CHAPTER 1

Part V

SECURITY REGULATION IN THE

UNITED STATES

1. POLICY AND PERCENTION

Before the September 11, 2001, terror attacks, security regulation focused mainly on preventing
convicted criminals from working as security officers. Since then, concerns over terrorism,
major financial frauds, and a worldwide recession have led to greater interest in security
regulation, whether self-imposed or government-mandated. For example, in 2004, Congress
passed the Private Security Officer Employment Authorization Act (PSOEAA), which states
that ‘‘the threat of additional terrorist attacks requires cooperation between public and private
sectors and demands professional, reliable, and responsible security officers for the protection
of people, facilities, and institutions.’’ The fact that much of the nation’s critical infrastructure
is in private hands adds to the POSEAA’s importance.

A notable review of regulation in the security industry observes (McGinley, 2007):

The growth of the security industry is an important factor in justifying regulation. Since the
1970s, private security personnel have outnumbered public law enforcement officers. In 1990,
for example, private security employed 1.5 million people and spent $52 billion per year, while
public law enforcement employed 600,000 and spent $30 billion per year. These gaps have only
widened in recent years and it is now estimated that private security outnumbers public law
enforcement by at least three to one. According to market analysts, this trend will continue. The
international demand for private security services is expected to grow at a rate of 7.7 percent per
year through 2008. In short, private security is increasingly responsible for the protection of

Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09) 1-V-1

UNITED STATES/Part V
SECURITY REGULATION

people, places and assets; yet, little consideration was given to its role in national security prior
to 9/11.

A related concern is the possibility of a lawsuit based on a negligent hiring decision and lack
of due diligence in the hiring process. Negligent hiring litigation has been described as the
fastest-growing area of employment litigation, with plaintiff verdicts averaging $3 million
(Rosen, 2008). Public oversight of private security has also become an issue given the increased
use of contract private security officers by the Federal Protective Service.

In general, regulation of businesses and private activities is justified under the general police
powers of the government. Because security business is usually local in nature (despite the
existence of national security service companies), the most appropriate level of government
for administration of regulatory provisions is the state or municipality.

To exercise its general police powers constitutionally, federal or state government must
establish that some aspect of the public welfare is involved and that unregulated activity in
the field under consideration would likely harm some or all of the public. As workplace
violence, terrorism, and other attacks continue, the public perception of the need for govern-
ment regulation increases, leading agencies to act.

2. SELF-REGULATION
One way to regulate the industry is through the creation of national guidelines and standards
by which security professionals can be judged.

2.1 SECURITY INDUSTRY STANDARDS AND GUIDELINES

The terms guideline, suggested practice, recommended practice, and model statute have been
used in the absence of actual laws and because of a prior reluctance on the part of many
industry groups to go on record as promoting specific, legislated standards. Concerns include
the liability that may accrue to the group publishing them and the likelihood that more
complex and restrictive requirements might grow out of initial standards. However, ASIS has
been allowed to develop guidelines with government-legislated limits to its liability in certain
circumstances.1

1
The ASIS guidelines program has received a Designation award under the Support Anti-terrorism by Fostering Effective
Technology Act of 2002 (the SAFETY Act) from DHS. That designation limits the designee’s liability for acts arising from
the use of guidelines in connection with an act of terrorism and precludes claims of third-party damages against
organizations using guidelines to prevent or limit the scope of terrorist acts. See http://www.asisonline.org/guidelines/
guidelines.htm.

1-V-2 Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09)

 UNITED STATES/Part V
SECURITY REGULATION

After September 11, 2001, ASIS began working diligently to develop standards with other
groups (ASIS, 2010):

ASIS had previously chosen not to promulgate guidelines and standards, but world events have
brought to the forefront the need for a professional security organization to spearhead an initiative
to create security advisory provisions. By addressing specific concerns and issues inherent to
the security industry, security guidelines and standards will better serve the needs of security
professionals by increasing the effectiveness and productivity of security practices and solutions,
as well as enhancing the professionalism of the industry.

