guard
<p>COURTS ARE ADDRESSING whether companies should pay employees for time worked when they are changing in and out of uniforms or gathering equipment. Police and security officers have filed several cases against their employers in federal court seeking compensation for activities they conduct before and after officially clocking into work. Because clear guidelines on these issues have not previously been provided by the courts or the U.S. Department of Labor (DOL), the outcome of the lawsuits is far from clear. One of these cases is set to go to trial and the other was appealed to the U.S. Court of Appeals for the Ninth Circuit.</p><p>Laws<br>The cases were brought under state and federal labor laws. The statutes at issue include the Fair Labor Standards Act (FLSA) and the Portal-to-Portal Act.</p><p>FLSA. The Fair Labor Standards Act (FLSA) was enacted by Congress in 1938. Under the FLSA, an employer must pay an employee for all hours that he or she works. An employer also must pay employees overtime for hours worked in excess of 40 hours in a work week.</p><p>The problem is that the FLSA does not define “work.” Consequently, courts are sometimes left to decide what activities are considered “work,” and thus require compensation. These activities can include donning and doffing uniforms, getting equipment, checking schedules, and loading and unloading weapons.</p><p>FLSA damages include unpaid overtime compensation, damages for willful violations, attorney fees, and court costs. (Willfulness is found when the employer knew, or should have known, that it was engaging in conduct that violated the FLSA.)</p><p>FLSA claims are the second largest segment of labor cases brought to federal court. The largest segment involves pension cases, which are brought under the Employee Retirement Income Security Act (ERISA). 
In the past 10 years, ERISA claims have not increased much—9,167 claims were brought in 2000 and 9,326 in 2010. However, FLSA claims have increased substantially, more than tripling over that time. From March 31, 2009, to March 31, 2010, more than 6,080 FLSA claims were commenced in federal court. For the same period 10 years ago, only 1,961 FLSA claims were brought in federal court.</p><p>Plaintiffs may also file a collective action under the FLSA. This is basically a class action lawsuit brought by a group of employees against their employer. An employee must agree to be included as a plaintiff in a collective action lawsuit under the FLSA. The group of employees must show that it was subject to the same employment policies that violated the FLSA.</p><p>Portal-to-Portal Act. In 1946, the U.S. Supreme Court held that the FLSA requires employers to compensate employees for preliminary work activities. In 1947, Congress responded to the Court’s ruling and passed the Portal-to-Portal Act to narrow FLSA’s coverage by exempting employers from paying for activities that are conducted before or after the principal work activity. Since the Portal-to-Portal Act was passed, however, courts and the DOL have struggled with the definition of “principal activities,” which has led to lawsuits against employers.</p><p>Recent Cases <br>Over the past few years, there have been many cases addressing whether employees should be paid for changing in and out of uniforms and collecting equipment. Two recent lawsuits addressed whether security officers and police officers should be paid for these activities.</p><p>In Haight v. The Wackenhut Corporation (U.S. District Court for the Southern District of New York, 2010), the plaintiff and 75 other security officers sued the Wackenhut Corporation in federal court for violation of the FLSA and New York labor laws. 
The plaintiffs were employed by Wackenhut as security officers at the Indian Point Nuclear Facility in New York.</p><p>The security officers claimed that Wackenhut failed to compensate them for time spent on activities they performed before and after their shifts. The security officers claimed that they were not compensated for a number of activities, including donning and doffing uniforms, preparing weapons, traveling to work sites, and doing paperwork.</p><p>Wackenhut sought to dismiss the security officers’ claims regarding donning and doffing, and so-called “gun-up” and “gun-down” activities. Donning included badging into protected areas, proceeding to locker rooms, and putting on uniforms. Gun-up activities included proceeding to a command post building; checking mail, shift schedules, and notices; obtaining radios and batteries, keys, and post duties binders; and waiting to enter the gun room. Gun-down activities included badging into the command post, putting batteries into chargers, entering the lieutenant’s office to turn in patrol sheets, going to the gun locker to unload weapons, and badging out of secure areas. Doffing included proceeding to locker rooms and taking off protective equipment.</p><p>The district court found that the security officers should not be compensated for time taken to badge into protected areas because ingress and egress security procedures were not integral to the security officers’ principal activities. The court found that the same security procedures applied to visitors and other employees. 
The plaintiffs also were not entitled to compensation for the time taken to walk to locker rooms, as time spent walking or waiting before the principal activity is excluded from compensation.</p><p>The court further said that officers should not be compensated for obtaining radios and batteries, waiting to enter the gun room prior to actually obtaining a gun, and the concomitant task conducted at the end of their shift after the plaintiffs had returned their guns. The court ruled that hardhats, safety glasses, steel-toed boots, gun holsters, and inclement weather gear were generic protective gear and not integral to the job and, therefore, time taken to don those items was not compensable.</p><p>Also, the security officers admitted that they were not required to change on the employer’s premises and that they had the option of changing at home. Furthermore, some of the gear was optional.</p><p>Interestingly, the court found that checking mail, shift schedules, and notices while in the command post building were generic activities that were not essentially linked to the principal activity of providing security to the power plant. While they were required by the employer, they were not integral to the employee’s work and were not compensable.</p><p>Furthermore, the court found that even if the equipment was integral and indispensable, the time spent on such activities was de minimis and was not compensable. Under the de minimis doctrine, otherwise compensable time could still be found to be not compensable by a court.</p><p>Factors to be considered are the practical administrative difficulty of recording the additional time, the size of the claim in aggregate, and whether the claimants perform the work on a regular basis. In this case, the trial court found that the plaintiffs claimed to spend seven minutes donning and doffing uniforms. 
