CORPORATE SECURITY and THE LAW


How Corporate Security Changed After 9/11
John M. McCarthy
Managing Partner
Business Security Advisory Group
www.bsag-cso.com
The Business Security Advisory Group (BSAG) specializes in a broad range of corporate security consulting services including:
 Business continuity,
 Risk assessment and management,
 Regulatory compliance,
 Strategic security planning and policy development.
Getting Ahead of the Problems




Corporate Security’s responsibilities prior to 9/11
Corporate Security’s responsibilities post 9/11
Laws and regulations regulating the security industry post 9/11
Corporate Security in the 21st Century



Investigations – violation of corporate policy and other corporate crimes
Physical security – gates, guards, guns
Executive protection – ensuring top executives and families were secure



Corporate Security generally a middle management responsibility
Corporate Security generally thought of as the “Corporate Cop”
Corporate Security plans and programs generally responsive or reactive to immediate incidents – no long term planning



Mostly reactive – incident happens, security responds – firehouse mentality
Stovepipe thinking – security programs sometimes contrary to Business Unit’s business plans and goals
Law Enforcement Driven – security goal must be attained at all costs – no priorities
September 10, 2001
September 11, 2001

Three thousand civilians murdered

$80 billion in losses

11 million people in developing countries pushed into poverty.

Financial markets closed

Air transportation system grounded





*
Mail Processing – 86%
Travel – 85%
Protection of Employees – 79%
Protection of Infrastructure – 75%
Risk Assessment – 71%
3 Booz, Allen, Hamilton Survey – 11/01





Protection of Offices and Physical Plants – 69%
Employee Morale – 69%
Supply Chain Distribution – 51%
Customer Security – 50%
Productivity – 47%



Corporate Security gets the attention of Executive Management
Corporate Security seen as a resource to the company, not as a necessary evil
Corporate Security an advisor to Executive Management and Business Units concerning comprehensive security programs for personnel and corporate asset protection



Corporate Security reports to the “C” suite in many companies and is no longer a mid-level executive responsibility
Corporate security executives become more business oriented in management style and program content
Corporate Security becomes an enterprise function of the company




Emergency plans include crisis management, disaster recovery and business continuity developed in a proactive environment
Corporate Security executives now craft strategic and tactical security plans for business units. Plans and programs consider business goals and budgets
All corporate security plans and programs are more proactive and include prevention of terrorist attack



The Public Sector recognizes its greater responsibility to protect its citizens and assets
Corporate Security deals more with federal, state and local officials as security regulations exponentially increase
Public and private partnerships flourish as both attempt to craft meaningful proactive emergency plans, protective processes, security laws and regulations


Corporate security plans and programs develop a legal compliance component as corporations comply with the new mandated legislation
Corporate Security’s programs are more restrictive and costly as both terrorism and legislative compliance are emphasized
Legislation*
Access to Information Act
Arming Pilots Against Terrorism Act
Aviation and Transportation Security Act
Bank Protection Act of 1968
Canada's Bill C-6
Children's Online Privacy Protection Act (COPPA)
Corporate Manslaughter and Corporate Homicide Act 2007 (UK)
Customs Modernization Act
Cyber Security Enhancement Act of 2002
CyberCrime Treaty
E-Signature Act
European Union Data Protection Directive
Executive Order 12958 – Information Sharing
Executive Order 13224 – Doing Business w/ Terrorists
Executive Order 13231 – Infrastructure Protection
Executive Order 13234 – Citizen Preparedness
Legislation (Continued)
Family Educational Rights and Privacy Act
Federal Anti-Tampering Act
Federal Computer Security Bill – H.R. 1259
Federal Hazardous Materials Law
Foreign Corrupt Practices Act
Homeland Security Act
International Emergency Economic Powers Act
Maritime Transportation Security Act of 2002
National Information Infrastructure Protection Act
Notification and Federal Employee Anti-Discrimination and Retaliation Act
Patriots Act
Personal Information Protection and Electronic Documents Act
Legislation (Continued)
Presidential Directive 2
Presidential Directive 3
Presidential Directive 7
Presidential Directive 8
Public Health Security and Bioterrorism Preparedness & Response Act
Robinson-Patman Anti-Trust Act
Safe Explosives Act
Safe Harbor Act
The Occupational Safety and Health Act
The Currency and Foreign Transactions Reporting Act
Title 18 - Federal Sentencing Guidelines
Trade Act of 2002
US Global Anti-Corruption Policy
US The Currency and Foreign Transactions Reporting Act
USA PATRIOT Act
Voluntary Private Sector Preparedness Accreditation and Certification Program
*Above information furnished by Security Executive Council
Executive Orders*1

