In late June, we notified our readers that OSHA had again delayed the compliance date for electronically submitting injury and illness reports. Notwithstanding the ongoing delays, this regulation has charitably been described as a political hot potato.
On August 21, 2017, the Department of Homeland Security (DHS) informed OSHA that its Injury Tracking Application (ITA) had been breached, and its data potentially compromised. In fairness, OSHA 300 logs should not contain employee names or other Personally Identifiable Information (PII), but any data breach of a government database is concerning.
As of August 25, 2017, OSHA declared that DHS was incorrect and that no ITA information had been compromised. According to OSHA, the National Information Technology Center performed a “complete scan” and confirmed that the ITA portal had not been breached. (The ITA portal was out of commission during the fourth week of August, presumably while the scan was performed, but is up and running as of today.)
Notwithstanding the absence of an actual breach, the fact that the ITA portal was believed to have suffered a breach raises concerns as to whether the data is properly protected, and adds credence to the concerns about misuse and manipulation of the portal’s data.
Historically, OSHA-regulated employers have been required to maintain injury and illness records on OSHA 300 Logs, under the theory that this requirement helps employers identify hazards and minimize future injuries and illnesses. Then-OSHA Assistant Secretary Dr. David Michaels claimed that “high injury rates are a sign of poor management, no employer wants to be seen publicly as operating a dangerous workplace.”
Dr. Michaels’ vision for the public having access to employer data was to “nudge employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers and the public that they operate safe and well-managed facilities.” Ironically, OSHA’s internal injury and illness statistics from 2014-2016 suggest that Dr. Michaels may be throwing stones inside a glass house.
It is unclear whether this benefit was ever achieved, because the reporting data was historically provided to OSHA only if requested during an inspection. One of the major concerns with the new regulation is OSHA’s stated desire to make individual establishment injury and illness data available to the public.
Industry stakeholders understandably have significant concerns with making their OSHA 300 logs available to the public. Sadly, the stakeholders’ concerns appear to have merit. At this juncture, it is unclear what prompted DHS to assess that the portal had been breached, and it is unclear what added protections OSHA is putting in place to protect data that is submitted through the ITA portal. Today, it appears that the data breach assessment was a false alarm. However, there is no guarantee that OSHA’s existing data security measures can safeguard employers’ future submissions from attack, as the data breach of the Office of Personnel Management’s (OPM) servers demonstrated.
Data that is compromised in a breach is subject to manipulation, misuse and misinterpretation by activists, competitors and criminal enterprises. These risks are the next iteration in cybersecurity threats. In public appearances and congressional testimony over the last two years, national security and intelligence experts have commented on hackers who do not just steal data but alter it, and on the threat that data manipulation poses to large segments of corporate America. Admiral Michael Rogers, Director of the National Security Agency, went so far as to ask, “What happens if the digital underpinning that we’ve all come to rely on is no longer believable?” Employers have good reason to worry about sharing electronic data simply because an agency thinks doing so will alter human behavior.
Our Data Privacy, Security & Breach Response group offers a deep understanding of information compliance, risk, and value, and often coordinates responses to data breaches similar to what the ITA portal was believed to have experienced. In light of the breach at OPM that involved government employee data, it is reasonable to ask whether private sector employers – and their respective Officers/BODs – must now consider their fiduciary obligations to protect company data (employee info) when complying with OSHA’s expectation or making another disclosure to the government.