Legal Report: Attacker of British Dance Studio Handed Life Sentence
Security Management’s Legal Report is a monthly column that highlights the instances where legal matters intersect with the security industry. Our team tracks court cases, new and developing legislation, and regulatory decisions or investigations that affect private organizations and security professionals worldwide.
To share a tip or notify Security Management about emerging legal issues, email Associate Editor Sara Mosqueda at [email protected].
Judicial Decisions
United Kingdom
Knife attack. A British court sentenced Axel Rudakubana, the teenager who killed three girls and injured 10 more people during a knife attack on a children’s dance class, to at least 52 years in prison.
On 29 July 2024, Rudakubana walked into a studio in Southport, England, and began stabbing children and adults. Bebe King, 6, Elsie Dot Stancombe, 7, and Alice Dasilva Aguiar, 9, died from their injuries. Eight more children were injured, as well as two adults who tried to protect the children.
At the time of the attack, Rudakubana was 17 years old. He pled guilty to three counts of murder, 10 counts of attempted murder, as well as other charges.
Now 18, Rudakubana was sentenced to life in prison, but because he was a minor at the time of the attack, the judge could not sentence him to a whole life order. He could be eligible for parole after serving 52 years; however, the judge speculated that it is unlikely Rudakubana will ever be released. (R v. Axel Rudakubana, Liverpool Crown Court, 2025)
United States
Customer protections. A U.S. federal judge decided that a lawsuit alleging Citibank failed to protect customers from online scammers and denied reimbursements to victims can proceed.
In January 2024, New York Attorney General Letitia James filed the suit against Citibank, the third-largest bank in the United States, alleging that it violated the Electronic Fund Transfer Act (EFTA). Citibank asked the court to dismiss the case, claiming that the 1978 law excluded wire transfers.
In his opinion, U.S. District Judge Paul Oetken rejected Citibank’s argument and stated the EFTA was meant to protect consumers from sophisticated frauds because banks are better situated to carry the risks of fraud.
The suit against Citibank was originally filed after scammers stole millions of dollars from customers. The suit accused Citibank of failing to prevent the theft because the bank’s security systems did not spot concerning elements and methods used by the scammers, including phishing, unrecognized devices, and changes to customers’ usernames and passwords. The bank was also accused of forcing customers to sign testimony that limited their ability to recover stolen funds, which in turn allowed Citibank to reject reimbursement claims.
The next court date has not yet been set as of the time of publication. (New York v. Citibank NA, U.S. District Court for the Southern District of New York, No. 24-00659, 2025)
Utility security. A federal jury found Brandon Russell guilty of conspiring with Sarah Beth Clendaniel to attack electrical substations around Baltimore, Maryland.
Russell, the founder of neo-Nazi group Atomwaffen Division, and Clendaniel, who was previously romantically involved with Russell, hoped the attack would result in chaos and terror in Baltimore, where the majority of the population is Black, according to prosecutors. The two were arrested before they were able to carry out their plan—a succession of sniper attacks on the substations that would have significantly damaged the regional power grid.
The jury found Russell guilty of one count of conspiracy to damage an energy facility. His sentencing is scheduled for 17 June.
Although Clendaniel and Russell were charged together, Clendaniel previously pled guilty to planning the attack. In September 2024 she was sentenced to 18 years in prison. (USA v. Clendaniel et al., U.S. District Court for the District of Maryland, No. 23-mj-00401-MJM, 2025)
Gun control. A three-judge panel found that a federal ban on handgun sales to individuals aged 18 to 20 years old is unconstitutional.
The suit was filed by Caleb Reese and Emily Naquin (who at the time of filing were both between the ages of 18 and 21), who were joined by the Firearms Policy Coalition, the Second Amendment Foundation, and the Louisiana Shooting Association. The plaintiffs challenged the constitutionality of the ban, which is enforced by the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF).
The judges for the U.S. Fifth Circuit Court of Appeals said that the ban violates the Second Amendment, rejecting the government’s arguments that the restrictions were similar to restrictions on the same ages in the 18th and 19th centuries.
The case is likely to be appealed and then considered by the Supreme Court. (Reese v. Bureau of Alcohol, Tobacco, Firearms, & Explosives, U.S. Fifth Circuit Court of Appeals, No. 23-30033, 2025)
Discrimination. To settle a lawsuit filed by Students Against Antisemitism, Harvard University agreed to adopt a broader definition of anti-Semitism when dealing with discipline cases and its nondiscrimination policies. The amended definition will now align with that of the International Holocaust Remembrance Alliance.
The school also agreed to hire an administrator to advise on all complaints pertaining to anti-Semitism, prepare a public annual report that details Harvard’s response to discrimination or harassment, host an annual symposium focused on anti-Semitism at American universities, and provide training to students and staff on recognizing and combatting anti-Semitism. (Alexander Kestenbaum and Students Against Antisemitism, Inc., v. President and Fellows of Harvard College, U.S. District Court for the District of Massachusetts, No. 24-cv-10092-RGS, 2025)
Harvard entered into a separate confidential settlement agreement with the Louis D. Brandeis Center for Human Rights Law and the center’s Jewish Americans for Fairness in Education. The settlement was similar to the one with Students Against Antisemitism in that the university agreed to use the broader definition of anti-Semitism in the school’s nondiscrimination policies and will hire a consultant to assist with anti-Semitism complaints.
