RISC eNews Blast

January 22, 2014

RISC eNews Blast

JANUARY 22, 2014

Data Breach & Cyber Security

Point-of-sale systems targeted in retailer data thefts
USA Today, 1/13/2014

The Advanced Persistent Threat attack used to breach Target’s system and that of others begins with intelligence gathering about possible entry points into the system, which can include the spear phishing approach discussed in sessions at NLC-RISC’s October 2012 and May 2013 conferences. The hackers use a variety of information to identify employees who may have access to the systems targeted, and then try to plant information in the system via emails sent to those employees. Those emails are often highly credible, appearing to come from the employee’s superior and containing an explicit instruction to click on a link. Recognizing and avoiding these traps is an important part of any cyber risk training pools offer to their members.

In a Cyber Breach, Who Pays, Banks or Retailers?
Wall Street Journal, 1/12/2014

Another dimension of loss in data breach events involving credit cards is the cost to reissue the cards. Banks are pushing for the retailers whose systems are breached to bear this expense. The retailers say the banks should develop more secure cards. Pool members could be affected by this debate if they accept credit cards in transactions and their systems are breached. Pools that provide cyber coverage may want to consider whether they want to cover this type of cost, how their present coverage language would treat it, and loss control measures to control the exposure.

The bright side to the Target hack? It’s getting Congress moving
Washington Post, 1/10/2014

A federal data breach law may be in the offing, in the wake of major security breaches over the holidays. Senator Patrick Leahy introduced the Personal Data Privacy and Security Act of 2014, S 1897, on January 8. There is no indication in the bill that it applies directly to state or local governments. A summary and the full text of the bill are available here.
S. 1897 would include:

  • Title I adds to the federal racketeering criminal statute fraud in connection with the unauthorized access of personally identifiable information in electronic or digital form.
  • Title I imposes a prison term on those who know of an intentionally conceal a security breach that results in economic harm of more than $1,000 and for which notice is required under Title II.
  • Title II subjects certain businesses (which can include nonprofits) engaged in interstate commerce to data privacy and security requirements for information on U.S. persons, requires notice of breach under defined circumstances, and imposes penalties for breach.
  • Title II preempts state law requirements “with respect to administrative, technical and physical safeguards for the protection of personal information” for business entities subject to the bill.

Layered Security: Why it Works
SANS Analyst Program, 12/2013

A robust firewall and antivirus software are no longer enough to protect a computer network. Layered security provides redundancy that increases the chances an intruder will be deflected. Important tools include:

  • Identifying the critical information that must be protected
  • Educating employees, especially but not limited to those with administrative rights, about phishing attacks and how genuine they can seem
  • Firewalls and Data Loss Prevention systems that identify important documents that are being transferred out of the network
  • Antivirus scanning at multiple points
  • Checking the “reputation” of the file
  • Automating the detection of abnormal behavior
  • Remediation in a rapid manner



Employment Practices

Risk management: What to include in a personnel file
Mondaq, 1/9/2014

The risk of potential discrimination claims can be reduced by keeping documents that do not belong in the personnel file – generally those that include subjective information - in a separate locked location. This helps to eliminate the perception that the information may have served as the basis for personnel actions. Information that should be considered for removal and storage elsewhere includes:

  • Subjective notes about the employee during the interview process;
  • Reference checks or letters of reference;
  • Documents pertaining to criminal or other investigation of the employee;
  • Credit reports;
  • Immigration and naturalization information (I-9 Forms);
  • Medical files of any records informing of a medical condition, including drug test results;
  • Wage garnishments;
  • Photos of employee or his or her documents, i.e. driver’s license, passport etc.; and
  • EEO forms.

For this strategy to be effective, access to the separately stored information must be strictly limited and not accessible to those making decisions about the employee.

How BYOD Puts Everyone at Legal Risk
Network World, 11/21/2014

Pools whose members are subject to a state labor law may want to consider how the reasoning in the National Labor Relations Board’s recent reports on social media policies might extend to BYOD (Bring Your Own Device) policies. If so, some of the very broad BYOD policies that have been evolving could be treated as violating employees’ rights under labor laws, just as some social media policies have been. Whatever the breadth of the BYOD policy signed by the employee, employers should be cautious when extracting personal information, such as personal email and social media, from employee-owned devices. The law is still evolving, so any access to personal information should be supported by the policy signed by the employee and relevant to a specific employer need.



Property & Casualty

To Foster Claims Excellence, Begin with the Right Metrics
Property Casualty 360, 1/14/2014

Activity based metrics help a claims operation ensure that the appropriate steps are followed in a timely manner, but they do not measure how those steps affect outcome. Results based metrics, which measure how interim steps affect the final outcome, are more difficult, especially for workers’ compensation and liability claims, which take longer to resolve. One suggestion, for evaluating reserving practices, is to compare the relationship of the final closing value of claims with their reserve pattern throughout their history. Others include comparison of the final value to specific activities of interest, such as timeliness of initial reporting, claims decisions, initiation of return to work programs, or the use of case managers.

