OSHA Portal’s Data Breach Raises Concerns

Employers’ fears about electronic reporting may be confirmed

By Allen Smith, J.D. August 31, 2017

Employers subject to the Occupational Safety and Health Administration's (OSHA's) new electronic reporting requirements are nervous about filing with the government following a potential data breach. The breach, reported by Bloomberg BNA, resulted in OSHA temporarily suspending its portal for submitting injury data within two weeks of its launch on Aug. 1. While OSHA's portal is now back up, employers distrust the agency's ability to safeguard confidential information from hackers, raising questions about whether the electronic reporting requirements—under review by the Trump administration—should be scrapped.

"While we do not know the details of the security incident or what company information was compromised, it is unsettling for employers that a security incident occurred that was significant enough that it required the site to be shut down," said Lillian Moon, an attorney with Akerman in Orlando.

"This incident might be cited as one reason for rescinding the rule if the new administration decides to do so," said Jamie LaPlante, an attorney with Porter Wright Morris & Arthur in Columbus, Ohio.

Electronic Filing Requirements

Establishments with 250 or more employees must file the Form 300A summary of illnesses and injuries electronically by Dec. 1. By July 2018, they will also have to file the more detailed Forms 300 and 301 in addition to Form 300A, unless the Trump administration revises the requirements.

All employers with 20 to 249 employees in industries that OSHA considers to be highly hazardous also will have to provide the illness and injury information in their OSHA 300A summary reports electronically. Affected employers include those in construction, manufacturing, furniture stores, grocery stores, hospitals, nursing homes, museums and amusement parks, Moon noted.

Previously, employers had been required to prepare their OSHA logs, post them at the workplace for employees and unions to examine, and keep them in HR files for five years. The only time they shared the information with OSHA was if there was an active inspection or if they were asked by the Bureau of Labor Statistics or OSHA to participate in annual injury surveys, noted Eric Conn, an attorney with Conn Maciel Carey in Washington, D.C. A randomly selected, rotating set of employers participated in the surveys. He said that even if employers had to participate, historically they were sharing only their 300A forms. Now under the electronic rule, employers will have to show their data every year, unless the requirements are rescinded. Conn thinks they may be scaled back with just the 300A summary information being required and not the full 300 or 301.

There's nothing to be gained in submitting data early, he said, recommending that employers wait until late November to submit their 300A data.

OSHA's Case for Gathering the Information

However, Deborah Berkowitz, a senior fellow with the National Employment Law Project in Washington, D.C., and former OSHA chief of staff in the Obama administration, said, "The idea that OSHA should not have any of this information is ridiculous." How will OSHA know where to best marshal its resources, she asked, if it does not have injury and illness information?

She said that the agency has received all sorts of data and kept it confidential for decades. "I have complete faith in OSHA," she said, adding that the information it is gathering "is very important to the agency to target the most dangerous workplaces in the United States." The agency does not want to go where there are no violations and everything is fine, she said.

"OSHA does not have a lot of resources. It has to prioritize," she noted.

Misused Information

But Moon cautioned, "The injury and illness reports are not meant to be a measuring stick as to safety levels at a company. The general publication of the information would allow OSHA and anyone else who obtains it through OSHA's publication to embarrass, shame or tarnish a company's image based on incomplete information."

Moon added that while only summary information will be entered into the system initially, in 2018, employers will have to input detailed log and incident report information, which includes: employee names, addresses, dates of birth, dates of hire, physician or health care provider names, job titles, dates of injury, where the events occurred, and descriptions of the injuries or illnesses. "This is the very type of information that is valuable on the black market for identity theft purposes," she said.

Matthew Deffebach, an attorney with Haynes and Boone in Houston, said, "OSHA has promised to scrub personal identifiers from this information, but a data breach could expose such information residing in OSHA's database." He added that the recent glitch "calls into question OSHA's ability to properly remove the personally identifiable information in the first instance."

 