Executive Order 12958 - Information Sharing
  Brief Description: Prescribed a uniform system for classifying, safeguarding and declassifying national security information
  Citation: EO12958
  Effective Date: Apr. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1995_register&docid=fr20ap95-135.pdf

Executive Order 13224 - Doing Business w/ Terrorists
  Brief Description: Blocks property and prohibits transactions with persons who commit, threaten to commit, or support terrorism
  Citation: EO13224
  Effective Date: Sept. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr25se01-133.pdf

Executive Order 13231 - Infrastructure Protection
  Brief Description: Establishes a protection program to safeguard information systems for critical infrastructure
  Citation: EO13231
  Effective Date: Oct. 2001
  Website: http://www.whitehouse.gov/news/orders/

Executive Order 13234 - Citizen Preparedness
  Brief Description: Establishes a Presidential Task Force on citizen preparedness in the war on terrorism
  Citation: EO13234
  Effective Date: Nov. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr15no01-130.pdf

Presidential Directive 2
  Brief Description: Seeks to combat terrorism through Immigration Policies; creates the Foreign Terrorist Tracking Task Force
  Citation: NSPD-2
  Effective Date: Oct. 2001
  Website: http://www.whitehouse.gov/news/releases/2001/10/20011030-2.html

Presidential Directive 3
  Brief Description: Design system to create a common vocabulary, context, and structure for ongoing national discussion about the nature of the threats to US and the appropriate measures that should be taken in response
  Citation: HSPD-3

Presidential Directive 7
  Brief Description: Established national policy for Federal departments and agencies to identify and prioritize US critical infrastructure and key resources and to protect them against terrorist attacks
  Citation: HSPD-7
  Effective Date: Dec. 2003
  Website: http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html

Presidential Directive 8
  Brief Description: Established policies to strengthen preparedness of US to prevent and respond to threatened or actual terrorist attacks--requires national domestic all-hazards preparedness goal
  Citation: HSPD-8
  Effective Date: Dec. 2003
  Website: http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html

http://www.whitehouse.gov/news/releases/2002/03/print/20020312-5.html
Statutes*1

Homeland Security Act (incorporated Executive Orders above)
  Brief Description: Establishes new Department of Homeland Security, reorganization plan
  Responsible Government Department: Dept. of Homeland Security
  Citation: H.R. 5005; Pub.L. 107-296
  Effective Date: Nov. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf

Foreign Corrupt Practices Act (FCPA)
  Brief Description: Prohibits corrupt payments to foreign officials for the purpose of obtaining or keeping business.
  Responsible Government Department: Dept. of Justice
  Citation: 15 U.S.C. § 78dd-1, 78dd-2
  Effective Date: 1977 (amended 1998)
  Website: http://www.usdoj.gov/criminal/fraud/fcpa.html

Cyber Security Enhancement Act of 2002
  Brief Description: Established stronger sentencing guidelines and policy statements to reflect the serious nature of certain computer crimes
  Responsible Government Department: Dept. of Homeland Security
  Citation: 6 U.S.C. § 145
  Effective Date: Nov. 2002
  Website: http://www4.law.cornell.edu/uscode/6/145.html

Federal Anti-Tampering Act (FAT)
  Brief Description: Establishes criminal penalties for tampering, or attempting to tamper, with any consumer product that affects interstate or foreign commerce
  Responsible Government Department: Dept. of Health and Human Services (FDA)
  Citation: 18 U.S.C. § 1365
  Effective Date: Nov. 2003
  Website: http://www4.law.cornell.edu/uscode/18/1365.html

International Emergency Economic Powers Act (IEEPA)
  Brief Description: Incorporates multiple executive orders re: economic actions against adverse countries (Burma, Sudan, Iraq, etc.)
  Responsible Government Department: Dept. of Homeland Security
  Citation: 50 U.S.C. § 1701 et seq.
  Effective Date: Nov. 2003
  Website: http://www4.law.cornell.edu/uscode/50/1701.html

National Information Infrastructure Protection Act
  Brief Description: Provides for stricter penalties to protect confidentiality, integrity and availability of systems and information
  Responsible Government Department: Dept. of Homeland Security
  Citation: 18 U.S.C. § 1030
  Effective Date: Jan. 1997
  Website: http://www4.law.cornell.edu/uscode/18/1030.html

Public Health Security and Bioterrorism Preparedness & Response Act (PHSBPR)
  Brief Description: Establishes national, state and local preparedness and response strategies, and procedures to protect US food, water, and drug supplies
  Responsible Government Department: Dept. of Homeland Security (DHHS)
  Citation: H.R. 3448; Pub. L. 107-188
  Effective Date: Jan. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ188.107

