January 2017 - Issue 59

Cal/OSHA Reporting Requirements

Clear as Mud Redux: California Leaves of Absence in the Public Sector

New Social Media Resources

Join Social Media Conversations with the Authority 

Cybercrime: A Rising Concern (Part One of a Two-Part Series)

California's Top Court Says Public May See Government's Legal Bills

Ransom Not Paid

News: Worthy

Cal/OSHA Reporting Requirements

By Jim Gross, Senior Risk Manager, and Alex Mellor, Risk Manager

As we wrote in last month’s newsletter, effective January 1, 2017, Federal OSHA instituted new injury and illness reporting rules that will affect some public agencies. While California employers are not yet required to comply with these rules, there are a host of established rules and regulations related to injury and illness reporting with which California employers must comply.

One of these rules is the annual recording of all work-related injuries and illnesses on Cal/OSHA Form 300 (Log of Work Related Injuries and Illnesses), and the posting of Cal/OSHA Form 300A (Annual Summary of Work Related Injuries and Illnesses) between February 1 and April 30 the following year.

A work-related injury or illness must be recorded if it results in death, days away from work, restricted work or transfer to another job, medical treatment beyond first aid, loss of consciousness or a significant injury or illness as diagnosed by a physician or other licensed healthcare professional. Employers must record any new incidents as well as incidents that aggravate a prior injury.

A copy of Form 300A must also be made available to employees who do not report to any fixed establishment on a regular basis. At the end of the three-month posting period, the Form 300A should be kept on file for five years. If any newly discovered, recordable incidents or changes in classification are noted, the log should be updated.

When privacy is a concern, employee names should not be entered on the Form 300. Instead, “Privacy Case” should be entered in the space reserved for the employee’s name. Privacy concern cases are defined as an injury or illness to an intimate body part or the reproductive system; an injury or illness resulting from a sexual assault; mental illnesses; HIV infection, hepatitis or tuberculosis; needle stick injuries and cuts from sharp objects that are contaminated with another person’s blood or other potentially infectious material; and other illnesses.

Members who participate in the Authority’s Workers’ Compensation Program recently received an email from York Risk Services Group with a partially completed Form 300A and instructions for completing and posting the form. Please follow the instructions in the email and post a copy of the completed form (in a conspicuous location where notices to employees are regularly posted) by February 1, 2017.

If your agency does not participate in the Authority’s Workers’ Compensation Program, Forms 300 and 300A can be obtained from the Cal/OSHA website here: http://www.dir.ca.gov/dosh/etools/recordkeeping/CAStandard/CalStandard.htm.

For more information, please contact Workers’ Compensation Program Manager, Jeff Rush, or your assigned Regional Risk Manager.

News: Worthy

Clear as Mud Redux: California Leaves of Absence in the Public Sector

By Katy A. Suttorp, Monica S. McQueen, and Ulysses L. Aguayo, Esq., Burke, Williams & Sorensen, LLP


While most public employers are familiar with the requirements of California and federal medical leave laws and have at least some understanding of California sick leave law, many are less knowledgeable regarding the numerous other leaves of absence that are provided under California law. Similar to the difficulties we discussed in our prior article, Clear As Mud: California Wage and Hour Laws in the Public Sector regarding applicability of California wage and hour laws in the public sector, California law offers some answers, but also leaves some questions unresolved regarding which, if any, of these additional “other” laws apply to various types of public agency employers.

Accordingly, this article provides an overview of some of the other leaves of absence that public employers may be requested to provide, and identifies the terms for each. Because a number of these laws limit their own applicability based on employer size, we have organized our discussion in order of increasing employer size.


Leave for Victims of Domestic Violence, Sexual Assault, or Stalking

Brief Summary: California Labor Code § 230 et seq. (“Victim Leave”) prohibits employers from discharging, discriminating, or retaliating against an employee who is the victim of domestic violence, a victim of sexual assault, or a victim of stalking, and who takes time off from work to obtain or attempt to obtain any relief, such as a restraining order.[1]

How “Employer” is defined: The statute does not define the term “employer.”