Workers' Compensation

Police on Night Shift More Likely to Suffer Long-Term Injuries
Insurance Journal, 1/21/2014

A study from the University of Buffalo has concluded that police who work the night shift are more likely to sustain long term injuries – injuries producing more than 90 days of disability – than are officers working other shifts. Overall 9.6% experienced a long-term injury during the 16 year period studied. After adjusting for age and gender, the rates were 3.1 times higher for night shift workers than for day workers. Among the potential contributing factors cited were sleep disturbance and fatigue related impairment in high-risk situations and the higher level and more hazardous nature of activity in evening and night shifts. Night shift workers were also younger, more likely to be male, had less experience and were more likely to be patrol officers.

Another variable, for which there was no apparent adjustment across shifts, was that night shift officers were more likely to be patrol officers (83.8%) than were day (53.5%) or evening (66.1%) officers. Intuitively, one might wonder whether there would be a difference if the researchers had also adjusted for this difference. The full study can be downloaded here.

Respiratory Protection: In Harm's Way/Firefighters and Their Toxic Profession
EHSToday, 1/6/2014

A report published in December 2013 by the U.S. Department of Health and Human Services, the Centers for Disease Control and Prevention and NIOSH, titled "Evaluation of Dermal Exposure to Polycyclic Aromatic Hydrocarbons in Fire Fighters," says that harmful substances enter firefighters bodies even when they are wearing full protective gear, including their SCBA. The researchers believe that the exposure occurs through dermal exposure, specifically at the base of the neck, where protection by the hood is less reliable. It may also have occurred as firefighters were removing their gear. The conclusions noted that the air concentrations during overhaul and investigation were below applicable short-term exposure limits STELs.

The report was published as part of the Health Hazard Evaluation Program. The Health Hazard Evaluation Program permits employees, their representative or employers to ask NIOSH to evaluate whether health hazards are present at their workplace, at no cost. The report describes this as a pilot study. The researchers evaluated three controlled structure burns in two rounds conducted one year apart, involving fifteen firefighters in each round. The report notes that further study is needed to determine how these exposures contribute to a firefighter’s overall internal dose. It makes a series of recommendations to reduce exposure through inhalation and by skin absorption.

A copy of the full study report is available here.



Other Topics of Interest

The Mentally Ill and Law Enforcement
To the Point, 1/16/2014

This recorded radio program explores how proper training can reduce adverse outcomes from police interactions with the mentally ill. Note you can go straight to this broadcast by using the scroll bar about 2/3rds down the window.

How to keep your Millennials happy
Network World, 1/13/2014

Four recommendations for incorporating Millennials effectively into the workplace are:

  • Enable collaboration (Office set up, technology and software)
  • Facilitate the free flow of ideas (Including listening time by senior executives)
  • Accept the blending of work and life (Accept that they may attend to some personal matters at work but will also work when they are not in the office)
  • Recalibrate retention expectations (Don’t expect them to come and make a career at your organization)

Another interesting point is that they are highly motivated by missions in which they believe and organizations that are constantly evolving.

In This Issue
  • Data Breach & Cyber Security
  • Employment Practices
  • Property & Casualty
  • Workers' Compensation
  • Other Topics of Interest
  • Spotlight on RISC Member Pools
  • Focus on Pool Personnel
  • Upcoming Events



Spotlight on RISC Member Pools

Risk Management and Training Safety Officers
Law and Order, 1/2014

Training injuries can account for a significant part of police workers’ compensation claims. To address this problem, the League of Minnesota Cities Insurance Trust has developed a Training Safety Officer Program. The program and the process used to develop it are described in this article co-authored by Robert Boe, Public Safety Project Coordinator for LMCIT. It provides a useful road map for pools interested in this type of program.



Focus on Pool Personnel

Bruce Wollschlager appointed Interim CCM CEO; Ron Thomas to lead CCM advocacy at State Capitol
Connecticut Conference of Municipalities, 1/15/2014

The Board of Directors of the Connecticut Conference of Municipalities (CCM) has appointed Bruce Wollschlager, President and CEO of the Connecticut Interlocal Risk Management Agency (CIRMA) to serve as CCM’s Interim CEO. Senior CCM lobbyist Ron Thomas, Director of Public Policy and Advocacy, will lead CCM’s advocacy efforts before state and federal legislatures. Jim Finley, the former CCM Executive Director and CEO, retired from CCM after serving as its chief executive for nearly seven years, and as an advocate for Connecticut towns and cities for almost thirty-four years.



Upcoming Events

2014 NLC-RISC Trustees Conference ~ Registration now open!
May 8-9, 2014
Westin San Diego Gaslamp Quarter

The NLC-RISC Trustees Conference provides trustees and pool administrators of state municipal league risk pools the opportunity to learn about industry trends, programs, services and pooling best practices. The conference offers many opportunities to share creative ideas and solutions, and to network with peers from across the country.

Conference registration and hotel reservations are now available.  Go to the 2014 NLC-RISC Trustees Conference event page for details. For questions, contact Erin Rian, NLC-RISC Program Manager.