USA PATRIOT Act (a.k.a. Anti-Terrorism Act)
  Brief Description: Enhances powers to both domestic law enforcement and international intelligence agencies to deter and punish terrorism
  Responsible Government Department: Dept. of Homeland Security
  Citation: H.R. 3162; Pub.L. 107-56
  Effective Date: Oct. 2001
  Website: http://www.eff.org/Privacy/Surveillance/Terrorism/hr3162.php

Maritime Transportation Security Act of 2002 (MTSA)
  Brief Description: Requires sectors of maritime industry to complete security assessments, develop security plans and implement security measures and procedures.
  Responsible Government Department: Dept. of Homeland Security (U.S. Coast Guard)
  Citation: 46 U.S.C. § 2101 et seq.; Pub.L. 107-295
  Effective Date: Nov. 2002
  Website: http://www4.law.cornell.edu/uscode/46/2101.html

Federal Hazardous Materials Law
  Brief Description: Establishes regulations for transport of hazardous materials via all modes
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: 49 U.S.C. § 5101 et seq.
  Effective Date: Jan. 1983 (amended last in 1999)
  Website: http://www4.law.cornell.edu/uscode/49/stIIIch51.html

Trade Act of 2002
  Brief Description: Gave the president increased authority to make it easier to trade with other countries; also sought to protect workers displaced by jobs moving abroad
  Responsible Government Department: Dept. of Homeland Security (Customs)
  Citation: Public Law 107-210
  Effective Date: Aug. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ210.107

Notification and Federal Employee Anti-Discrimination and Retaliation Act (No FEAR Act)
  Brief Description: Mandates that Federal Agencies be more accountable for violations of anti-discrimination and whistleblower protection laws
  Responsible Government Department: Dept. of Homeland Security
  Citation: 5 U.S.C. § 2302 et seq.; Pub.L. 107-174
  Effective Date: Oct. 2003
  Website: http://www4.law.cornell.edu/uscode/5/2302.html

Customs Modernization Act (Mod Act) (Passed as part of NAFTA)
  Brief Description: Sets out specific rules and requirements for importers, brokers, and others regarding recordkeeping
  Responsible Government Department: Dept. of Homeland Security (Customs)
  Citation: H.R. 3450; Pub. L 103-182
  Effective Date: Jan. 1993
  Website: http://thomas.loc.gov/cgi-bin/query/C?c103:./temp/~c103xXsW4u

Arming Pilots Against Terrorism Act (Sec. 1401 of Homeland Security Act)
  Brief Description: Establishes a program to deputize pilots
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: Pub.L 107-296
  Effective Date: Nov. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf

Aviation and Transportation Security Act (ATSA)
  Brief Description: Established Transportation Security Association and centralized security system for the transportation industry
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: S. 1447; Pub. L 107-71
  Effective Date: Nov. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ071.107.pdf

Safe Explosives Act (Sec. 1122 of Homeland Security Act)
  Brief Description: Amended section 18 USC 842(i) by adding several categories to list of persons who may not lawfully ship, transport, or receive explosives in/out of US
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: PL 107-296
  Effective Date: Nov. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf

*1 Above information furnished by the Security Executive Council




Vicarious corporate executive liability for violation of some of the criminal and environmental laws
Civil liability in money damages for tort law violations
Criminal liability for companies and employees in foreign venues for violations of international laws and regulations
Overarching federal statutes either mandate or furnish guidelines for fines and/or punishment for violation of statutes and regulations



Corporate Security executives will be law enforcement and business qualified and also possess some technical security and management ability
Chief Security Officer will report to Executive Management and have complete unfettered access to the “C” suite
Corporate Security will have an enterprise component and deal with security matters in a manner business executives will understand


Corporate Security plans and programs will be mostly proactive and preventative, anticipating security challenges and emergencies before they occur
Corporate Security will use the team concept and interact with all the business units and service departments to ensure cost-effective corporate security policy is practically implemented company-wide.


Corporate Security plans and programs will have to deal with the reality of government regulation and develop innovative methods to keep current with the laws and effect compliance
Develop innovative methods to ensure security solutions are as multi-faceted as possible so that the cost and compliance components can be spread among other business units
Corporate Security will re-orient its goals from strictly law enforcement objectives to ones that include a business component, e.g. provide metrics for security services that:
 Increase profitability
 Reduce costs
 Enhance the brand
 Improve customer relationships
 Reduce employee attrition









Drug Testing Programs
Employee Reduction Programs
Investigative and Interview Training
Background Inquiries
Expatriate Mobilization Programs
Workplace Violence Programs
Crisis Management Programs
Security Awareness Programs
Domestic and Global Evacuation Programs
QUESTIONS?