The court found that seven minutes was an insignificant amount of time and that the practical administrative difficulty of recording the additional time would outweigh the size of the claim in the aggregate.</p><p>Although the district court dismissed all of the security officers’ claims that were related to donning and doffing and gun-up and gun-down, the case is still pending on whether Wackenhut should have paid the security officers for activities conducted after the security officers were armed but before they arrived at their work post. That particular issue is scheduled to be presented to a jury later this year.</p><p>The second case is Bamonte v. City of Mesa (U.S. Court of Appeals for the Ninth Circuit, 2010). In this case, the plaintiffs are police officers employed by the City of Mesa, Arizona. The officers sued the City of Mesa, arguing that the city violated the FLSA and Arizona statutes by failing to compensate them for hours they spent donning and doffing their uniforms, protective gear, and equipment. The police officers sought unpaid overtime compensation for violation of the FLSA, an additional amount equal to the overtime, attorney’s fees, and additional costs.</p><p>The City of Mesa required its police officers to wear certain uniforms and related gear. However, like the security officers in Haight, the police officers had the option of getting in uniform at home (and similarly, going home to get out of uniform).</p><p>The police officers argued that they preferred to don and doff their uniforms and gear at the police station. The officers raised several reasons for their preference, such as potential access to their gear by family members, safety concerns with performing firearms checks at home, and increased risk of being identified as police officers. 
In light of the police officers’ concerns, the city provided each officer with a locker at the station but made it clear that the officers had the option to change at home.</p><p>The trial court found that since the officers had been given the option of changing into their uniforms at home, the specific activity of donning and doffing uniforms at the police station was not compensable. The officers appealed the case.</p><p>The federal appeals court agreed with the trial court and dismissed the police officers’ complaint. The court noted that the DOL and other courts have allowed compensation for donning and doffing only in situations where the employees were required by their employers—by law, by rules, or by the nature of their work—to don and doff their gear in the workplace.</p><p>The court also found that the DOL Field Operations Handbook notes that employees who dress to go to work in the morning are not working while dressing even though they are putting on required uniforms. The court found that although the police officers were logical in choosing to change at the police station, this was a preference and not a mandate.</p><p>One of the three justices, Justice Ronald Gould, disagreed and wrote a separate opinion dissenting in part. Although he agreed with dismissing the police officers’ complaint, Justice Gould’s opinion raises questions that may be raised by plaintiffs in another lawsuit.</p><p>Justice Gould argued that the U.S. Supreme Court uses a context-specific approach to collective action FLSA cases, and that the majority did not use this approach. He wrote that the proper analysis for determining compensability under the Portal-to-Portal Act entails an examination of more than a dozen factors to determine whether an activity is compensable. For example, one factor might be whether there was a written policy governing the changing of uniforms at the workplace.</p><p>The police officers have not appealed Bamonte v. City of Mesa to the U.S. 
Supreme Court, which would be the next step.</p><p>Avoiding Liability<br>A company should review all of the activities it requires employees to complete both before and after work. For example, management should be wary if employees are required to don and doff uniforms at the workplace without compensation for that time. After Bamonte v. City of Mesa, companies should be sure that a written policy explicitly spells out the rules if they allow employees to don and doff their uniforms at home—in other words, if doing so at work is optional, not required. They should ensure that employees are aware of this policy.</p><p>Employers need to review their policies on other duties undertaken before and after work as well as any mandatory training. They should review record keeping procedures and policies and ensure that overtime is properly calculated to include necessary compensation.</p><p>Employers must not plan on using precedent. Collective action cases are fact specific, and courts have held that activities anywhere from two minutes to 15 minutes were de minimis. There are no clear standards.</p><p>In any collective action case, companies should have an attorney investigate the matter. The attorney should identify potential exposure and risks, determine the scope of the complaint, and preserve all relevant records. Companies should also work with the attorney to identify and interview key personnel so that the information remains privileged.</p><p>Collective actions are on the increase and significant costs can be associated with such actions. But by being aware of the risk, attempting to avoid clear violations, and consulting attorneys when claims arise, companies can reduce the potential for problems.</p><p>Philip R. Kujawa is a partner and John C. De Koker III is an associate at Hinshaw & Culbertson LLP. 
Kujawa is a founder of the firm’s Alarm and Security Industry Practice Group, and specializes in representing security and alarm companies in catastrophic claims and contract matters. This article does not constitute legal advice.<br></p>