Employers advised to delay injury data filings in wake of security breachReprints
A potential security breach of the U.S. Occupational Safety and Health Administration’s web-based form to allow employers to electronically submit required injury and illness data has validated employer concerns about the agency’s ability to secure and protect the information and has lawyers advising their clients not to file the reports until right before the deadline.
On Aug. 1, OSHA launched the injury tracking application as part of the compliance effort for its controversial electronic record-keeping rule, but a note on the website Aug. 15 said technical difficulties were making some of the pages unavailable. An OSHA spokesperson later confirmed that the agency received an alert from the United States Computer Emergency Readiness Team in the Department of Homeland Security indicating there was a potential compromise of user information for the injury tracking application and that the one unnamed company apparently affected by the breach had been notified.
“This has to be the OSHA staff’s worst nightmare,” said John Martin, a Washington-based shareholder with Ogletree, Deakins, Nash, Smoak & Stewart P.C.
In late June, the agency set a new Dec. 1 compliance date for electronic data submission after announcing in mid-May that it would delay compliance. However, it also announced plans to issue a separate proposal to reconsider, revise or remove other provisions of the electronic record-keeping rule, which was adopted in the last year of the Obama administration.
Legal experts expect the requirement to electronically submit injury and illness records and plans to publish this information via an electronic database accessible to the public to be revisited and are advising their clients to be patient.
“I’m not advising anybody to file it before Dec. 1 because it might change,” said Mark Kittaka, a Columbus, Ohio-based partner with Barnes & Thornburg L.L.P. “I don’t know why you’d want to file it early. You may not have to file it all.”
The compliance day when employers must electronically file this information is “growing dimmer and dimmer if you ask me,” Mr. Martin said.
“I think the Trump administration’s Department of Labor is no fan of this rule and I think they’re going to use this to try and justify revoking at least this part of the rule — the making this information public,” he said. “But they could also use it to kill the whole aspect of employers having to provide this information via e-filing.”
Employers should make sure their on-site injury and illness forms are up to date in case they do have to file, but should not submit the information until November, said Edwin Foulke, an Atlanta-based partner at Fisher & Phillips L.L.P. and a former OSHA assistant secretary of labor.
“It’s potentially harmful information to use against employers,” he said. “It made no sense for any employer to put the data in now. Why send it in? If they decide not to require employers to do it, they’re not going to send back the information.”
As it stands, the rule requires employers with 250 or more employees in industries covered by the recordkeeping regulation — as well as those with 20 to 249 employees in high-risk industries such as agriculture, forestry, construction and manufacturing — to electronically submit injury and illness data that they are already required to record on their on-site OSHA Injury and Illness forms.
The rule initially requires employers only to submit their Form 300As, which are the annual injury and illness summaries that only feature high-level data such as total number of deaths and the total number of days away from work. Eventually, however, they would have to submit other forms, including 300 and 301 forms that contain a lot more sensitive information such as employee names and descriptions of their injuries and illnesses. Eric Conn, founding partner, Conn Maciel Carey L.L.P. based in Washington, predicted the agency would at least shift away from requiring the submission of these forms.
“I think this is not a new concern, everybody has been concerned about the protection of that data, but the fact now that literally two weeks after the database goes live, there is a real security breach issue slapping the agency in the face, I think that is going to only heighten that concern and make it more likely that they change to basically say ‘no matter the size of the employer, no matter the year, all we want from you is 300A data,’” he said.
Kristen Beckman contributed to this article.