[BreachExchange] OSHA Portal’s Data Breach Raises Concerns

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 31 19:52:16 EDT 2017


https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/osha-portal-data-breach.aspx

Employers subject to the Occupational Safety and Health Administration's
(OSHA's) new electronic reporting requirements are nervous about filing
with the government following a potential data breach. The breach, reported
by Bloomberg BNA, resulted in OSHA temporarily suspending its portal for
submitting injury data within two weeks of its launch on Aug. 1. While
OSHA's portal is now back up, employers distrust the agency's ability to
safeguard confidential information from hackers, raising questions about
whether the electronic reporting requirements—under review by the Trump
administration—should be scrapped.

"While we do not know the details of the security incident or what company
information was compromised, it is unsettling for employers that a security
incident occurred that was significant enough that it required the site to
be shut down," said Lillian Moon, an attorney with Akerman in Orlando.

"This incident might be cited as one reason for rescinding the rule if the
new administration decides to do so," said Jamie LaPlante, an attorney with
Porter Wright Morris & Arthur in Columbus, Ohio.

Electronic Filing Requirements

Establishments with 250 or more employees must file the Form 300A summary
of illnesses and injuries electronically by Dec. 1. By July 2018, they will
also have to file the more detailed Forms 300 and 301 in addition to Form
300A, unless the Trump administration revises the requirements.

All employers with 20 to 249 employees in industries that OSHA considers to
be highly hazardous also will have to provide the illness and injury
information in their OSHA 300A summary reports electronically. Affected
employers include those in construction, manufacturing, furniture stores,
grocery stores, hospitals, nursing homes, museums and amusement parks, Moon
noted.

Previously, employers had been required to prepare their OSHA logs, post
them at the workplace for employees and unions to examine, and keep them in
HR files for five years. The only time they shared the information with
OSHA was if there was an active inspection or if they were asked by the
Bureau of Labor Statistics or OSHA to participate in annual injury surveys,
noted Eric Conn, an attorney with Conn Maciel Carey in Washington, D.C. A
randomly selected, rotating set of employers participated in the surveys.
He said that even if employers had to participate, historically they were
sharing only their 300A forms. Now under the electronic rule, employers
will have to show their data every year, unless the requirements are
rescinded. Conn thinks they may be scaled back with just the 300A summary
information being required and not the full 300 or 301.

There's nothing to be gained in submitting data early, he said,
recommending that employers wait until late November to submit their 300A
data.

OSHA's Case for Gathering the Information

However, Deborah Berkowitz, a senior fellow with the National Employment
Law Project in Washington, D.C., and former OSHA chief of staff in the
Obama administration, said, "The idea that OSHA should not have any of this
information is ridiculous." How will OSHA know where to best marshal its
resources, she asked, if it does not have injury and illness information?

She said that the agency has received all sorts of data and kept it
confidential for decades. "I have complete faith in OSHA," she said, adding
that the information it is gathering "is very important to the agency to
target the most dangerous workplaces in the United States." The agency does
not want to go where there are no violations and everything is fine, she
said.

"OSHA does not have a lot of resources. It has to prioritize," she noted.

Misused Information

But Moon cautioned, "The injury and illness reports are not meant to be a
measuring stick as to safety levels at a company. The general publication
of the information would allow OSHA and anyone else who obtains it through
OSHA's publication to embarrass, shame or tarnish a company's image based
on incomplete information."

Moon added that while only summary information will be entered into the
system initially, in 2018, employers will have to input detailed log and
incident report information, which includes: employee names, addresses,
dates of birth, dates of hire, physician or health care provider names, job
titles, dates of injury, where the events occurred, and descriptions of the
injuries or illnesses. "This is the very type of information that is
valuable on the black market for identity theft purposes," she said.

Matthew Deffebach, an attorney with Haynes and Boone in Houston, said,
"OSHA has promised to scrub personal identifiers from this information, but
a data breach could expose such information residing in OSHA's database."
He added that the recent glitch "calls into question OSHA's ability to
properly remove the personally identifiable information in the first
instance."