ASIS has been a leader in developing standards and best practices, often in conjunction with
state and federal legislative initiatives. As of late 2009, the organization was working to develop
several such documents, including Organizational Resilience: Security, Preparedness, and
Continuity Management Systems—Requirements with Guidance for Use; Facilities Physical
Security Measures Guidelines, and American National Standard for Workplace Violence Preven-
tion and Intervention.

The federal government, too, is focusing on security standards. As the name suggests, the
Department of Homeland Security (DHS) Voluntary Private Sector Preparedness Accreditation
and Certification Program (known as PS-Prep) is designed to promote, not require, nationwide
resilience in an all-hazards environment by encouraging private-sector preparedness. The
program will provide a mechanism by which a private-sector entity may be certified by an
accredited third party as conforming to one or more preparedness standards adopted by
DHS. However, ASIS notes that third-party certification can be a barrier to small- and medium-
sized businesses working to improve preparedness, and it favors a system in which businesses
that want certification are not forced to choose from a set list of standards but can develop
voluntary standards that work best for their organization.

2.2 CASE STUDIES IN SELF-REGULATION FAILURE

Sometimes a lack of—or failure of—standards in a particular industry can lead to calls for
government regulation. Michael (2006) explores two industries where a failure to follow
standards or self-regulate resulted in a failure that convinced the public that government
regulation was needed:

● Airport security. The Pan Am 103 bombing in 1988 represented a shift in terrorism
strategy—from hijacking a plane to fly to another country to bombing for its own sake.
In 1996, the government chartered the Commission on Aviation Security and Safety to
study the problem and recommend solutions. After the 9/11 terror attacks, security
focused more on airline employees, enhanced passenger and baggage screening, and
reassignment of authority. Terror tactics showed that ‘‘terrorists no longer want to sit

Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09) 1-V-3

UNITED STATES/Part V
SECURITY REGULATION

at the table, they want to blow it up and everyone at it’’ (White, 2002). Aircraft themselves
had become weapons of mass destruction.

What followed was the new Transportation Security Administration (TSA). While most
airports use TSA-employed screeners, TSA also offers the Screening Partnership Program,
through which an airport operator may apply to have security screening conducted by
personnel from a qualified private contractor working under federal oversight. At the
same time, each airport has a federal security manager with overall responsibility for
screening. Such a hybridized system of control and oversight will be interesting to study
to determine its acceptance, effectiveness, and receptivity to private interests.

● Publicly traded companies. Major scandals involving publicly traded companies, such as
Enron, WorldCom, and Arthur Anderson LLP, have fueled distrust of corporate accounting
practices and ethics. One result was the Sarbanes-Oxley Act (2002). The act did not
replace the private accounting profession with a federal staff, but it did establish an
oversight board that is under tight government control and that wields governmental
authority (Michael, 2006). Many security professionals are aware of the act’s effect on
physical security systems and audits.

Efforts to regulate the entire security industry suffer from a lack of uniform momentum.
Despite calls for regulation in the 1970s, 1980s, and 1990s, little regulation has been instituted.

3. GOVERNMENT REGULATION
The form of government regulation is usually determined by whether the primary objective
is control of the activity or the raising of revenue through taxation.

Control-oriented regulations tend to address screening, oversight, and review procedures. In

revenue-based laws, the chief thrust is to identify the firms or persons engaged in the defined
activity, require payment of license and renewal fees, and provide penalties for those engaging
in the defined activities without payment of required fees.

Early regulatory statutes tended to deal exclusively with persons offering security services to
the general public. State legislatures and local municipalities were persuaded that without
regulation, such persons might be unqualified and might cause injury or harm to clients and
others. In a New York State case (Shorten v. Millbank, 1939) construing the purpose of that
state’s licensing and regulatory statute, the court held that ‘‘[p]rovisions of this section...are
for the protection of the public at large and to prevent from engaging in that business
disreputable, incompetent persons who would prey upon the public.’’

1-V-4 Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09)

 UNITED STATES/Part V
SECURITY REGULATION

Today, security regulation varies widely among the states. Although nearly all statutes define
the regulated service or activities, the period for which any license issued will be valid, the
license fee, and the penalties for engaging in the regulated business without registration, they
differ on other provisions. The following are other requirements they may specify, with the
most common listed first:

● age, citizenship, and experience standards

● good character

● lack of felony or specified misdemeanor convictions

● lack of material omissions or falsehoods in the application

● lack of previous conviction for operating without a license

● not being a public law enforcement officer

● not having been dishonorably discharged from U.S. military service

● lack of current mental illness

Many government bodies that regulate security services also require evidence of financial
responsibility, usually a bond, to ensure faithful and proper performance.