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: There is no express cap on the amount of Victim Leave.

Paid/Unpaid?: Victim Leave is unpaid.[2] However, an employee can choose to use any accrued sick leave when taking leave under this section because Victim Leave is a permitted use of sick leave under the Healthy Workplaces, Healthy Families Act.

Notice/Verification requirements: Employees must give the employer reasonable advance notice of the employee’s intention to take time off, unless the advance notice is not feasible.[3]

School Suspension Leave

Brief Summary: California Labor Code § 230.7 provides that an employee who is the parent or guardian of a pupil can take time off from work to attend a class from which the pupil was suspended, at the request of the pupil’s teacher, in accordance with California Education Code § 48900.1.[4]

How “Employer” is defined: The statute does not define the term “employer.”

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: There is no cap on the amount of time an employee can take off from work pursuant to Section 230.7.

Paid/Unpaid?: Suspension Leave is unpaid. The statute is silent regarding an employee’s use of accrued paid time off.

Notice/Verification requirements: Prior to taking the time off, the employee must give reasonable notice to the employer that he or she is requested to appear at the school under California Education Code §48900.1.

Emergency Duty Leave

Brief Summary: Under California Labor Code Section 230.3, employers must permit an employee who is a volunteer firefighter, reserve peace officer, or emergency rescue personnel to take leave to perform emergency duty (“Emergency Duty Leave”).[5] However, a public safety agency employer or provider of emergency medical services may deny leave if the employee’s absence would impair the availability of public safety or emergency medical services.

How “Employer” is defined: The statute does not define the term “employer.”

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: The statute does not cap the amount of leave.

Paid/Unpaid?: The statute does not specify whether leave is paid or unpaid, or whether employees may use accrued paid time off during their absence.

Notice/Verification requirements: The statute does not describe notice requirements for all employees. However, for an employee who is a health care provider, the employee must notify his or her employer at the time the employee becomes designated as emergency rescue personnel and also when the employee is notified that he or she will be deployed as a result of that designation.[6]

Voting Leave

Brief Summary: Under California Elections Code Sections 14000 and 14001, employers must permit employees to take time off from work to vote in a statewide election if the employee does not have sufficient time to vote outside normal working hours (“Voting Leave”).[7]

How “Employer” is defined: The statute does not define “Employer.” However, Sections 14000 and 14001 specify that they “apply to all public agencies and the employees thereof, as well as to employers and employees in private industry.”[8]

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: Employees may take up to two hours of Voting Leave at the beginning or end of the regular working shift on election day, whichever allows the most free time for voting and the least time off from the regular working shift, unless otherwise mutually agreed with the employer.[9]

Paid/Unpaid?: Voting Leave is paid.[10] The statute is silent regarding an employee’s use of accrued paid time off.

Notice/Verification requirements: If the employee “knows or has reason to believe that time off will be necessary to be able to vote on election day, the employee shall give the employer at least two working days’ notice that time off for voting is desired….”[11]


Organ and Bone Marrow Donation Leave

Brief Summary: California Labor Code § 1508 et seq. provides for Organ and Bone Marrow Donation Leave (“Donation Leave”). Upon conclusion of Donation Leave, the employee must be reinstated to his or her original position, or to a position with equivalent seniority status, employee benefits, pay, and other terms and conditions of employment.[12]

How “Employer” is defined: “Employer” includes “any person, partnership, corporation, association, or other business entity that employs 15 or more employees.”[13]

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: Employers must provide employees up to 30 days in a 12-month period of Donation Leave to donate an organ to another person;[14] and up to five days in a 12-month period of leave to donate bone marrow to another person.[15] Moreover, the statute explicitly provides that Donation Leave does not run concurrently with leave that may be taken under the federal Family and Medical Leave Act or California Family Rights Act.[16]

Paid/Unpaid?: Donation Leave is paid.[17] If employees have accrued paid time off, employers may require employees to use up to five days of paid time off for bone marrow donation, and up to two weeks of accrued paid time off for organ donation.[18] If employees do not have sufficient accrued paid time off, their Donation Leave will still be paid.