Excessive force. The city of Minneapolis, Minnesota, agreed to a $600,000 settlement with a woman who claimed that a former police officer pinned her to the ground and kneeled on her back in 2020.
Patty Day alleged that the former officer, Derek Chauvin, pulled her out of her minivan on 17 January 2020, after Chauvin and another officer were responding to a 911 call about an intoxicated driver. Day admitted that she had been intoxicated and argued with the officers (although the drunken driving charge against her was later dropped). After Chauvin pulled Day out of the vehicle, he forced her on the ground, pinned her down by pressing his knee against her back, and handcuffed her.
This agreement, which was reached in February 2025, means that the city has had to pay more than $36 million in settlements concerning Chauvin’s actions while he served as an officer.
Chauvin used a similar move on George Floyd, which resulted in Floyd’s death. Chauvin is currently serving out a 22-year and six-month prison sentence for Floyd’s murder. (Patricia Dawn Welch Day v. Derek Chauvin et al., U.S. District Court for the District of Minnesota, No. 24-cv-01862, 2025)
Legislation
United States
Deportation. President Donald Trump enacted the Laken Riley Act (PL 119-1) in January 2025. The law expands the list of people who can be arrested, detained, and deported by federal immigration enforcement.
The law instructs federal officers to hold and deport anyone charged with certain criminal offenses who also entered the United States illegally. These charges include minor theft or shoplifting, assaulting a law enforcement officer, or crimes that result in the death or serious injury of another. Previously, officials would wait until after someone is convicted of the crime before considering deportation.
The administration also reversed policies that had placed limits on where arrests of migrants could occur. Previously, immigration enforcement had avoided carrying out arrests at churches, hospitals, and schools.
Regulations
U.S. States
Cybersecurity. New York’s Department of Financial Services (DFS) reached a $2 million settlement with PayPal. The financial technology company, which manages an online payment system, was accused of violating the state’s cybersecurity regulations, specifically in the company’s actions regarding a 2022 data breach.
Between 6 and 8 December 2022, cyber attackers conducted a large-scale credential stuffing attack, resulting in a breach of 35,000 accounts. The attack exposed users’ full names, birth dates, physical addresses, Social Security numbers (SSNs), and individual tax identification numbers. PayPal did not disclose the breach until 2023.
According to the DFS, PayPal exposed customer data through an error in how it distributed IRS Form 1099-Ks to its customers.
“The teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes,” the DFS said in a press release. “As a result, they failed to follow proper procedures before the changes went live. This allowed cybercriminals to leverage compromised credentials to access Form 1099-Ks, which included sensitive customer data, including SSNs.”
During the DFS’s investigation into the breach, it also determined that the company failed to implement and maintain written policies that address access controls, identity management, and customer data, as well as failing to require customers to use multifactor authentication.
Since the investigation, PayPal has remediated these issues and improved its cybersecurity practices, according to the DFS.
Also of Interest
Security Management tracks court cases, bills, laws, and regulatory issues that impact the security industry. Here are some of the stories that are of current interest.
Artificial intelligence. The United Kingdom plans to become the first nation to create legislation that criminalizes using AI tools to generate images of child sexual abuse. UK Home Secretary Yvette Cooper announced that four measures will be introduced as part of the Crime and Policing Bill. The measures ban the possession, creation, or distribution of AI tools designed to create child sexual abuse materials; ban possession of manuals that instruct how to use AI to sexually abuse children; introduce a new charge against people who create websites designed for people to share child sexual abuse content or advice on grooming children; and give the Border Force the power to force an individual they reasonably suspect of posing a risk to children to unlock digital devices for inspection.
Data collection. Texas filed a suit against Arity, a subsidiary of insurance provider Allstate, alleging that the company collected data about drivers’ behavior through mobile phone apps, which in turn led to drivers’ insurance rates increasing.
Hate crime. Three men were accused of fatally drugging and robbing two men who patronized gay bars and nightclubs in 2022 in New York City.
Misuse of AI. Microsoft filed a lawsuit against a group of hackers who breached the company’s servers to create unsafe AI content. The suit alleges that the group, which consists of 10 defendants, violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and federal racketeering laws.
Money laundering. The U.S. Treasury Department filed an appeal and a motion for stay against an Eastern District of Texas injunction regarding the enforcement of the Corporate Transparency Act’s filing deadline for businesses to provide a beneficial ownership information report. The department said that if the stay is granted, it would extend the filing deadline for 30 days, during which time the department would determine if certain entities should be excluded from the filing requirements (it remains unclear which companies would be excluded or considered a lower risk). The act is an anti-money laundering law meant to oppose terrorist financing, seize drug trafficking proceeds, and identify any illicit assets belonging to sanctioned entities that are in the United States. Appeals arguing against the constitutionality of the law are also currently pending in the Fourth, Fifth, Ninth, and Eleventh Circuit courts.
Ransomware. U.S. Congressmen Zach Nunn (R-Iowa) and Josh Gottheimer (D-New Jersey) introduced a bill (HR 9315) that would direct the U.S. Secretary of Treasury to deliver a report on the state of collaboration between federal agencies and private financial entities, hoping to improve coordination between the two sides.