3.1 EARLY REGULATORY HISTORY

In 1972, the Rand Corporation conducted the first systematic review of regulation of the private
security industry in the United States, performed under contract from the Law Enforcement
Assistance Administration (LEAA) of the U.S. Department of Justice. Given the lack of standard
qualifications, along with weak personnel selection practices, little training, poor supervision,
high turnover, and abuses of authority, the authors made the following recommendations
for improving and upgrading the security industry (Kakalik & Wildhorn, 1972):

● Government regulation should be applied as uniformly as possible.

● Regulation should be at the state level.

● Directors and managers of in-house security services as well as owners and managers
of contract security services should be licensed.

● All employees of both proprietary and contract security organizations should be registered
by the state.

● Each licensee and registrant should meet minimum standards or qualifications (which
could vary among types of licensees and registrants).

Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09) 1-V-5

UNITED STATES/Part V
SECURITY REGULATION

● State regulatory agencies should conduct background investigations of each applicant

for a license or registration (i.e., for all security employees, proprietary and contract),
including a criminal records check and prior employment verification for a period of
seven years.

● All new applicants for licensing and registration should have completed high school or
its equivalent or must pass a special literacy test.

● Experience in private security should be required before a license is granted. A bachelor’s

degree (or higher) should be permitted to substitute for some of the experience require-
ment. Law enforcement experience may be a substitute for the security experience
requirement.

● Licensees should meet a minimum bond or insurance requirement.

● State agencies should require minimum training programs for all types of private security
personnel.

● Separate training programs should be required for different security positions, such as
guard, investigator, polygraph operator, and central station alarm responder.

● Instructors’ schools should be accredited by the state regulatory agency.

● Currently employed security personnel should be given one year to meet the training
requirements.

● Private security personnel should be prohibited from carrying concealed firearms while
on duty. Company-furnished weapons should remain on company property during
off-hours.

● Statutory liability should be imposed on private security businesses for weapons abuses
by their employees against private citizens.

● Regulatory agencies should have the authority and resources to spot-check private secu-
rity records and operations.

● Local police and insurance companies should forward to the regulatory agency any
information coming to their attention involving major complaints or incidents involving
security personnel.

● Prior criminal convictions related to potential abuses in private security should be a

basis for denying registration or licensing.

● Evidence obtained by illegal search by private individuals should be subject to suppres-

sion either on a per se basis (as is the case for evidence illegally seized by law enforcement
personnel) or ad hoc, with the judge or magistrate weighing the equities.

1-V-6 Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09)

 UNITED STATES/Part V
SECURITY REGULATION

● Uniformed private security personnel should be forbidden to engage in interrogation or

interviewing.

● Jurisdictions should regulate the color and style of private security uniforms, as well as
the use of police titles by private security personnel.

● Any firm hiring the services of an independent security contractor should be held liable
for any negligent failure to control the contract staff.

● The federal government should consider funding a research center to evaluate the effec-
tiveness of private security personnel. Its findings should be included in an overhauled
statistical reporting system to be maintained by the insurance industry.

Many of the recommendations were later incorporated into the PSOEAA. Debate over their
usefulness continues.

At the time of the study, existing state regulations dealt with guards and investigators offering
services to the public. Control of proprietary security forces, i.e., those working for a single
employer, did not come until much later and is still not the rule.2

3.2 REGULATORY METHODS

Jurisdictions use two different methods for regulating security activity. One requires the
licensing of the primary controlled business. The individual or corporate applicant must
typically apply for and obtain a license before engaging in the regulated activity.