Notice/Verification requirements: To receive Donation Leave, an employee must provide written verification to his or her employer that he or she is an organ or bone marrow donor and that there is a medical necessity for the donation of the organ or bone marrow.[19]

Civil Air Patrol Leave

Brief Summary: California Labor Code § 1500 et seq., otherwise known as the Civil Air Patrol Employment Protection Act, requires employers to provide leave for an employee who is responding to an emergency mission of the California Wing of the Civil Air Patrol (“Civil Air Patrol Leave”).[20]

How “Employer” is defined: “Employer” means any person, partnership, corporation, association, or other business entity; or the State of California, a municipality, or other unit of local government; that employs more than 15 employees.[21]

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: Employers must provide at least 10 days per calendar year of Civil Air Patrol Leave.[22] For single emergency missions, protected leave is limited to three days, unless an extension of time is authorized by the governmental entity that authorized the emergency mission, and the extension is approved by the employer.[23] Moreover, employers are not required to grant leave to an employee who is required to respond to either the same or other simultaneous emergency missions as a first responder or disaster service worker for a local, state, or federal agency.[24]

Paid/Unpaid?: Civil Air Patrol Leave is unpaid.[25] The statute is silent regarding use of paid leave during leave, but does specify that an employer cannot require the employee to exhaust accrued vacation leave, personal leave, compensatory leave, sick leave, disability leave, or any other leave, in order to take Civil Air Patrol Leave.[26]

Notice/Verification requirements: An employee requesting Civil Air Patrol Leave must give the employer as much notice as possible of the intended dates upon which the leave will begin and end.[27] An employer may also require certification to verify the eligibility of the employee for the leave requested.[28]


Military Spouse Leave

Brief Summary: California Military & Veterans Code § 395.10 provides for a leave of absence to an employee whose spouse or registered domestic partner is deployed for active military service during a period of military conflict, to spend time with the spouse or registered domestic partner while he/she is on leave from such deployment (“Military Spouse Leave”).[29]

How “Employer” is defined: “Qualified employer” includes any individual, corporation, company, firm, state, city, county, city and county, municipal corporation, district, public authority, or any other governmental subdivision, that employs 25 or more employees.

Eligibility requirements (if any): To be eligible for Military Spouse Leave, an employee must meet the following conditions: The employee must be the spouse of a “qualified member” of the military; the employee must work an average of 20 or more hours per week; the employee must provide notice to his or her employer; and the employee must provide written documentation certifying the spouse's temporary leave from active duty during the time the leave is requested.[30]

Amount of leave: Eligible employees may take up to 10 days of leave for each period during which the spouse or domestic partner is on leave from deployment. The law provides no maximum number of leave periods that may be taken by an eligible employee in any given year.

Paid/Unpaid?: Military Spouse Leave is unpaid. The statute is silent regarding use of an employee’s accrued paid time off during the leave period.

Notice/Verification requirements: The employee must notify his or her employer of the employee's intention to take leave within two business days of receiving official notice that the employee's spouse will be on leave from military deployment; and the employee must provide written documentation certifying the spouse's temporary leave from active duty during the time the leave is requested.[31]

School and Child Care Leave

Brief Summary: California Labor Code § 230.8 provides for School and Child Care Leave. Under Section 230.8, employers must permit an employee who is a parent of one or more children to take time off from work to participate in certain school and child care-related matters, including enrollment, school activities, and emergencies (“School and Child Care Leave”).[32] The definition of “parent” includes “parent, guardian, stepparent, foster parent, or grandparent of, or a person who stands in loco parentis to, a child.”[33]

How “Employer” is defined: The statute does not define the term “employer.”

