Legal Report November/December 2021

Judicial Decisions

Vaccine mandates. The U.S. Supreme Court denied a request from eight Indiana University students to bar the school from requiring that all faculty, staff, and students receive the COVID-19 vaccine.

The students claimed that the university’s requirement was a “violation of their constitutional rights to bodily integrity and autonomy and medical treatment choice.” The case was the first to reach the Court that dealt with universities mandating COVID-19 vaccinations, with exceptions for people with legitimate medical or religious exemption requests.

Associate Justice Amy Coney Barrett declined the students’ request for an emergency injunction without comment and without presenting the request to the full Court for a vote.

The decision upheld a ruling from the U.S. Court of Appeals for the Seventh Circuit, which also denied an injunction against the mandate while the case continues to be argued. (Klaassen et al. v. Trustees of Indiana University, U.S. 7th Circuit Court of Appeals, No. 21-2326, 2021)

Insider threat. A U.S. district judge sentenced Daniel Hale, who leaked classified information about the use of drone warfare in Afghanistan to a reporter, to 45 months in prison.

Hale, a former U.S. national security intelligence analyst, pled guilty to felony retention and transmission of national defense information—one of five charges he faced for allegedly violating the Espionage Act. The judge, Liam O’Grady, dismissed the remaining charges with prejudice.

Some of the information Hale disclosed revealed that during the course of a five-month operation in Afghanistan, almost 90 percent of people killed were bystanders or collateral damage. Hale also leaked the criteria used by military intelligence to place someone on a terrorism watch list.

O’Grady noted that Hale could have acted as a whistleblower without taking classified documents to his home. Hale printed out 36 documents, some of which included classified information, as part of his process of sharing them with the reporter.

Hale did receive some credit for time served, and the sentencing also noted that he will pay no fines. At the end of his imprisonment, he will be on supervised release for three years and will participate in programs for substance abuse and mental health treatment. (United States v. Daniel Everette Hale, U.S. District Court for the Eastern District of Virginia, No. 19-cr-00059, 2021)

Privacy. A New York resident was sentenced to three years in U.S. federal prison for hacking dozens of female college students’ email accounts to steal their private nude photographs and videos.

Nicholas Faber and a co-conspirator accessed, without permission, the school email accounts of female State University of New York (SUNY) Plattsburgh students between 2017 and 2019. Some of the accounts were accessed via the student’s university network account; Faber’s co-conspirator had the usernames and password information that corresponded to some of the targeted students.

Using the students’ email account information, he then accessed their social media and cloud accounts to steal nude photos and videos. Faber later traded the media with other unnamed individuals for nude photos and videos of other female students.

Faber pled guilty to one count of computer intrusion causing damage and another charge of aggravated identity theft.

The U.S. Department of Justice said that Faber will be subject to another 36 months of supervised release after he is released from prison. The federal judge also ordered Faber to pay $35,430 to SUNY Plattsburgh as restitution for the money and other resources the university had to dedicate to identifying which accounts were compromised, reviewing computer and server access logs, resetting passwords, and notifying students and parents. The court recommended Faber participate in sex offense-specific treatment and mental health treatment. (United States v. Nicholas Faber, U.S. District Court for the Northern District of New York, No. 8:21-cr-00021-MAD, 2021)



Coronavirus passports. France enacted two laws in late July that further mandate vaccinations for French residents who wish to access or work in certain areas and sectors.

One of the new laws requires anyone aged 12 or older to have a health pass to enter bars, restaurants, planes, trains, and some other public sites. To receive a pass, a person must provide either paper or digital proof of being fully vaccinated, having recently recovered from a coronavirus infection, or having recently tested negative for COVID-19.

Prior to the new law, all venues that could host more than 50 people—including museums, cinemas, and swimming pools—required proof of vaccination or a recent negative test.

The other law enacted in July mandated that anyone employed in the healthcare industry be fully vaccinated against COVID-19 or be suspended from employment. Healthcare workers were required to receive their first COVID-19 vaccine shot by 15 September.

United States

Physical security. U.S. President Joe Biden enacted an emergency law that provides additional funding—an estimated $1.9 billion—to security at the U.S. Capitol building after the riots on 6 January.

The Emergency Security Supplemental Appropriations Act (PL 117-31) provides funding to purchase security upgrades, make facility repairs for areas damaged during the riot, and address expenses related to the coronavirus pandemic.

The law will also support prosecutions against people involved in the attack and appropriate funds for the creation of a quick reaction force in the D.C. National Guard to assist U.S. Capitol Police.



Data protection. A German regulator formally warned the Senate Chancellery of the Free and Hanseatic City of Hamburg that use of Zoom Inc.’s on-demand version violates the European Union’s General Data Protection Regulation (GDPR).

The violation stems from the Senate Chancellery’s transmission of personal data to the United States when using Zoom, which failed to meet strict conditions under the European Data Protection Board and the GDPR.

The Hamburg Commissioner for Data Protection and Freedom of Information (DPA) issued the warning after the Senate Chancellery failed to respond to repeated concerns about its plans to use the platform. The chancellery also failed to submit additional information as part of a formal hearing with the commissioner that indicated Zoom would meet the necessary requirements. The regulator determined that Zoom does not meet GDPR standards regarding the transfer of personal data to a third country, such as the United States.

The commissioner recommended that the Senate Chancellery instead use Dataport, a video conference tool developed by a German company that adheres to the conditions concerning third-country transmission.

As of Security Management’s press time, the Hamburg DPA said it had no plans for additional formal steps.

United States

Overtime. The U.S. Department of Labor’s Wage and Hour Division recovered more than $70,000 in back wages for 71 Central New Mexico Community College security guards after uncovering overtime violations.

An investigation into the college revealed that guards were required to arrive 15 minutes before the beginning of their shifts for pre-shift briefings; however, they were not paid for that additional time and the time was not recorded by the college, violating the Fair Labor Standards Act.