Skip to content

Photo by iStock; photo illustration by Security Management

Legal Report September/October 2021

Judicial Decisions

Sabotage. A pharmacist who admitted to tampering with COVID-19 vaccine vials at his work received a three-year prison sentence.

Steven Brandenburg pled guilty to two counts of attempting to tamper with consumer products with reckless disregard for intentionally removing a box of Moderna vaccine doses from an Aurora Medical Center refrigeration unit for hours during two of his overnight shifts in December 2020. To remain viable, the vaccine needs to be stored at specific cold temperatures, and this information—along with other specifications on proper storage and use—was available to Brandenburg and other employees.

“Brandenburg is skeptical of vaccines in general and the Moderna COVID-19 vaccine specifically,” according to court documents. Despite his education, the additional information provided by the U.S. Food and Drug Administration, and professional familiarity with the potential health consequences of improperly storing any vaccine, Brandenburg removed the doses and returned them to refrigeration. They were later distributed and administered to individuals at a clinic.

Besides admitting to coworkers that he was skeptical about vaccines, Brandenburg’s actions were at least partly detected by a pharmacy technician who discovered the vials outside of a refrigeration unit.

After the hospital invited the FBI and other federal and local authorities to investigate the issue, Brandenburg admitted to his actions.

Brandenburg’s sentence includes three years of supervised release and restitution of $83,829.05 to be paid to the hospital. (United States v. Steven Brandenburg, U.S. District Court of Eastern District of Wisconsin, No. 21-cr-0025-bhl, 2021)

Identity theft. To settle allegations of credit fraud and identity theft, smart home security and monitoring company Vivint Smart Home, Inc., agreed to pay $20 million to the U.S. Federal Trade Commission (FTC).

Vivint allegedly improperly used credit reports to qualify potential clients for financing and failed to set up and adhere to an identity theft program, according to an FTC press release. Sales representatives used various processes to approve others for loans for their services, including asking customers to give the name of someone known to them with a better credit rating and adding that person as a co-signer without his or her consent and “white paging”—where another customer with the same or similar name is found and used to qualify the hopeful customer. The customers whose identities were stolen were contacted by debt collectors about payments for additional products or services they never requested.

This settlement marks the largest financial settlement under the Fair Credit Reporting Act. Of the total fine, the civil fine amounted to $15 million, and the remainder was compensation to impacted customers. Beyond the financial penalties, Vivint must enact an identity theft prevention program, an employee monitoring and training initiative, and a customer service task force responsible for verifying that an account corresponds to the correct client before sending an account to a debt collector. (United States v. Vivint Smart Home, Inc., U.S. District Court of Utah, No. 2:21-cv-00267-TS, 2021)


U.S. States

Doxxing. Colorado Governor Jared Polis signed legislation into law that bans the sharing of personal information of public health workers or their families if the motivation is to harass or threaten them.

The Protections For Public Health Department Workers (formerly CO HB1107) expands protections for public health employees and contractors, allowing them to request their personal information—including addresses, photographs, and telephone numbers—be removed from online public records. Individuals who publish this information with malicious intent could face up to 18 months in jail and a $5,000 fine.

The new law was enacted after an increasing number of threats were made against public health employees and contractors in 2020 while the COVID-19 pandemic spread. The protections mirror those already in place for law enforcement officials, human services workers, and their families in Colorado.

Doxxing, the online search for or publishing of personal information, can lead to online and in-person harassment and attacks. Doxxing can have various motives and consequences, including celebrity doxxing, which focuses on a celebrity’s personal life; revenge or vigilantism; and erroneous doxxing, where the wrong person is linked to a group or situation.


Data security. The Data Security Law (DSL) of the People’s Republic of China went into effect on 1 September 2021.

The DSL regulates all activities in China that involve data processing, including collection, storage, use, transmission, disclosure, refining, and provision. It also regulates data activities of people and organizations outside of China considered a national security threat or public interest.

The law requires national security agencies to create a National Data Security Coordination Mechanism, which will promote data security risk information sharing between agencies. It also creates a new category of data—national core data—which includes information related to the country’s national security, economy, citizens’ livelihoods, and essential public interests.

United Kingdom

Domestic abuse. Queen Elizabeth II gave Royal Assent to allow the Domestic Abuse Act 2021 to become law. It widens the definition of domestic abuse to include coercive or controlling conduct, emotional abuse, and financial abuse, as well as physical violence.

The law also offers additional protections to domestic abuse victims in civil and family courts, including giving them protective screens, the option to testify through a video link, and prohibiting accused abusers from directly cross-examining their victims. Children who witness any abuse are now explicitly recognized as victims.

The act gives law enforcement additional powers, including being able to provide victims with immediate protection from abusers with Domestic Abuse Protection Notices and Orders. The latter requires offenders to seek either mental health support or rehabilitation for substance abuse.

Other changes created by the act include the banning of the “rough sex” defense, which allowed accused abusers to claim that violent acts were consensual; criminalizing threats of sharing private sexual photographs and films with the intent to cause distress, sometimes known as revenge porn; and making non-fatal strangulation a specific offense with attackers facing a maximum sentence of five years in prison.

Previously, incidents of non-fatal strangulation could result in attackers being charged with common assault, which carried a maximum jail sentence of six months.


United States

Discrimination. The U.S. Equal Employment Opportunity Commission (EEOC) clarified that companies may require employees to receive COVID-19 vaccines. The only stipulation is that the employer should not offer potentially coercive rewards for vaccination if it is administering the doses itself.

If an employee has a disability or sincerely held religious beliefs, practices, or observances that conflict with getting vaccinated, the employer must “provide reasonable accommodations,” according to the EEOC guidance.

The guidance was issued in response to questions about whether such a requirement was a form of discrimination.

Hazardous conditions. The U.S. Occupational Safety and Health Administration (OSHA) fined six construction contractors in New Jersey and Pennsylvania for four willful and 35 serious violations.

OSHA said the contractors exposed employees to falls more than 6 feet and failed to provide personal protective equipment to workers at a luxury single-family home construction site. The incidents, which were observed during three separate inspections of the site, were violations of federal requirements to prevent falls in the workplace.

The penalties amounted to more than $244,000, and the contractors were also ordered to correct or contest each violation within 15 working days of the citation.

Disclosure. First American Financial Corporation agreed to pay the U.S. Securities and Exchange Commission (SEC) a $487,616 to settle charges linked to a 2019 data breach.

The real estate title insurance company allegedly failed to disclose a weak point in its cybersecurity, which resulted in the compromise of more than 800 million images of documents. The data included Social Security numbers and bank account statements.

Although the firm’s information security staff detected the leak in January 2019, the SEC said the company waited roughly four months before disclosing it. Meanwhile, the problem remained, and company leaders were not informed. (In the Matter of First American Financial Corporation, U.S. Securities and Exchange Commission, No. 3-20367, 2021)