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: An employee may be limited to eight hours per month for use of School and Child Care Leave to find, enroll, or reenroll a child in a school or with a child care provider, or to participate in activities of the school or child care provider.[34] School and Child Care Leave is capped at 40 hours each year.

Paid/Unpaid?: School and Child Care Leave is unpaid.[35] However, employers may require employees to use accrued vacation, personal leave, or compensatory time off for planned absences.[36]

Notice/Verification requirements: “Reasonable notice” to the employer is required.[37] Employers may require documentation from the school or licensed child care provider as proof that the employee engaged in authorized child-related activities on a specific date and at a particular time.[38]


Emergency Training Leave

Brief Summary: Under California Labor Code Section 230.4, employers must permit an employee who is a volunteer firefighter, reserve peace officer, or emergency rescue personnel to take leave to engage in fire, law enforcement, or emergency rescue training (“Emergency Training Leave”).[39]

How “Employer” is defined: Although the statute does not define the term “employer,” the statute applies to any person or entity with 50 or more employees that also employs one or more “emergency rescue personnel.” Emergency rescue personnel means “any person who is an officer, employee, or member of a fire department or fire protection or firefighting agency of the federal government, the State of California, a city, county, city and county, district, or other public or municipal corporation or political subdivision of this state… whether that person is a volunteer or partly paid or fully paid, while he or she is actually engaged in providing emergency services….”[40]

Eligibility requirements (if any): The statute does not contain any eligibility requirements.

Amount of leave: Emergency Training Leave is limited to 14 days per year to engage in fire, law enforcement, or emergency rescue training.[41]

Paid/Unpaid?: The statute is silent as to whether leave time is paid or unpaid, and regarding an employee’s use of accrued paid time off during the leave period.

Notice/Verification requirements: The statute does not describe any notice requirements.[42]


Overall, it is clear that the California Legislature has provided guidance regarding use of some of these leaves in the public sector but has not provided similar detail for others. Given the uncertainty regarding the applicability of some of these leaves in the public sector, employers are encouraged to raise concerns regarding specific employee requests with legal counsel or their agency’s assigned Risk Manager.

Click here for the full article with citations.

News: Worthy

New Social Media Resources

By Alex Mellor, Risk Manager

In addition to working with members to manage traditional risks faced by public agencies, the California JPIA strives to identify emerging risks and provide members with timely and appropriate resources for managing those risks.

While use of social media platforms is an excellent way for public agencies to engage with citizens, businesses, and other stakeholders, failure to comply with applicable law and regulations can result in costly litigation. This is particularly true when it comes to managing content posted to the agency website and social media sites by third parties.

To assist members with effectively managing this risk, the Authority has revised its existing Social Media Policy Template, and also created a new Social Media Comment and Content Moderation Guide. Intended to be used together, these two resources provide model policies and best practice guidance for managing both employee use of social media on the agency’s behalf, and external visitors (e.g. the public) to the agency’s website and social media sites.

Whether your agency has a social media presence and allows comments, has a social media presence but disables comments, or does not have a social media presence at all (yet), members are encouraged to review these two resources and work with legal counsel to implement policies and procedures that protect the agency from social media related litigation.

It is also recommended that members provide training to employees on their agency’s social media policy. As such, the California JPIA is revising its training entitled Technology and Managing Risks in Email, Internet, Blogs and Cell Phones to be consistent with information provided in the Social Media Policy Template and Social Media Comment and Content Moderation Guide.

To access the new social media resources, please visit the Resources and Documents page of the California JPIA website here.

For questions regarding social media and associated risks, please contact your assigned Risk Manager.

To schedule an offering of Technology and Managing Risks in Email, Internet, Blogs and Cell Phones, please contact Training and Loss Control Specialist, Ryan Thomas.