The second method applies to the licensing or registration of employees of the business other
than those named on the original application. Registration of such employees is required
upon employment and consists of filing their name and other identifying data, usually finger-
prints, with the appropriate agency. The employee may also need to provide a personal
history statement and generally must answer questions concerning prior criminal convictions.
Specific details vary among regulatory bodies. The least that is typically required where
regulatory requirements exist is the filing of the individual’s name and submission of finger-
prints. In most cases, the employee can work provisionally in security assignments pending
return of the completed file check from the regulatory agency. In some locales this process
can take several months and may not involve any express communication. A lack of reply
from the regulatory body is deemed to indicate a lack of disqualifying information.

The problem of long delays in checking applicants for security positions is serious and has
resulted in harm to clients or third parties by unsuitable security employees. Lack of a

2
Legislative tracking and advocacy regarding security regulation is done by such groups as the National Fire Protection
Association, National Burglar and Fire Alarm Association, National Association of Security Companies, and ASIS.

Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09) 1-V-7

UNITED STATES/Part V
SECURITY REGULATION

requirement for an express communication from the regulatory agency can result in lost or
strayed disqualification notices and indefinite retention of unacceptable employees.

3.3 REGULATED INDUSTRY SECTORS

One challenge in assessing the state of regulation is the lack of a standard method of categoriz-
ing the industry’s various sectors. However, in general, state and local regulations tend to
use the following categories:

● Security officers (guards and guard services): contract security officers and the agencies
that employ them. Proprietary officers are often exempt from statutes and ordinances.
This category typically includes armored car personnel.

● Armed versus unarmed security officers: those that carry or do not carry firearms. Armed
and unarmed security personnel may need to meet different requirements. Separate
records may be maintained.

● Private investigators: firms or people offering investigative services for a fee. Executive
protection personnel, if addressed, may fall under this category.

● Alarm companies: firms and personnel that design, sell, install, service, and monitor
fire and intrusion alarm systems.

● Guard dogs: canines to protect property. Regulations may cover their licensing, care,
handling, and use. Animals specifically trained for drug or bomb detection are typically
regulated by a separate division of government.

Some government agencies also have license requirements for polygraph operators,3 consul-
tants, process servers, locksmiths, repossession agents, claims adjusters, bouncers, motorcade
escorts, and special police. Special police are generally private security personnel with limited
authority to act as police or peace officers in some area of their employment, such as a private
residential community.

3.4 FEDERAL REGULATION

The federal regulatory efforts described below (mostly failed) illustrate the trend toward
regulation on a national scale:

3
Aside from polygraph licensing statutes, many states have statutes prohibiting or limiting the use of the polygraph as a
condition of employment or continued employment. The most significant polygraph legislation yet passed is the federal
Employee Polygraph Protection Act of 1988 which sharply limited polygraph use by private employers.

1-V-8 Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09)

 UNITED STATES/Part V
SECURITY REGULATION

● Security Officers Employment Standards Act of 1991, S. 1258. Introduced by then-

Senator Al Gore, it attempted to introduce basic hiring and training requirements for
the security industry. The bill was killed.

● Security Officers Quality Assurance Act of 1992, HR 5931. Introduced by Representative

Matthew Martinez of California, this legislation, now dead, broke new ground by propos-
ing that regulations apply to all security personnel, whether employed by security contrac-
tors (thus contract security officers) or other employers (proprietary security officers).

● Private Security Officer Quality Assurance Act of 1993, HR 1534. Introduced by Represen-
tative Matthew Martinez of California, this bill did not pass either, but like its predecessors,
its intent was to require states to ensure the quality of security services and the compe-
tence of private security officers. Compliance with the bill was to be a requirement for
eligibility to receive certain federal funds.

● Private Security Officer Quality Assurance Act of 1995, HR 2092. Introduced by Represen-
tatives Bob Barr of Georgia and Matthew Martinez of California, this never-passed bill
was intended to expedite state reviews of criminal records of applicants for private
security officer employment. The bill also suggested employer licensing, classroom and
in-service training, and state reciprocity. The bill was characterized as a ‘‘Sense of Con-
gress,’’ meaning it would not be binding even if passed but that Congress thinks it is a
good idea.

Companies desiring to conduct thorough background inquiries are often hindered by

the lack of information available to the private sector through the states. Matching
fingerprints with criminal records maintained by the FBI is one of the most efficient
means of conducting checks, but it may take as long as 18 months in some states,
according to the bill’s sponsors. Under the proposed legislation, the FBI would send
results of record checks to the appropriate state regulator. This provision effectively
limited the process to states with security regulation, as only they would have state
security regulators.

