January 2019 - Issue 83

Cal/OSHA Reporting Requirements  

Phishing and Social Engineering Email Attacks - Current Best Practices

Paul Zeglovitch – Celebrating 10 Years of Service 

Minor Volunteers and Interns

Respiratory Protection

Court May Not Deny Qualified Immunity in Excessive Force Case on Ground That Freedom from Excessive Force is Clearly Established

Americans with Disabilities Act Lawsuit Targets Scooters

Cyber Exposure: Disposing of Sensitive Data-Storing Devices

Cyber Exposure: Encrypting to Combat Data Breach Threats

News: Worthy

Cal/OSHA Reporting Requirements

The Occupational Safety and Health Administration (OSHA) requires employers to post OSHA Form 300A between February 1 and April 30, 2019.  Form 300A provides a summary of the total number of job-related injuries and illnesses that occurred in 2018 and were logged on OSHA Form 300.  The form must be posted in a location where employee notices are usually found, and must not be altered, defaced or obscured during the posting period.

Employers must record any new work-related injury or illness if it results in days away from work, restricted work or transfer to another job, medical treatment beyond first aid, loss of consciousness, significant injury or illness as diagnosed by a physician or other licensed healthcare professional, or death. Employers must record any incidents that aggravate a prior injury.

A copy of Form 300A must also be made available to employees who do not report to any fixed establishment on a regular basis.  At the end of the three-month posting period, the Form 300A should be kept on file for five years.  If any newly discovered, recordable incidents or changes in classification are noted, the log should be updated.

OSHA has strict requirements for protecting the privacy of injured and ill employees. An employer shall not record the employee's name on the OSHA 300 log for certain "privacy concern cases". Instead, “Privacy Case” shall be entered in the space reserved for the employee’s name. OSHA defines a privacy concern case as an injury or illness to an intimate body part or the reproductive system; an injury or illness resulting from a sexual assault; mental illnesses; HIV infection, hepatitis or tuberculosis; needle stick injuries and cuts from sharp objects that are contaminated with another person’s blood or other potentially infectious material; and other illnesses if the employee voluntarily requests that his or her name not be entered on the log. The Authority is recommending that all cases reference “Privacy Case” in the employee name fields, not just in privacy concern cases as defined by OSHA.

Members who participate in the Authority’s Workers’ Compensation Program recently received an email from York Risk Services Group with a partially completed Form 300A with instructions for completing and posting the form.  Members should follow the instructions and post a copy of the completed form by February 1, 2019. Forms 300 and 300A can also be obtained from the Cal/OSHA website.  

For more information, please contact Jeff Rush, Workers’ Compensation Program Manager, or your assigned Risk Manager.


News: Worthy

Phishing and Social Engineering Email Attacks - Current Best Practices

By Carl Sandstrom, Business Projects Manager

Everyone has received emails sent by bad actors attempting to harm or otherwise compromise an organization’s data environment.  Agencies must remain diligent in keeping employees aware of these constant threats in order to avoid cyber incidents.  Security awareness training teaches employees the attack methods in use and to be suspicious of anything that seems out of the ordinary, scrutinizing emails, web pages, and even phone calls, all to make sure your agency is protected against successful attacks.

The Authority is not immune from bad actors who have tried to use the Authority’s domain for nefarious purposes.  Some members have even reported receiving emails that masquerade as legitimate messages from training@cjpia.org.  The Authority likewise regularly receives malicious emails that appear to come from various members.  We know it is not the member who is sending the bad email, but bad actors spoofing the email addresses.

There is no current method or solution to prevent the use of someone's email address as cover for an attack on your data system.  The Authority uses security software that intercepts inbound emails containing malicious attachments and quarantines them, letting only the harmless portions of the message through to the recipient’s inbox, which also alerts staff that an offending email was received.  The security software is doing its job. However, malicious emails containing malevolent links are still making their way into all of our inboxes.

The best risk management practice for handling questionable emails is to ensure that your information technology staff or vendor possesses the sophisticated tools needed to determine whether an email is harmful or harmless.  Then instruct your employees, if there is any doubt, to forward the email to your staff or vendor to be screened.  Alternatively, you may call the sender to confirm the email's authenticity, or delete the email and wait for another contact from the sending party.

The final defense is continued vigilance on every employee’s part: do not click on links in emails that you were not expecting, or that come from email addresses that have been corrupted or usurped for bad reasons.  Examine the sending address and look for misspellings or characters that are added or misplaced in the address.  Hover over the links and look for URLs that don’t look right.  Google recently released a free phishing quiz to help with user awareness on this crucial last line of defense:  https://phishingquiz.withgoogle.com/

If the email in question is from a financial entity (bank, credit union, loan company, etc.) that you personally do business with, call them using a number from the company's official website or visit them in person to discuss the content of the email if you think it may be legitimate. 
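The two manual checks above, examining the sending address for altered characters and comparing a link's visible text with where it really points, can also be automated as a first screening pass before a message reaches IT staff. The following is an added example and not code from the Authority or the article; the trusted-domain list, the three sample messages and the `example.net` hosts are all constructed for illustration.

```python
"""Screening checks for the two warning signs described above: sender addresses
that imitate a trusted domain, and links whose visible text names a different
site than the one they really point to. Added example; the messages below are
constructed, and the trusted-domain list is an assumption."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allow-list of domains the agency trusts (cjpia.org is the
# Authority's domain named in the article).
TRUSTED_DOMAINS = {"cjpia.org"}

# Digits and symbols commonly swapped in for look-alike letters.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
_DOMAIN_IN_TEXT = re.compile(r"(?:[\w-]+\.)+[a-z]{2,}")


def _normalize(domain):
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried in a longer host (cjpia.org.example.net), a swapped
        # look-alike character, or one or two characters added, dropped or changed.
        if trusted in domain or _normalize(domain) == trusted or _edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html_body):
    """Flag links whose text shows one host while the href goes elsewhere, and
    links whose real target imitates a trusted domain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        match = _DOMAIN_IN_TEXT.search(text.lower())   # domain the reader sees, if any
        shown = match.group(0) if match else ""
        if shown.startswith("www."):
            shown = shown[4:]
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif classify_sender_domain(target) == "lookalike":
            findings.append(f"link target {target} imitates a trusted domain")
    return findings


def screen_message(raw_message):
    """Return a list of human-readable warnings for one raw email (empty if clean)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]
    findings = []
    verdict = classify_sender_domain(domain)
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} imitates a trusted domain")
    elif verdict == "unknown":
        # A trusted organisation's name in the display name, but a foreign address.
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in display_name.lower():
                findings.append(f"display name claims {trusted} but address is {address}")
    findings.extend(check_links(msg.get_payload()))
    return findings


# Constructed sample messages (not real mail).
LEGITIMATE = """From: California JPIA Training <training@cjpia.org>
Subject: Upcoming class
Content-Type: text/html

<p>Register at <a href="https://www.cjpia.org/training">www.cjpia.org/training</a>.</p>
"""

LOOKALIKE_SENDER = """From: California JPIA Training <training@cjpla.org>
Subject: Action required: password expires today
Content-Type: text/html

<p>Sign in at <a href="http://cjpia-login.example.net/reset">https://www.cjpia.org/login</a> within 24 hours.</p>
"""

SPOOFED_NAME = """From: cjpia.org Helpdesk <helpdesk@mail.example.net>
Subject: Mailbox quota exceeded
Content-Type: text/html

<p><a href="http://cjpia.org.example.net/">Click here</a> to keep your mailbox active.</p>
"""

if __name__ == "__main__":
    for label, sample in [("legitimate", LEGITIMATE), ("lookalike sender", LOOKALIKE_SENDER),
                          ("spoofed name", SPOOFED_NAME)]:
        print(label, "->", screen_message(sample) or ["no warnings"])
```

The script reports nothing for the legitimate message and two warnings for each of the other two: a sender domain one letter away from the trusted one plus a link whose text and target disagree, and a display name claiming the trusted organisation plus a link target that buries the trusted name inside a longer host. It is a screening aid, not a verdict: a message with no warnings can still be malicious, which is why the article's advice to forward doubtful email to IT staff still applies.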

Email communication has replaced voice communication in many ways.  Bad actors have quickly adopted email schemes to take advantage of this volume, and hope to make money illegally or cause disruption of all our data systems.  While tools can be purchased to screen suspect emails, ultimately employees themselves are an important line of defense for any agency.  Take the time to educate them on what to look for and to help lessen the risk that your agency will be the victim of an attack.


Pro: Files

Paul Zeglovitch – Celebrating 10 Years of Service 

Paul Zeglovitch celebrated a decade of service with the Authority. Serving as Liability Program Manager since December 2008, Paul manages all aspects of the Authority’s liability protection program directing his focus on managing the activities of the program’s third-party administrator, Carl Warren & Company, defense panel attorneys, and the employment intervention program.

Paul is a 25-year veteran of the insurance claims industry. His experience and expertise in government entity claims, including dangerous conditions, inverse condemnation, employment practices, civil rights, and police liability, has earned him the trust and respect of the members, defense panel attorneys, and Carl Warren & Company.

Paul is a regular contributor at the Authority’s Risk Management Educational Forum and regularly provides training to members. He hosts the Annual Defense Panel Attorney Summit that brings together the Authority’s legal experts and attorneys to collaborate on recent case law and legal strategies impacting members.  Additionally, Paul is actively involved in professional organizations including serving as chapter chair of PARMA’s Southern California chapter. He currently serves on PARMA’s board of directors. 

Congratulations, Paul!


Risk Solutions

Minor Volunteers and Interns

by Alex Mellor, Risk Manager

Public agencies occasionally offer volunteer or internship opportunities to individuals under the age of 18. These opportunities provide valuable work experience and exposure to the wide array of services provided by public agencies. A minor may approach the agency individually regarding volunteering or interning, or the assignment may be a part of the minor’s studies.  Under the California Labor Code, "minor" is defined as any person under the age of 18 years required to attend school under the provisions of the Education Code, and any person under age six.

Regardless, allowing minors to volunteer or intern at your agency creates certain liability and workers’ compensation exposures, each of which should be appropriately managed. With that in mind, the following actions are recommended to mitigate these risks:

  • Limit volunteers/interns to individuals aged 15 or older. Additionally, each volunteer's level of maturity should be assessed when assigning duties and responsibilities. Almost all minors under the age of 18 are subject to California's child labor protections.
  • Obtain parent/guardian consent. This can be achieved by requiring that the minor complete an application form to be signed by the parent/guardian.
  • Complete appropriate background checks (e.g. Live Scan fingerprinting) for employees with supervisory responsibility over minor volunteers/interns.
  • Provide appropriate training regarding agency policies, programs and procedures, including training on the specific duties and responsibilities to be performed.
  • Provide appropriate oversight of minor volunteer/intern activities. Remember that these individuals are minors and should be closely supervised.

When using volunteers, workplace injuries are arguably the greatest exposure. It is critical that your agency understand who bears responsibility for injuries or illnesses to minor volunteers and interns, and how that responsibility will be met. If your agency has extended workers’ compensation coverage to volunteers via a resolution, those benefits are also available to minor volunteers/interns. Alternatively, the volunteer/intern can be required to sign a waiver releasing the agency from responsibility for any injury or illness. In certain circumstances, the minor volunteer/intern’s school may provide coverage through its workers’ compensation insurance.

The California JPIA has a sample Volunteer Manual which contains a number of resources to assist with implementing the above recommendations. This resource is available through the California JPIA website.

For questions or more information, please contact your assigned regional Risk Manager.


Risk Solutions

Respiratory Protection

By Alex Mellor, Risk Manager 

Development and implementation of a formal program to mitigate employee exposure to harmful airborne contaminants is an important consideration for many public agencies. Prolonged exposure to such contaminants can result in diseases that have significant negative effects on employee quality of life and can result in costly and complex workers’ compensation claims.

Respiratory protection is also a significant focus of enforcement agencies. For fiscal year 2017, respiratory protection was the fourth most frequently cited standard following inspections of worksites by federal OSHA[1].

Recognizing the importance of this exposure, Cal/OSHA has promulgated regulations imposing certain requirements on employers. These requirements are codified in Title 8, California Code of Regulations, section 5144: https://www.dir.ca.gov/title8/5144.html.

Critical elements of this regulation are as follows:

  • Identification and evaluation of respiratory hazards in the workplace.
  • Engineering and administrative controls (enclosure of operation, ventilation, substitution of less toxic materials etc.) shall be used as far as feasible to prevent employee exposure to airborne contaminants.
  • When engineering controls are not feasible, respirators shall be used.
  • When respirators are used, employers shall develop and implement a written Respiratory Protection Program. This program shall include, but is not limited to, the following:
    • Selection of appropriate respirators
    • Medical evaluation of respirator users
    • Annual face seal fit testing
    • Procedures for routine and emergency use
    • Procedures for respirator inspection and maintenance
    • Annual employee training

Where respirator use is not required, employers may provide respirators at the request of employees, or permit employees to wear their own respirators, provided respirator use itself does not create a hazard. If the employer determines voluntary respirator use is permissible, the information contained in Section 5144 Appendix D, Information for Employees Using Respirators When Not Required Under the Standard, shall be provided to employees. This information can be found at the following link: https://www.dir.ca.gov/title8/5144d.html.

It is important to note that Cal/OSHA also has additional respiratory protection regulations related to working with specific substances such as lead, asbestos and silica. There is also a separate respiratory protection regulation specific to firefighters. That regulation can be found at the following link: https://www.dir.ca.gov/title8/3409.html.

California JPIA members are encouraged to become familiar with their obligations regarding respiratory protection. To assist with this effort, a number of resources are available. A Respiratory Protection Program template is available on the California JPIA website. Member agencies may use the template and tailor it to their specific operations. In addition, the California JPIA offers respiratory protection classroom training along with a number of e-learnings accessible through the California JPIA website.

Finally, Cal/OSHA also has a number of helpful resources on this topic:

For questions or more information, please contact your assigned regional Risk Manager.

[1] https://www.osha.gov/Top_Ten_Standards.html


The Court Report

Court May Not Deny Qualified Immunity in Excessive Force Case on Ground That Freedom from Excessive Force is Clearly Established

By Daniel P. Barer, Pollak, Vida and Barer 

In City of Escondido v. Emmons, published January 7, 2019, the U.S. Supreme Court, in a per curiam opinion, reversed a Ninth Circuit decision holding that excessive force claims against two officers should be sent to trial.  

Background
In April 2013, Escondido police received a 911 call from Maggie Emmons about a domestic violence incident at her apartment. Emmons lived at the apartment with her husband, her two children, and a roommate, Ametria Douglas.  Officer Jake Houchin responded to the scene and eventually helped take a domestic violence report from Emmons about injuries caused by her husband.  The officers then arrested her husband, but he was later released.

 A few weeks later, on May 27, 2013, at about 2:30 p.m., Escondido police received a 911 call about another possible domestic disturbance at Emmons’ apartment. That 911 call came from Trina Douglas, the mother of Ametria Douglas. Trina Douglas was on the phone with her daughter Ametria, who was at the apartment. Trina heard her daughter Ametria and Maggie Emmons yelling at each other and heard her daughter screaming for help. The call suddenly disconnected, so Trina Douglas called 911.

Officer Houchin again responded, along with Officer Robert Craig. The dispatcher informed the officers that two children could be in the residence and that calls to the apartment had gone unanswered.

Police body-camera video recorded the actions of the officers at the apartment. 

No one answered the officers as they knocked on the door of the apartment.  The officers ended up speaking with Emmons through a side window, attempting to convince her to open the door to the apartment so that they could conduct a welfare check. A man in the apartment then told Emmons to back away from the window, but the officers said they could not identify the man. At some point during this exchange, Sergeant Kevin Toth, Officer Joseph Leffingwell, and Officer Huy Quach arrived as backup.

A few minutes later, a man opened the apartment door and came outside. At that point, Officer Craig was standing alone just outside the door. Officer Craig told the man not to close the door, but the man closed it anyway and tried to brush past Officer Craig. Officer Craig stopped the man, took him quickly to the ground, and then handcuffed him. Officer Craig did not hit the man or display any weapon. The video shows that the man was not in any visible or audible pain as a result of the takedown or while on the ground. Within a few minutes, officers helped the man up and arrested him for a misdemeanor offense of resisting and delaying a police officer.

The man turned out to be Maggie Emmons’ father, Marty Emmons.

Claim
Marty Emmons later sued Officer Craig and Sergeant Toth, among others, under Rev. Stat. §1979, 42 U. S. C. §1983. He raised several claims, including, as relevant here, a claim of excessive force in violation of the Fourth Amendment. The suit sought money damages for which Officer Craig and Sergeant Toth would be personally liable. The District Court held that the officers had probable cause to arrest Marty Emmons for the misdemeanor offense. The Ninth Circuit did not disturb that finding, and there is no claim that the officers lacked probable cause to arrest Marty Emmons. The only claim remaining is that the officers used excessive force in effectuating the arrest. 

Ruling
The District Court rejected the claim of excessive force. 168 F. Supp. 3d 1265, 1274 (SD Cal. 2016). The District Court stated that the “video shows that the officers acted professionally and respectfully in their encounter” at the apartment. Id., at 1275.  The District Court held that Sergeant Toth—who did not participate in the use of force—was entitled to summary judgment, and Officer Craig was entitled to summary judgment based on qualified immunity.

In an unpublished opinion, the Ninth Circuit reversed as to both officers.  Because the right to be free from excessive force was clearly established, the Circuit Court ruled, the officers were not entitled to qualified immunity.

The Supreme Court ruled that the Ninth Circuit erred as to both officers.  As to Sergeant Toth—who did not participate in the use of force—the reversal as to him was unexplained and puzzling.  As to Officer Craig—who used excessive force—the Ninth Circuit erred in not defining the clearly established right with specificity.  The Court should have asked whether clearly established law prohibited the officers from stopping and taking down Marty Emmons in these circumstances.  The case has been remanded to the Ninth Circuit to re-evaluate qualified immunity, this time applying the proper standard.


The Court Report

Americans with Disabilities Act Lawsuit Targets Scooters

(Reprinted from the San Diego Union Tribune, January 11, 2019)

The city of San Diego and electric scooter brands Lime and Bird are the targets of a lawsuit filed in federal court alleging the ubiquitous motorized vehicles are violating the Americans with Disabilities Act by impeding and blocking access to city streets and sidewalks.

The suit filed by the group Disability Rights California and three disabled San Diego residents is seeking class-action status for people with mobility or sight disabilities who navigate sidewalks, curb ramps and public spaces also occupied by scooter riders.

“Without full use of the sidewalk and curb ramps at street intersections, persons with mobility and/or visual impairments have significant barriers in crossing from a pedestrian walkway to a street,” the suit alleges. “This is exacerbated when the sidewalk itself is full of obstructions and no longer able to be fully and freely used by people with disabilities.”

The suit accuses the city of not maintaining streets and sidewalks in a way that doesn’t discriminate against the disabled and allowing “dockless scooters used primarily for recreational purposes to proliferate unchecked throughout San Diego and to block safe and equal access for people with disabilities.”

The lawsuit also alleges the scooter companies have been allowed to “appropriate the public commons for their own profit.”

A spokeswoman for San Diego City Attorney Mara Elliott said the office would review the lawsuit and respond accordingly in court. A spokesman for Lime would not comment directly on the allegations in the suit but said the company is mindful of safety issues.

“While Lime does not comment on pending litigation, public safety has always been at the very core of everything we do at Lime,” the company said in an emailed statement.

“From Lime’s ‘Respect the Ride’ campaign, which is focused on educating riders on responsible riding, to our development of built-in sensor technology to detect if a rider is abiding by local riding laws, we are committed to keeping our communities safe for everyone.”

The proliferation of electric scooters has been welcomed by advocates pushing for transit alternatives to cars but opposed by some who see them as an unregulated nuisance. Several cities have struggled to control their growth.

This year, San Diego officials are expected to weigh a regulatory package that would include setting speed limits in certain areas. Last year, Los Angeles set a 15 mile per hour speed limit on the scooters, along with several other rules.


Coverage Matters

Cyber Exposure: Disposing of Sensitive Data-Storing Devices

By Jim Thyden, Insurance Programs Manager 

(Republished with permission from ePlace Solutions, a business partner of the California JPIA)

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) publishes a monthly newsletter to promote the importance of cybersecurity and increase awareness of the threats to the confidentiality, integrity, and availability of sensitive electronic data.

The HHS OCR Guidance on Disposing of Electronic Devices and Media (Guidance) provides suggestions for properly disposing of technology that may contain sensitive data – such as financial or protected health information. While directly applicable to the healthcare sector, this guidance is best practice for all organizations.

OCR’s Mission

Part of OCR’s mission is to provide guidance to health care providers, insurers and other stakeholders on cybersecurity issues like properly disposing of equipment that contains sensitive information. This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other types of electronic storage devices.

Improper disposal of devices can lead to a data breach that can be costly to an organization, both financially and reputationally. Some of the financial costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients.

10 Questions

OCR’s Guidance offers ten specific questions to consider when disposing of data-storing devices to reduce the risk of a data breach.

  • What data is maintained by the organization and where is it stored?
  • Is the organization’s data disposal plan up to date?
  • Are all asset tags and corporate identifying marks removed?
  • Have all asset recovery-controlled equipment and devices been identified and isolated?
  • Is data destruction of the organization’s assets handled by a certified provider?
  • Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
  • Is onsite hard drive destruction required?
  • What is the chain of custody?
  • How is equipment staged or stored prior to transfer to external sources for disposal or destruction?
  • What are the logistics and security controls in moving the equipment?

This guidance also includes a thorough examination of decommissioning and disposing of devices and media no longer needed; destruction and disposal of protected health information; and disposal of paper, film and other hard copy media.

Key Takeaways

  • Take Stock: Know what personal information you have in your files and on your computers.
  • Scale Down: Keep only what you need for your business.
  • Lock It: Protect the information that you keep.
  • Pitch It: Properly dispose of what you no longer need.
  • Plan Ahead: Create a plan to respond to security incidents.

For more information please consult the NIST Special Publication 800-88: Guidelines for Media Sanitization.

If you have any questions, comments, or suggestions, please contact Jim Thyden, Insurance Programs Manager. 


Coverage Matters

Cyber Exposure: Encrypting to Combat Data Breach Threats

By Jim Thyden, Insurance Programs Manager 

(Republished with permission from ePlace Solutions, a business partner of the California JPIA.)
 

Data breaches happen all the time; simply look to the headlines and you’ll find multiple examples of corporations struggling to protect their data. From Target and Equifax to Anthem, all of these organizations have fallen victim to some form of data breach, usually affecting customer data. Yes, many (most) of us have received a breach notification letter or, at the very least, know someone who has.

Every state in the U.S. now has a data breach notification law. This trend is a signal to organizations conducting business in the U.S. that they should start taking the necessary actions to protect the personal identifying information of their customers, clients and employees.

Encryption

One of the best ways to protect personal identifying information is through encryption. Encryption is an algorithmic process that transforms readable data into unreadable data and requires a confidential process or key to make the data readable again. An encryption key is a string of bits used to scramble and unscramble data, essentially unlocking the information and turning it back into readable data.

Not only has encrypting data become easier and cheaper to implement, it also has legal benefits. For example, many data breach notification laws contain an encryption safe harbor that says notification is not required if the compromised data was encrypted.

How Encryption Will Help Your Organization

One purpose of encrypting data is to help mitigate the damages caused by a data breach. Data encryption is not an absolute solution, as breaches will and do still happen. But once accessed, unencrypted data can quickly yield a treasure trove of sensitive financial, business or personal information. With such unauthorized access, an organization can suffer massive reputational damage and find itself subject to hefty regulatory fines. However, if the accessed data was encrypted, your legal obligations (and resulting damages) will likely be much smaller.
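The point made in the Encryption section and again here, that an intruder who copies encrypted records gets nothing usable without the key, is easiest to see on a concrete record. The following is an added example, not code from ePlace Solutions or the California JPIA, and the personal record in it is fictitious. Python's standard library ships no AES, so the cipher is built from HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); that construction is sound in principle, but a production system should use a vetted library's authenticated encryption such as AES-GCM.

```python
"""Encrypt-then-MAC demonstration of what encryption does for a stored record.
Added example with a constructed record. Python's standard library has no AES,
so the cipher here is HMAC-SHA256 run in counter mode plus a separate HMAC tag;
real systems should use a vetted library's authenticated encryption (AES-GCM)."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(master_key, purpose):
    """Derive separate encryption and authentication keys from one master key."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(master_key, plaintext):
    """Return nonce || ciphertext || tag. A fresh nonce per record is essential:
    reusing one with the same key would leak the XOR of two plaintexts."""
    enc_key, mac_key = _subkey(master_key, b"encrypt"), _subkey(master_key, b"authenticate")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master_key, blob):
    """Verify the tag first, then decrypt; a wrong key or altered bytes raise ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(master_key, b"encrypt"), _subkey(master_key, b"authenticate")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# Constructed sample record holding the kind of personal identifying information
# the article is concerned with (fictitious values).
RECORD = json.dumps({"name": "A. Example", "ssn": "000-00-0000", "dob": "1970-01-01"}).encode()


def breach_scenarios():
    """Show what an intruder who copies the stored blob (but not the key) gets."""
    master_key = secrets.token_bytes(32)   # lives in a key store, never beside the data
    blob = encrypt_record(master_key, RECORD)
    outcome = {
        "ssn_visible_in_storage": b"000-00-0000" in blob,
        "owner_can_read": decrypt_record(master_key, blob) == RECORD,
    }
    try:
        decrypt_record(secrets.token_bytes(32), blob)   # intruder guessing a key
        outcome["wrong_key_rejected"] = False
    except ValueError:
        outcome["wrong_key_rejected"] = True
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 5] ^= 0x01                     # flip one bit inside the ciphertext
    try:
        decrypt_record(master_key, bytes(tampered))
        outcome["tampering_detected"] = False
    except ValueError:
        outcome["tampering_detected"] = True
    return outcome


if __name__ == "__main__":
    print(json.dumps(breach_scenarios(), indent=2))
```

Running it prints that the Social Security number is not visible in the stored bytes, the key holder can still read the record, a wrong key is rejected, and a single flipped bit is detected. The design choice to notice is that the key is generated and held apart from the data: the safe harbor the article describes only helps if what leaks is the ciphertext and not the key with it.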

Various states and industries now require organizations to safeguard their data. Companies can use encryption as part of those safeguards and to mitigate risk exposure. Acting now will limit the fallout of a potential breach!

Key Takeaways

  • Encryption can potentially help your organization avoid an incident that requires individual notification and is therefore worthy of investment.
  • Encryption will save you time, money, and possibly your organization’s reputation.

If you have any questions, comments, or suggestions, please contact Jim Thyden,  Insurance Programs Manager.