News: Worthy

Join Social Media Conversations with the Authority

In order to reach new members and better connect with current members, the Authority has an active presence on social media. Members can find information on various topics on the social media channels listed below.

Connect with our latest topics:  

“If your agency does not have a policy in place regarding the use of AEDs, you can start by referencing our Automated External Defibrillator Program Policy, which is available to Authority members in the Resources and Documents library on our website, cjpia.org.” Like, comment and share:

LinkedIn Page
“In response to growing statistics supporting the dangers of cell phone use while driving, California has established a new law cracking down on handling cell phones behind the wheel.” Follow us, comment and share about risk management:

LinkedIn Discussion Group
“Unauthorized structures that are built by private citizens on public property, but not permitted by the member agency, should be removed as soon as possible to minimize potential risk exposure. Do you have experience with discovering unpermitted structures, and if so, what actions are typically taken after the discovery?” Join the conversation, or pose a question or idea about risk management and the California JPIA:

“At the League of CA Cities City Managers Department Meeting Feb 8-10? We want to meet you! Visit our table on Feb 9. http://tinyurl.com/hfjrc2b” Tweet, retweet and follow the California JPIA:

For information on how to join these sites or participate in discussions, please contact Courtney Morrison, Administrative Analyst.

Risk Solutions

Cybercrime: A Rising Concern (Part One of a Two-Part Series)

By Roy Angel, Senior Risk Manager

According to the FBI, the lead federal agency for investigating cyber-attacks, the threat of cybercrime is “incredibly serious—and growing.”  Moreover, the law enforcement agency’s website concluded that “Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical infrastructure, including both private and public sector networks, are targeted by adversaries.”  (https://www.fbi.gov/investigate/cyber)

Cybercrime has become a multi-billion-dollar industry, and the public sector is not immune.  In September of 2016, the City of El Paso, Texas became the victim of a $3.2 million cyber scam.  One of the Authority’s members was also victimized for $17,000 in late 2016.  Regardless of the scale of the crime, any financial loss is an aggravating and costly situation.

In November of 2016, the Authority presented three Risk Manager Roundtables where attorney Scott Koller provided significant evidence of the growing threat to the public sector.  Koller, who is from the law firm of BakerHostetler and specializes in cyber law, notes that six percent of all cybercrime involves the government.  That percentage may seem low now, but if the above noted scams are any indication, the public sector appears to be a growing blip on the cyber-criminal radar.

In preparation for this article, Koller offered this additional insight:

“Cybercrime is huge, both in terms of the damages it causes and the profits criminal enterprises reap. Security firm McAfee estimated the global cost of cybercrime is $1 trillion. Lloyd’s, a British insurance company, provided a more conservative estimate at $400 billion. Either way, those numbers are huge, and it is only going up. We do not really know how much profit the criminals are making since they do not release their taxes. However, the FBI estimates that ransomware alone took in over a billion dollars in 2016. And that is just the ransom that was reported. As you can see, cybercrime is big business. Ransomware is so big that malware developers are operating call centers and outsourcing the distribution of the malware to other parties in exchange for a small percentage. Cybercrime is only going to get worse and while there is no way to prevent it, with proper planning and preparation, you can limit the frequency and severity of an incident. Public entities are frequently a target because of their size, complexity, and in some cases, limited resources to handle the variety of threats facing them. It is important to prepare in advance by reviewing policies, performing risk assessments, and conducting table-top exercises so that when the unenviable day comes, you will know what to do.”

Both scams were “spear-phishing” in nature: emails were sent to city staff by criminals impersonating vendors employed by the city, and the criminals then asked that money be wired to the impersonator’s account.

Part two of this series will describe various methods cyber criminals are using to scam public agencies and the measures that can be taken to combat them. It will also describe the insurance coverage the Authority offers to members for losses due to cybercrime.

The Court Report

California's Top Court Says Public May See Government's Legal Bills

(Reprinted from the Los Angeles Times, December 29, 2016)

A government agency’s legal bills for a case that has been resolved are generally public record, a divided California Supreme Court ruled Thursday.