● Law Enforcement and Industrial Security Cooperation Act of 1996, HR 2996. This never-
passed bill was intended to create a commission to encourage cooperation between
public sector law enforcement agencies and private sector security professionals to
control crime.

The commission’s purpose would be to examine existing public-private cooperation

and, through consultation with leading authorities in law enforcement, private security,
criminal justice, and business, improve or develop new models that promote cooperation.
The commission would be specifically charged with analyzing federal, state, and local
statutes that either enhance or inhibit cooperation between public law enforcement

Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09) 1-V-9

UNITED STATES/Part V
SECURITY REGULATION

and private security and recommending changes to such laws that would enhance
cooperation between public-sector law enforcement agencies and private-sector security
professionals. The commission would have a life of two years and would be required to
submit a closing report of its actions and recommendations.

● Private Security Officer Employment Authorization Act of 2004. This law, enacted as
Section 6402 of the Intelligence Reform and Terrorism Prevention Act of 2004, authorizes
a fingerprint-based check of state and national criminal history records to screen prospec-
tive and current private security officers. The bill is intended to provide security employers
with access, through the states, to the FBI national criminal history record database. It
requires written consent from employees before such searches and employee access to
any information received, and it establishes criminal penalties for the knowing and
intentional use of information obtained through criminal history record searches for
purposes other than determining an individual’s suitability for employment as a private
security officer. In practice, the states have been very slow to establish systems to facilitate
this process.

In the future, federal bills focused on developing an environment of cooperation could possibly
include regulation of the industry as a whole or of security officers specifically, but the
historical direction has been to leave legislation to the states.

3.5 STATE REGULATION

The current regulatory climate at the state level is extremely fluid, with differing legislation
being introduced or amended continually. While the majority of states regulating the industry
focus their statutory requirements on security officers, security agencies, and private investiga-
tors, particular states may address one sector and not another. Moreover, states that regulate
contract security officers may or may not exempt proprietary officers. Other states may
regulate only alarm companies.

Another complication is that one division of state government may regulate security officers,
while another regulates private investigators, each imposing different requirements. States
also vary in how they carry out the licensing process. In some states with a state licensing
requirement, a business must initiate its license request with the municipality in which
it operates.

When inquiring whether a state regulates the security industry, a security manager should be
specific and check closely how regulations are applied. Practitioners should check regulatory
bodies in the state where they do business for the most up-to-date information affecting
their specific type of business. Until the states adopt uniform regulatory practices, nothing
should be assumed.

1-V-10 Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09)

 UNITED STATES/Part V
SECURITY REGULATION

3.6 LOCAL ORDINANCES

In the absence of federal or state licensing and regulation, many municipal governments
have adopted local ordinances. The result is a multitude of often redundant licensing require-
ments, with no reciprocity from one municipality to another. For contract agencies, the cost
and administrative burden of meeting several sets of licensing requirements within a single
metropolitan area are substantial and may seriously disadvantage smaller security providers.
In some communities, licensing ordinances are of limited regulatory value and amount to
little more than revenue schemes. Criminal history checks conducted by some municipal
agencies are limited to local records, ignoring state and federal databases that might list
disqualifying convictions. As is the case with state regulatory requirements, practitioners
should check municipalities where they do business for the most up-to-date information
affecting their specific type of business.

One other type of legislative approach to regulation of security can be found in local crime
prevention codes. These typically prescribe elements of physical security, such as the kinds
of locks to be used; the means of securing windows; control of ingress via transoms, roofs,
and other points of entry; secure storage containers; and alarm systems. Such codes may
establish minimum requirements for residential or commercial properties or both. Enforce-
ment is indirect—by way of a business’s or homeowner’s inability to obtain casualty insurance
against crime losses unless in compliance with the local ordinance.

The future of regulation in the security field will likely involve joint efforts by ASIS, other
private-sector stakeholders, and government bodies to provide for a safe, secure, and profitable
environment.

Protection of Assets • Copyright © 2009 by ASIS International (Rev. 12/09) 1-V-11