Legal Issues Report April 2017
2017-04-01T04:00:00Z, Megan Gates

<p><strong>Surveillance.</strong> European Union (EU) member states may not impose general obligations on electronic communications services to retain data, the <a href="" target="_blank">EU Court of Justice recently ruled</a>. The decision was a blow to the recently enacted U.K. Investigatory Powers Law, which allows the U.K. Home Department secretary of state to require public telecommunications operators to retain all data related to communications for no more than 12 months.</p>
<p><strong>Privacy.</strong> U.S. agencies <a href="" target="_blank">published a final rule</a> that requires contract employees who handle personally identifiable information (PII) or work with a system of records to complete privacy training.</p>
<p><strong>Corruption.</strong> Brazilian global construction conglomerate Odebrecht S.A. and petrochemical company Braskem <a href="" target="_blank">pleaded guilty</a> and agreed to pay penalties of at least $3.5 billion to resolve U.S., Brazilian, and Swiss charges of bribery.</p>
<p><strong>Cheating.</strong> Volkswagen <a href="" target="_blank">will plead guilty</a> to three U.S. criminal felony counts and pay a $2.8 billion penalty to resolve a U.S. federal criminal investigation into its cheating on emissions tests. The plea is the result of Volkswagen’s long-running scheme to sell roughly 590,000 diesel vehicles in the United States by using a defeat device to cheat emissions tests mandated by the Environmental Protection Agency and the California Air Resources Board.</p>
<p><strong>Wildlife trafficking.</strong> <a href="" target="_blank">China will ban all ivory commerce</a> by the end of the year following years of growing pressure to shut down the world’s largest ivory market. The shutdown will occur in phases, and the first step was the closure of legal ivory processing factories and businesses by March 31.</p>
<p><strong>Email.</strong> U.S. lawmakers reintroduced legislation that would update privacy protections for electronic communications information stored by third-party service providers. <a href="" target="_blank">The Email Privacy Act (H.R. 387)</a> would update the Electronic Communications Privacy Act to require all U.S. government agencies to obtain a warrant to search Americans’ online communications, regardless of when the email was written.</p>
<p><strong>Firearms.</strong> <a href="" target="_blank">A U.S. appeals court found</a> that California’s 10-day waiting period to purchase a firearm is a reasonable safety precaution for all individuals seeking to purchase a gun, regardless of whether they have purchased a gun in the state before.</p>
<p><strong>Breaks.</strong> Employees on rest breaks must be relieved of all of their duties, <a href="" target="_blank">the California Supreme Court ruled</a>, finding that a security firm violated state law by requiring security guards to carry phones and radios and remain on call during rest breaks.</p>


Legal Report January 2017

<h4>U.S. Legislation</h4>
<p class="p1">114th U.S. Congressional Wrap-up. This month’s “Legal Report” is a round-up of the major security-related legislation considered by the 114th U.S. Congress, which concluded at the beginning of this month. Included in this summary are public laws that went into effect and legislation that was introduced but failed to pass. The bills that failed to pass will be nullified, and members of Congress will have to reintroduce them when they reconvene early in January as part of the 115th Congress.</p>
<p class="p1"><b>Terrorism.</b> Congress reauthorized the Terrorism Risk Insurance Program, which allows the federal government to repay business costs following a catastrophic attack that costs more than $200 million in damages.</p>
<p class="p1">The law (P.L. 114-1) extends the program through December 31, 2020, and includes measures absent from the Terrorism Risk Insurance Act (TRIA) of 2002, such as new provisions increasing the original trigger amount from $100 million to $200 million and requiring the secretary of treasury to create a “reasonable timeline” to determine whether to certify an event as an act of terrorism.</p>
<p class="p1">Congress overrode President Barack Obama’s veto, allowing legislation to become law that gives terrorism victims and their families the ability to sue foreign states and officials for their role in an act of terrorism.</p>
<p class="p1">The veto override enacted the Justice Against Sponsors of Terrorism Act (P.L. 114-222), which removes sovereign immunity in U.S. courts from foreign governments that are not designated state sponsors of terrorism. It authorizes U.S. courts to hear cases involving claims against a foreign state for injuries, death, or damages that occur inside the United States as a result of a tort—including an act of terrorism—committed anywhere by a foreign state or official.</p>
<p class="p1">Legislation that would have created a U.S. Department of Homeland Security (DHS) Office for Countering Violent Extremism failed to advance in Congress.</p>
<p class="p1">The bill (H.R. 2899) would have authorized $10 million for the DHS secretary to establish the office through 2020 to coordinate DHS’s efforts to counter violent extremism by identifying risk factors and populations targeted by propaganda and recruiters. Managing DHS outreach and engagement efforts to at-risk communities was also included.</p>
<p class="p1">House Homeland Security Committee Chair Michael McCaul (R-TX) introduced the bill, which did not advance in the House.</p>
<p class="p1">The House also failed to pass a bill that would have encouraged banks to tip off federal investigators about terrorism financing. H.R. 5606 would have enhanced Section 314 of the Patriot Act to allow financial institutions to report to the federal government if they suspected funds were being used for “terrorist acts, money laundering activities, or a specified unlawful activity.”</p>
<p class="p1">The bill also would have shielded financial institutions from civil litigation for filing these reports.</p>
<p class="p1"><b>Cybersecurity.</b> As part of an omnibus spending bill in 2015, Congress passed the Cybersecurity Information Sharing Act (P.L. 114-110).</p>
<p class="p1">The act allows private entities to share and receive cyberthreat indicators and defensive measures with other entities and with the federal government. Threat indicators are defined as information that is “necessary to describe or identify malicious reconnaissance.”</p>
<p class="p1">Companies, however, must remove personal identifying information not related to cybersecurity threats before sharing data under the act.</p>
<p class="p1">It also allows the director of national intelligence and the U.S. Departments of Homeland Security, Defense, and Justice to share cyberthreat indicators with private companies and state, tribal, or local governments.</p>
<p class="p1">Congress failed to advance legislation that would have directed the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to create federal standards to secure vehicles.</p>
<p class="p1">The bill (S. 1806) would have created vehicle performance standards that required all access points in vehicles to be equipped with reasonable measures to protect against hacking attacks, all collected information from the vehicle to be secured to prevent unwanted access, and all vehicles to be equipped with technology that can detect, report, and stop hacking attempts in real time.</p>
<p class="p1"><b>Aviation.</b> Congress passed legislation (P.L. 114-50) that verifies that airports have working plans in place to respond to security incidents inside their perimeters.</p>
<p class="p1">The law directs the assistant secretary of homeland security to verify at all U.S. airports that the Transportation Security Administration (TSA) performs or oversees implementation of security measures and that airports have working plans in place to respond to active shooters, acts of terrorism, and incidents that target passenger-screening checkpoints.</p>
<p class="p1">The assistant secretary must then report his or her findings to Congress to identify best practices and establish a mechanism to share those with other airport operators.</p>
<p class="p1">Congress failed, however, to pass a bill that would limit airport employees’ access to secure areas within airport facilities.</p>
<p class="p1">The bill (H.R. 3102) would have directed the TSA to create a risk-based, intelligence-driven model for screening airport employees based on the level of employment-related access to Secure Identification Display Areas, Airport Operations Areas, or secure areas at U.S. airports.</p>
<p class="p1">Additionally, it would have required TSA to create a program to allow airport badging offices to use E-Verify, create a process to transmit applicants’ fingerprint data to a federal office for vetting, and assess credential application data received by DHS to ensure that it’s complete and matches data submitted by airport operators.</p>
<p class="p1">The House passed the bill, which stalled in the Senate Commerce, Science, and Transportation Committee.</p>
<p class="p1">In a Federal Aviation Administration (FAA) extension act, Congress created a variety of new security measures to enhance aviation security.</p>
<p class="p1">Under the law (P.L. 114-190), the number of government “viper teams” increased from 30 to 60. These teams stop and search suspicious passengers in public places outside the airport.</p>
<p class="p1">Another measure requires new passenger airlines to create secondary barriers to keep unauthorized individuals from gaining access when a pilot opens the cockpit door. It also requires the FAA to consider whether to implement additional screening for mental health conditions as part of a comprehensive medical certification process for pilots.</p>
<p class="p1">Additionally, the law requires TSA to use private companies to market and enroll more individuals in its PreCheck program. It also requires the FAA to authorize package deliveries by drones within two years of its passage.</p>
<p class="p1"><b>Drones.</b> Congress failed to pass legislation that would address the security implications of drones.</p>
<p class="p1">The bill (H.R. 1646) would have required DHS to assess the security risks associated with commercially available small and medium unmanned aerial systems (drones). The measure would also have required DHS to develop policies, guidance, and protocols to prevent or mitigate the risks if drones are used in an attack.</p>
<p class="p1">The House passed the legislation, which later stalled in the Senate.</p>
<p class="p1"><b>Privacy.</b> Congress extended some rights under the U.S. Privacy Act to European Union citizens and other designated allies.</p>
<p class="p1">The Judicial Redress Act (P.L. 114-129) allows the U.S. Department of Justice—with the agreement of the U.S. Departments of State, Treasury, and Homeland Security—to designate countries or organizations whose citizens may pursue civil remedies if they have appropriate privacy protections for sharing information with the United States.</p>
<p class="p1">The law was enacted as part of an agreement between the United States and the European Union that allows the two to exchange more data during criminal and terrorism investigations.</p>
<p class="p1"><b>Human trafficking.</b> Congress expanded the definition of child abuse under the Victims of Child Abuse Act of 1990 to include human trafficking and the production of child pornography.</p>
<p class="p1">The law (P.L. 114-22) also expands prosecution to include individuals who patronize or solicit people for a commercial sex act, “making traffickers and buyers equally culpable for sex trafficking offenses.”</p>
<p class="p1"><b>Communications.</b> A new law requires DHS to achieve and maintain interoperable communications. The law (P.L. 114-29) requires a DHS undersecretary to submit a strategy to Congress to achieve and maintain communications for daily operations, planned events, and emergencies.</p>
<p class="p1">The strategy must include an assessment of interoperability gaps in radio communications among DHS groups, information on DHS efforts to achieve and maintain interoperable communications, and information about the adequacy of mechanisms available to the undersecretary to enforce and compel compliance with interoperable communications policies and directives of DHS.</p>
<p class="p1"><b>Screening.</b> Congress did not advance a bill that would require the FBI to ensure that select individuals applying for U.S. refugee admission receive full background investigations before being admitted to the country.</p>
<p class="p1">DHS already conducts such screenings, but the bill (H.R. 4038) would have required the FBI to perform background investigations on nationals or residents from Iraq or Syria, individuals with no nationality whose last residence was in Iraq or Syria, and individuals present in Iraq and Syria at any time on or after March 1, 2011.</p>
<p class="p1">The House passed the bill, which stalled when it reached the Senate floor.</p>
<p class="p1"><b>Disaster relief.</b> Congress passed legislation that requires the Federal Emergency Management Agency (FEMA) to develop and implement a plan to control and reduce administrative costs for delivering assistance for major disasters.</p>
<p class="p1">Under the law (P.L. 114-132), FEMA must compare the costs and benefits of tracking administrative cost data for major disasters by public assistance, individual assistance, hazard mitigation, and mission assignment programs.</p>
<p class="p1">FEMA must then submit to Congress by November 30 each year—until 2023—a report on the total amount spent on administrative costs.</p>
<p class="p1"><b>Prisons.</b> Congress authorized legislation that requires the director of the Bureau of Prisons to issue oleoresin capsicum spray (pepper spray) to designated individuals.</p>
<p class="p1">The law (P.L. 114-133) requires the director to issue the spray to any bureau officer or prison employee who may respond to an emergency situation in the prison. The law also allows the director to distribute the spray to other prison officers and employees as appropriate. Minimum and low-security prisons are excluded from the requirement.</p>
<p class="p1">Officers and employees designated to use the spray must first be trained on how to use it, and are required to undergo annual training on using the spray.</p>
<p class="p1"><b>Equipment.</b> The Senate failed to pass legislation that would have allowed DHS to give excess nonlethal equipment and supplies to foreign governments.</p>
<p class="p1">Under the bill (H.R. 4314), DHS would have provided these supplies to foreign governments if doing so furthered U.S. homeland security interests and enhanced the recipient government’s capacity to mitigate the threat of terrorism, infectious disease, or natural disaster; protect lawful trade and travel; or enforce intellectual property rights.</p>
<p class="p1">The House passed the bill, which stalled in the Senate Foreign Relations Committee.</p>
<p class="p1"><b>Sexual assault.</b> Congress established rights for sexual assault survivors that clarify what basic services sexual violence victims are entitled to.</p>
<p class="p1">Under the law (P.L. 114-236), victims may not be prevented from obtaining a medical forensic examination. They may not be charged for the examination. They have the right to have sexual assault evidence collection kits and their contents preserved—without charge—for the duration of the maximum statute of limitations or 20 years (whichever is shorter). They also have the right to be informed of any result of a collection kit if the disclosure would not impede or compromise an ongoing investigation.</p>
<p class="p1">Victims also have the right to be informed—in writing—of policies governing the collection and preservation of collection kits, and the right to receive written notification from officials no later than 60 days before their collection kit is to be destroyed or disposed of.</p>
<h4>Elsewhere in the Courts</h4>
<p class="p1"><b>Policing.</b> The Massachusetts Supreme Judicial Court found that the behavior of a young, black, male suspect who tried to avoid the police did not justify law enforcement in stopping and searching him. “Rather, the finding that black males in Boston are disproportionately and repeatedly targeted for Field Interrogation Observations encounters suggests a reason for flight totally unrelated to consciousness of guilt,” the court explained in its ruling. “Such an individual, when approached by the police, might just as easily be motivated by the desire to avoid the recurring indignity of being racially profiled as by the desire to hide criminal activity.” (Commonwealth v. Warren, Supreme Judicial Court of Massachusetts, No. 11956, 2016)</p>
<p class="p1"><b>Excessive force.</b> The U.S. Supreme Court did not take up a case where police officers challenged restrictions on the use of Tasers on individuals who are resisting arrest. The Court’s decision leaves in place a lower court opinion, which ruled that police should not use stun guns on individuals trying to evade custody if they do not pose a threat to officers or others. The decision stems from a court case brought after the 2011 death of Ronald Armstrong, a mentally ill man who was tased by police five times for refusing to let go of a sign post to avoid being taken to a hospital. The lower court found that police used excessive force because Armstrong did not pose a safety risk. (Estate of Ronald H. Armstrong v. Village of Pinehurst, U.S. Court of Appeals for the Fourth Circuit, No. 15-1191, 2016)</p>
<p class="p1"><b>Sexual harassment.</b> The owner/operator and management company for a Columbus, Ohio, Texas Roadhouse restaurant will pay $1.4 million to settle a class sexual harassment suit filed by the U.S. Equal Employment Opportunity Commission (EEOC). The EEOC charged that East Columbus Host, LLC, and management company Ultra Steak, Inc., victimized a group of female employees by subjecting them to sexual harassment and then retaliating against them for complaining about it. The restaurant manager allegedly made humiliating remarks about victims and other females’ bodies and sexuality, and pressured them for sexual favors in exchange for employment benefits or as a condition of avoiding adverse employment action. The consent decree resolving the lawsuit requires the companies to offer reinstatement to injured women in agreed locations and positions. The companies are also prohibited from rehiring the offending manager. (EEOC v. East Columbus Host, LLC, U.S. District Court for the Southern District of Ohio, Eastern Division, No. 2:14-cv-1696, 2016).</p>

the Pulse Nightclub Attack Means for Soft Target Security

<p><span style="line-height:1.5em;">After news broke of the <a href="/Pages/Orlando-Nightclub-Shooting.aspx" target="_blank">shooting at Pulse nightclub in Orlando</a> in the early hours of Sunday morning, many were left wondering what could have been done to prevent the attack that left 50 people dead—including the gunman—and wounded 53 others.</span></p>
<p><span style="line-height:1.5em;">To find out and to discuss what this latest attack on a soft target means for the security industry, <em>Security Management</em> Assistant Editor Megan Gates spoke with subject matter expert Kevin Doss, CPP, PSP.</span><br></p>
<p><span style="line-height:1.5em;">Doss is president and CEO of Level 4 Security, a security consultancy, and author of <a href="" target="_blank"><em>Active Shooter: Preparing for and Responding to a Growing Threat</em></a>. Below is a transcript of their conversation, which has been lightly edited for clarity.</span><br></p>
<p><span style="line-height:1.5em;"><strong>Gates: When you first heard about what was happening in Orlando, what was your initial reaction?</strong></span><br></p>
<p><span style="line-height:1.5em;">Doss: I certainly was not surprised. I worked in nightclub security in my early 20s, and you just don’t think about venues like that being attacked by active shooters.</span><br></p>
<p><span style="line-height:1.5em;">So my first thought was, ‘Wow, someone decided to hit a nightclub, which changes the game.’ It changes the game for all the different businesses out there that are soft targets, that are open to the public. 
</span></p><p><span style="line-height:1.5em;">In the case of a nightclub, security typically does not carry a firearm, even if they’re off-duty police officers, because of the environment and fights. You wouldn’t want someone to take your weapon during a fight or if you’re breaking up a fight.</span><br></p><p><span style="line-height:1.5em;">So you typically have no firearms at a nightclub or a bar. Also, concealed weapons permits usually do not allow you to conceal carry into an establishment that sells alcohol, or sells more alcohol than it does food.</span><br></p><p><span style="line-height:1.5em;">So it was a venue that I thought, from an attacker’s point of view, is a target-rich environment with very little protection.</span><br></p><p><span style="line-height:1.5em;"><em>(Editor’s note: The off-duty police officer who was hired as security for Pulse nightclub was carrying a firearm.)</em></span><br></p><p><span style="line-height:1.5em;"><strong>Gates: As more details about the attack emerged, what did you as a security consultant begin thinking about?</strong></span><br></p><p><span style="line-height:1.5em;">Doss: I started thinking about what should a nightclub do? If I’m the consultant coming in, how am I going to put a security program in place that would mitigate—maybe not stop, but mitigate—the risk of an active shooter or any act of violence, whether it’s a gun, whether it’s a knife. </span><br></p><p><span style="line-height:1.5em;">The first step in any security program is you need a plan. You have to have and develop a plan, and I think every nightclub in America and the world today is probably going out and looking at their security and going, ‘Wow, we need to do something. We need to make sure we have a better plan in place.’ Because I can assure you, many of them have probably never thought about security to that level.</span><br></p><p><span style="line-height:1.5em;">But you can’t just throw in a simple emergency action plan. 
You have to plan for specific threats. Pulse was a gay club, an alternative lifestyle club. We know there are threats from certain individuals who hate that lifestyle. They hate people based on their sexual orientations, so if you’re doing a threat assessment—which is part of a risk assessment—you already know that there’s a potential for violence.</span><br></p>
<p><span style="line-height:1.5em;">Your local neighborhood bar may not have that same threat, versus a nightclub that caters to the alternative lifestyle. That’s going to have additional threats. That’s going to determine what type of security measures you need. You can’t go out to one club and go, ‘OK, every club should do this.’ That’s just not realistic and it’s not going to work.</span><br></p>
<p><span style="line-height:1.5em;">What you need to do is look at the club, look at the social environment, look at the economic environment, and look at the geographic area around it. What are the threats? What are the things that could possibly happen? And then you start building your plan to mitigate those risks.</span><br></p>
<p><span style="line-height:1.5em;"><strong>Gates: With that said, what are some plans a nightclub could put in place to mitigate the risk of an active shooter?</strong></span><br></p>
<p><span style="line-height:1.5em;">Doss: In this case, with an active shooter, did they compartmentalize? Oscar Newman in his book called it defensible space. What that is, is taking the environment and breaking it down into more manageable areas so you can secure those areas and not focus on the macro environment where you’re trying to secure the entire facility at one time. You break it down into more manageable zones.</span><br></p>
<p><span style="line-height:1.5em;">In this case, maybe they could have put a vestibule in and had it secured so that when you go through the checkpoint, you don’t get into the main hall until you’ve been let in through a secondary checkpoint. 
You create a lobby or vestibule area, so you don’t have full access from the street to run right in and start shooting.</span><br></p><p><span style="line-height:1.5em;">Also, you have loud music, you have flashing lights, and you have a lot of darkness in a nightclub. It was evident from seeing some of the TV and reports that came out that people [inside Pulse] heard the gunshots, but thought they were part of the show. Until they saw bodies falling, they were under the impression that those gunshots were just part of the party.</span><br></p><p><span style="line-height:1.5em;">So that’s something that needs to be addressed—an awareness of if this happens, how do we turn the lights on? How do we cut the music? How do we have a public announcement to everybody that ‘Hey, you need to take cover’? There has to be a way to communicate with everybody in that facility, very rapidly, because that’s going to save lives.</span><br></p><p><span style="line-height:1.5em;"><strong>Gates: That’s a good point, and is something I’ve heard and seen in coverage of the Orlando attack over and over again—that when the gunman started shooting, people didn’t know what was happening. Those were crucial moments for some people to respond, or not to respond.</strong></span><br></p><p><span style="line-height:1.5em;">Doss: Absolutely. You also wonder how many medical supplies [Pulse] had. So if they have a normal group of 300 people, do they have just standard Band Aids? Or do they have tourniquets? Do they have bandages? Do they have things that could be used in a medical emergency where you have a high number of casualties?</span><br></p><p><span style="line-height:1.5em;">If I had to make an assumption, my assumption would be they probably did not. 
So some of the wounded may have succumbed to their wounds because there were no tourniquets, there were no bandages, and they couldn’t get medical care in quickly.</span><br></p>
<p><span style="line-height:1.5em;">Coordination with law enforcement and first responders is critical. But also having medical supplies that they can immediately administer to the wounded is critical to saving lives because it doesn’t take long to bleed out when you’ve been shot, depending on where you’ve been hit.</span><br></p>
<p><span style="line-height:1.5em;"><strong>Gates: Do you think these kinds of soft target attacks are going to continue in the United States—especially because we have easier access to firearms here than citizens do in other countries?</strong></span><br></p>
<p><span style="line-height:1.5em;">Doss: Yes, I think these shootings, these unnecessary acts of crime will continue. I think you’ll see more of a focus put on how do we plan better—how do we prevent.</span><br></p>
<p><span style="line-height:1.5em;">My focus as a consultant has changed from response programs that focus on after the shooter gets there, how do we respond. Those are important programs, because it saves lives if there is a response plan.</span><br></p>
<p><span style="line-height:1.5em;">But my goal as a consultant is to focus on the behavior indicators and to be proactive. Let’s not wait until the person shows up at the front door, because when that happens, somebody’s getting injured. Somebody’s going to die.</span><br></p>
<p><span style="line-height:1.5em;">In almost every active shooter case there have been family members, friends, or coworkers who have said, ‘We knew something bad was about to happen. The person was acting erratically; the person was not acting like a normal person should act.’</span><br></p>
<p><span style="line-height:1.5em;">It’s no different in the Orlando case. People are now coming out saying, ‘Yes, we think he was mentally ill. 
Yes, he had issues and we knew something bad was going to happen.’</span><br></p><p><span style="line-height:1.5em;">Usually someone is aware of the indicator, someone knows something is very wrong, and the question is, what do we do with that information? How do we get that information? Sometimes it’s as simple as sitting down with the person and saying, ‘Is everything OK? I know you’re under stress, you’re going through this, and this, and this. What can I do to help you?’</span><br></p><p><span style="line-height:1.5em;">And it may just be being a friend to these individuals. I think of it from this perspective—there are victims on both sides of the shooter. You have the shooter, and the family members of the shooter that just lost a son, brother, uncle, whatever it may be. So they’re mourning and they’re embarrassed; they’re embarrassed at a heinous act of crime that their family member just committed.</span><br></p><p><span style="line-height:1.5em;">Then you have the other victims that were shot, that were innocent victims, and you have their family members. So everybody loses in an active shooter event.</span><br></p><p><span style="line-height:1.5em;">That’s why I think our focus should be more on preventing and finding out what the accurate indicators are. And if we can intercept and intervene prior to someone buying a gun and starting to shoot, that’s when we win.</span><br></p><p><span style="line-height:1.5em;"><strong>Gates: Would it have made a difference if patrons in Pulse were armed?</strong></span><br></p><p><span style="line-height:1.5em;">Doss: I’ll be the first to tell you that even if everybody in that club was carrying a gun, and pulled out a concealed weapon, you’d have just as many shot and killed. 
You would have people missing, people shooting erratically, and when alcohol is involved, you now have people who probably can’t see their sights.</span><br></p><p><span style="line-height:1.5em;">I have friends that will be like, ‘Hey, carry a gun and fire back. That’s the answer.’ And I respond, ‘I’m fairly highly trained at shooting a weapon. And I would not want to have to pull my weapon out in a crowd and make that shot while people are running by me and knocking me around.’</span><br></p><p><span style="line-height:1.5em;">Then, if you miss or the bullet penetrates through the person, now you’ve injured or killed an innocent person. It’s not as simple as ‘Give everyone a gun and fire back.’ It’s much more complicated, and very few people are capable of shooting under that type of stress accurately and effectively.</span><br></p><p><span style="line-height:1.5em;">I’m not anti-gun. I’m just stating that that’s not the simple answer when it comes to active shooter—that everyone should be armed. It can work in some cases, but in many cases it will probably be worse than some other options.</span><br></p><p><span style="line-height:1.5em;"><strong>Gates: What are some additional areas of security at Pulse that as a security professional, you’d want to know more about following this incident?</strong></span><br></p><p><span style="line-height:1.5em;">Doss: My question will be for the security officer on duty, was he trained on active shooter? If he was trained, on what type of protocols? What did he learn?</span><br></p><p><span style="line-height:1.5em;">From a security consultant perspective and a subject matter expert perspective, I’m interested in how your people are trained. And then, did they do what they were trained to do? And was that the right thing to do?</span><br></p><p><span style="line-height:1.5em;">Those are the questions that I think will be bouncing around as everything is analyzed, because this is a pretty impactful event. 
You have 103 people that have been either wounded or killed. Out of 300 people, that’s one-third of the people in the place. That’s a huge percentage. So I think this is, unfortunately, a lesson that every business is going to have to start taking seriously.</span><br></p><p><span style="line-height:1.5em;">And many do not. I’m out there—I wrote a book on active shooter. I’m out there preaching it, and I sit there and still see businesses that don’t invest in building a plan. They still don’t invest in training and awareness. They still don’t invest in training their people when it comes to active shooter or any act of violence.</span><br></p><h3>Under Control</h3><p>Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016.</p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when. They decide where to install readers and how to process visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created.
The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states. In addition, it has approximately 120 corporate buildings (data centers, operations centers, call centers, and corporate and regional headquarters) that have access control systems.</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data. The Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Act of 1999 require healthcare and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data.</p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity related to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate.</p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility.
What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data?</p><p>Access control database administrators must have an ongoing process for maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system (employees, vendors, visitors, temporary card users) and establishing how the credentials in each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established.</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID: employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employees and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching on the network login ID covers the majority of the organization’s users. If the records do not match, the user’s access is terminated.</p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant.
The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to the one person responsible for ensuring that those temporary cards are accounted for.</p><h4>Space</h4><p>BB&T has established criteria and definitions for the physical space in its environment and categorizes space as critical, restricted, or general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites. Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner, who is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for requestors to understand what access they are selecting.
Grouping as many readers together as possible minimizes the number of possible groupings, which means fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and reviewing access reports. If all readers for critical space in a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed.</p><p>However, in some cases, minimizing groupings may not be possible. For example, one group of users may be allowed into the IT area, but only a subset of that group has access to the server room that resides within the lab. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. Overlap complicates the request process and the report reviews, and it can cause access reports to reflect an incomplete list of users who have access to a space. For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this creates a problem, since each of the three individual readers belongs to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, a report on the communications room reader group alone is not enough; an additional report on the group of all three readers would also need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors; in this example, a reader report on the communications room only.
Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete. It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space. Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged so that a higher level of scrutiny is required before access is removed. Nonetheless, this is a cleaner way to set up access levels, and it ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. That leaves fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best for determining whether active cardholders in the system still work for the company.
Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards.</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals of no more than a quarter. An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request.</p><h4>Automation</h4><p>BB&T is working to upgrade the automation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system so that approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process.
Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.</p><p>These efforts may seem daunting, but once the standards are set, the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.</p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T, where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>
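<p>Two of the practices the article above describes, the overlapping-grouping problem in the three-reader building and the clean-up cycle of deactivating stale cards, matching the rest against network login IDs, and sending unmatched cards to a sponsor, are easy to lose in prose. The following is an added example written for this page, not BB&T’s or the article’s own software: a toy in-memory model of an access control database in which the grouping names, cardholders, dates and the 180-day stale window are all constructed sample values.</p>

```python
"""Added example, not BB&T's or the article's own code: a toy model of an access
control database that demonstrates two practices from the article above, namely
(1) detecting overlapping reader groupings and producing a complete report of
who can reach a reader, and (2) the clean-up and maintenance cycle of deactivating
stale cards, matching active cards against network login IDs, and routing the
rest to a sponsor review. All names, card records and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed "today" for the stale-card calculation.
TODAY = date(2015, 6, 30)

# Reader groupings for the article's three-reader building: grouping one is the
# front and back doors, grouping two the communications room, and grouping three
# is the overarching grouping that covers all three readers (constructed names).
GROUPINGS = {
    "G1-perimeter": {"front-door", "back-door"},
    "G2-comms-room": {"comms-room"},
    "G3-whole-building": {"front-door", "back-door", "comms-room"},
}


@dataclass
class Card:
    card_id: str
    holder: str
    network_id: Optional[str]   # None for vendors/tenants with no company login
    sponsor: Optional[str]      # employee who vouches for a non-network card
    last_used: date
    groupings: set = field(default_factory=set)
    active: bool = True


def build_sample_cards(today=TODAY):
    """Constructed cardholders: Dan's card is stale and Eve has left the company."""
    return [
        Card("C1", "Alice", "alice", None, today - timedelta(days=5),
             {"G1-perimeter", "G2-comms-room"}),
        Card("C2", "Bob", "bob", None, today - timedelta(days=10),
             {"G3-whole-building"}),                 # janitor with whole-building access
        Card("C3", "Carol", None, "alice", today - timedelta(days=20),
             {"G1-perimeter"}),                      # vendor, sponsored by Alice
        Card("C4", "Dan", "dan", None, today - timedelta(days=400),
             {"G2-comms-room"}),                     # unused for more than six months
        Card("C5", "Eve", "eve", None, today - timedelta(days=3),
             {"G1-perimeter"}),                      # no longer in the IT security data
    ]


def overlapping_readers(groupings):
    """Map each reader that belongs to more than one grouping to those groupings.
    Under the article's rule, a critical or restricted reader must never appear here."""
    membership = {}
    for name, readers in groupings.items():
        for reader in readers:
            membership.setdefault(reader, []).append(name)
    return {r: sorted(g) for r, g in membership.items() if len(g) > 1}


def naive_report(cards, grouping):
    """The incomplete report: only the grouping named after the space."""
    return sorted(c.holder for c in cards if c.active and grouping in c.groupings)


def access_report(cards, reader, groupings):
    """Everyone whose active card is in ANY grouping containing the reader.
    This union is the second step the article says is often missed in audits."""
    containing = {g for g, readers in groupings.items() if reader in readers}
    return sorted(c.holder for c in cards if c.active and c.groupings & containing)


def clean_up(cards, valid_network_ids, today=TODAY, stale_days=180):
    """Article's clean-up order: deactivate cards unused within the timeframe,
    deactivate network-ID cards that no longer match the IT security data, and
    return the non-network cards as (card_id, sponsor) pairs for quarterly sponsor
    review. Mutates the cards in place."""
    for_sponsor_review = []
    for card in cards:
        if not card.active:
            continue
        if (today - card.last_used).days > stale_days:
            card.active = False
        elif card.network_id is not None:
            if card.network_id not in valid_network_ids:
                card.active = False
        else:
            for_sponsor_review.append((card.card_id, card.sponsor))
    return for_sponsor_review


if __name__ == "__main__":
    cards = build_sample_cards()
    print("overlapping readers:", overlapping_readers(GROUPINGS))
    print("comms-room, grouping report only:", naive_report(cards, "G2-comms-room"))
    print("comms-room, complete:", access_report(cards, "comms-room", GROUPINGS))
    review = clean_up(cards, valid_network_ids={"alice", "bob", "dan"})
    print("to sponsor review:", review)
    print("comms-room after clean-up:", access_report(cards, "comms-room", GROUPINGS))
```

<p>Run as a script, the overlap check reports every reader in the building as belonging to two groupings, and the grouping-only report for the communications room omits the janitor, whose access comes through the overarching grouping; only the union over all groupings containing the reader gives the list an auditor expects. The clean-up pass removes the stale card before any matching is attempted, terminates the card whose network login no longer exists in the IT security data, and hands the vendor card to its sponsor rather than deactivating it, which is the split the article describes between matched and sponsored cardholders.</p>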