The 4-3 decision reflected tensions between California laws that give the public broad access to government information and historic legal protections for confidential communications between lawyers and their clients.

“Invoices for legal services are generally not communicated for the purpose of legal consultation,” Justice Mariano-Florentino Cuéllar wrote for the majority. “Rather, they are communicated for the purpose of billing the client.

“And, to the extent they have no other purpose or effect, they fall outside the scope of an attorney’s professional representation,” said Cuéllar, who was appointed to the court by Gov. Jerry Brown.

The three dissenting justices contended the ruling undermined a pillar of California law and might have unintended consequences.

“Following today’s decision, attorneys in this state must counsel their clients that confidential communications between lawyer and client, previously protected by the attorney-client privilege, may be forced into the open by interested parties once the subject litigation has concluded,” wrote Justice Kathryn Mickle Werdegar, joined by Chief Justice Tani Cantil-Sakauye and Justice Carol A. Corrigan.

The case was brought by Eric Preven, an advocate for transparency in local government, and the ACLU of Southern California. They had used the state’s public records act to request copies of bills that Los Angeles County received from outside lawyers defending nine lawsuits charging brutality in the jails.

The ACLU and Preven suspected that the firms were engaging in a “scorched earth” strategy that was costing the county millions of dollars in fees for cases that should have been settled.

The county complied with the request for three lawsuits but argued that the attorney-client privilege protected the others because the suits were still pending. 

Communications between lawyers and clients are legally protected from disclosure to ensure openness and frankness.

A trial judge sided with the ACLU and Preven, ordering the county to produce invoices for all of the suits, and the county appealed. A court of appeal sided with Los Angeles, ruling that legal invoices were not public record because they amounted to confidential legal communications.

The court majority agreed that bills for ongoing litigation could reveal a government agency’s legal strategy and should remain confidential.

A sudden uptick in billed hours might tip off an opponent that the agency was preparing a major new filing or reacting to some development in the case, Cuéllar wrote. 

But bills for “long-concluded litigation … communicate little or nothing about the substance of legal consultation,” he said.

“The mere fact that an attorney transmitted a communication to his or her client confidentially … does not end the inquiry into whether the communication’s contents are protected by the attorney-client privilege,” said Cuéllar, who was joined by Justices Ming W. Chin, Goodwin Liu and Leondra R. Kruger.

The Times and several other media outlets participated in the case as friends of the court and argued that invoices should be public record.

Coverage Matters

Ransom Not Paid

by Jim Thyden, Insurance Programs Manager

Ransomware has become the most widespread cyber-crime and a billion-dollar industry. Government agencies are being targeted more frequently and the only way to combat this threat is to back up the data the cyber criminals might encrypt and lock. That’s exactly what a San Francisco transit authority did, and it saved them $73,000.

Members of the Authority have coverage for ransomware and can find details on the Authority’s website or by contacting Jim Thyden, Insurance Programs Manager.

Hacked Muni Refused $73,000 Ransom Demand; Computers Restored

(Reprinted from the San Francisco Chronicle, November 28, 2016)

For all Muni Metro passengers knew, the free rides they were getting Friday night and Saturday were a holiday gift from the transit system. Little did they know Muni was under attack from a hacker trying to squeeze $73,000 in ransom to unlock the agency’s computer systems.

Muni refused to pay up. Instead, officials shut down the system’s ticket machines, threw open the fare gates as a precautionary move, and contacted the Department of Homeland Security and their own technology division to contain the attack, they said.

“Considering paying that ransom was never an option,” said Paul Rose, an MTA spokesman.

By Sunday morning, the fare gates and ticket machines were up and running, and by Monday most systems were working again, Rose said.

The anonymous hacker used a ransomware attack — malicious software sent via email — to lock up employee computers at 900 workstations, shut down Muni’s email system and knock out the time-tracking portion of its payroll system, Rose said.

