In late June, we notified our readers that OSHA had again delayed the compliance date for electronically submitting injury and illness reports.  Notwithstanding the ongoing delays, this regulation has charitably been described as a political hot potato.

On August 21, 2017, the Department of Homeland Security (DHS) informed OSHA that its Injury Tracking Application (ITA) had been breached, and its data potentially compromised.  In fairness, OSHA 300 logs should not contain employee names or other Personally Identifiable Information (PII), but any data breach of a government database is concerning.

As of August 25, 2017, OSHA declared that DHS was incorrect and no ITA information was compromised.  According to OSHA, the National Information Technology Center performed a “complete scan” and confirmed that the ITA portal was not breach.  (The ITA portal had been out of commission during the fourth week of August, presumably while the scan was performed, but is up and running as of today.)

Notwithstanding the absence of an actual breach, the fact that the ITA portal was believed to have suffered a breach raises concerns as to whether the data is properly protected, and adds credence to the concerns about misuse and manipulation of the portal’s data.

Historically, OSHA-regulated employers must maintain injury and illness records on OSHA 300 Logs, under the theory that this requirement helps employers identify hazards and minimize future injuries and illnesses.  Then-OSHA Assistant Secretary Dr. David Michaels claimed that “high injury rates are a sign of poor management, no employer wants to be seen publicly as operating a dangerous workplace.”

Dr. Michaels’ vision for the public having access to employer data was to “nudge employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers and the public that they operate safe and well-managed facilities.” Ironically, OSHA’s internal injury and illness statistics from 2014-2016 suggest that Dr. Michaels may be throwing stones inside a glass house.

It is unclear whether this benefit was ever achieved because the reporting data was provided to OSHA if requested during an inspection. One of the major concerns with the new regulation is OSHA’s stated desire to make individual establishment injury and illness data available to the public.

Industry stakeholders understandably have significant concerns with making their OSHA 300 logs available to the public. Sadly, the stakeholders’ concerns appear to have merit.  At this juncture, it is unclear what prompted DHS to assess that the portal had been breached, and it is unclear what added protections OSHA is putting in place to protect data that is submitted through the ITA portal. Today, it appears that the data breach assessment was a false alarm. However, there is no guarantee that OSHA’s existing data security measures can safeguard employers’ future submissions from attack, as seen by the data breach of the Office of Personnel Management’s (OPM) servers.

Data that is comprised in a breach is subject to manipulation, misuse and misinterpretation by activists, competitors and criminal enterprises.  These risks are the next iteration in cybersecurity threats. In public appearances and congressional testimony over the last two years, national security and intelligence experts have commented on hackers who do not just steal data but alter it, and the threat data manipulation poses to large segments of corporate America.  Admiral Michael Rogers, Director of the National Security Agency went so far as to ask “What happens if the digital underpinning that we’ve all come to rely on is no longer believable?” Employers have good reason to worry about sharing electronic data simply because an agency thinks doing so will alter human behavior.

Our Data Privacy, Security & Breach Response group offers a deep understanding of information compliance, risk, and value, and often coordinates responses to data breaches similar to what the ITA portal experienced.  In light of the breach at OPM that involved government employee data , it is a reasonable to ask whether private sector employers – and their respective Officers/BODs – must now consider their fiduciary obligations to protect company data (employee info) when complying with OSHA’s expectation or making another disclosure to the government.

Are older workers more likely to die in workplace accidents? A research fellow studying aging and workforce issues with the Associated Press published an analysis yesterday, reporting that “[o]lder people are dying on the job at a higher rate than workers overall, even as the rate of workplace fatalities decreases.”

Continue Reading Older workers have higher workplace death rate, says AP study

Even without a new Assistant Secretary for OSHA, the Trump Administration has recently deleted numerous Obama-era OSHA plans for workplace safety related rules.  Rules that administration officials have said they plan to overhaul or scale back include: regulations strengthening limits to exposure to beryllium, addressing workplace safety violation in healthcare, and addressing combustible dust and noise in construction.

Several OSHA rulemakings have been changed to “long-term actions,” causing speculation that the administration considers these items to be of low or no priority.  The topics of these rules include emergency response and preparedness, infectious diseases in health care, and cranes and derricks in construction.

Given the Trump administration’s executive order requiring two standards to be removed for every one added, we are speculating that it is not likely OSHA will be adding many new regulations in the near future.

The latest regulatory agenda for OSHA is available here, and a list of completed/discontinued rules is available here.

 

by Henry Chajet and Kaileigh Fagan

With the summer in full swing, employers should remember that the season’s heat and bugs are not just uncomfortable nuisances. They can easily become legal liabilities. In this two-part series, we’ll walk through the hazards and preventive guidance you need to protect your workers and your safety record. Continue Reading Could summer mean itchy, swelling enforcement?