The hacker displayed messages on otherwise dark computer screens declaring “You hacked,” and asking for 100 bitcoins, a digital currency, or about $73,000. Muni never communicated nor negotiated with the hacker, Rose said. Instead, Muni officials relied on advice from federal officials and a backup system to restore the network.

“We were ready,” Rose said.

Confidential information such as customer or employee credit and bank account numbers was never compromised, he said. The hacker never had access to the computers that control trains, fare gates or ticket machines, he added.

“There was never an impact to transit service or safety systems, and no customer information was breached,” Rose said. “We’re working with the FBI, trying to identify any suspects.”

FBI officials in San Francisco did not return calls for comment.

The attack mainly affected the ability of Muni employees to log on to some computers and to send and receive emails, Rose said.

Silicon Valley venture capitalist Mahendra Ramsinghani, who invests in early-stage technology security companies, lauded Muni for quickly restoring its systems without succumbing to the ransom demand.

“If they were able to pull this off, it speaks to their technical abilities,” he said. “There are a lot of agencies that don’t have those abilities. There are so many examples where people pay.”

Typically, he said, victims don’t have a backup as Muni did, leaving them with the choice of taking a long time to rebuild their system or meeting the perpetrator’s demands.

Ransomware attacks are an increasingly common type of cybercrime scheme in which hackers send out thousands of random emails, hoping someone will inadvertently invite them inside a company or agency network by clicking on a link.

The FBI estimates that $150 million a year in the U.S. is exchanged through ransomware crime as victims cave to hackers’ demands. Worldwide, cybercriminals raked in nearly $325 million last year from individuals and businesses by using ransomware called CryptoWall.

Though ransomware attacks vary in execution — some are targeted and complex, while others are wide-reaching, such as the one on Muni — the way they ensnare victims is largely the same, cybersecurity experts said: They lay a trap.

People are conned into clicking on an infected pop-up in their Web browser or an email attachment that opens the malware and allows it entry to the computer system. Outdated software and unprotected systems are particularly vulnerable. Once infected, the system will shut down and alert the user that it has been infected. Hackers then hold the computer hostage until payment has been received.

Hackers usually ask for a specific amount — a number they believe to be realistic and low enough — to make it easier for victims to make payments and regain access to files, said Tim Erlin, the director of IT security and risk strategist for the security software company Tripwire.

“These attacks are becoming more common because they work,” he said. “The goal of a ransomware attack is to generate money or profit for the criminal involved. If you pay the ransom and get your files back, it creates a climate of trust for the victims, and if the criminal charges a ransom that’s relatively low — less money than it may cost to get your files back through other methods — that tends to make them successful. It’s an economy. Not a legal economy, but an economy nonetheless.”

Ransomware hackers will often escalate the threats as time ticks away and payment is not received, in an attempt to capitalize on people’s fear of what they might do with the information they have co-opted.

On Monday evening, a Forbes report said the Muni hacker was threatening to release files containing Muni employee and customer information. Rose said the MTA is convinced the hacker is bluffing.

“We’ve conferred with the Department of Homeland Security and, based on information from our internal team, we don’t believe he has access or those files,” Rose said.

It’s not the first time a public agency has fallen victim to a ransomware attack.

Despite the widely held belief that paying off hackers encourages more attacks, several police departments that fell victim to ransomware last year chose to pay hackers rather than lose access to their files. Over the summer, malware was found in San Antonio’s mass transit computer systems, and electronic traffic signs in Austin, Texas, were hacked earlier this year.

“Critical infrastructure, both large and small, remains a target and is susceptible to ransomware,” Andrew Storms, a vice president at San Francisco cybersecurity firm New Context, wrote in an email. “IBM has named transportation as a key cybertarget, given that the sector is increasingly relying on computer-based control, and yet security is such that hackers can cause a lot of damage with comparative ease.”