Driving remains one of the most dangerous activities that we engage in at work and in our personal lives. Despite legislative action, increased enforcement, and public awareness campaigns, distracted driving still injures or kills thousands each year. Public agencies face unique challenges in driver safety. Many of our drivers operate in the same areas to complete maintenance and repair activities and may become comfortable driving the same route each day. It’s easy to let our guards down in these situations, which can unfortunately lead to complacency and disaster. Roadway incidents accounted for 1,982 workplace fatalities in 2021, 38.2% of all workplace fatalities. These incidents have been the chief source of occupational fatalities for over 20 years. Preventing vehicle-related incidents starts with a strategic safety program, but what measures are the most successful?

Top 6 Fleet Safety Strategies
Public agencies may have a liquor liability exposure from venues or events such as golf courses, performing arts centers, fundraisers, festivals, and employee holiday parties. No matter how infrequent these events may be, any time activities include the sale or serving of alcohol, your organization may be held responsible for issues relating to the individuals it has served. It is important to understand the potential liability as an entity and as a server of alcoholic beverages. Examples of areas where issues have occurred when serving alcohol include:
Liquor Laws
It is also important to be aware of the liquor laws specific to your state. For example, non-profit entities having and/or hosting private parties on their premises may not need to obtain a venue- or event-specific permit for the sale of alcohol. A liquor license will more than likely be required for events that are open to the public, charge admission, and/or sell alcohol. Specific laws pertaining to servers or establishments serving alcohol that may apply to you are:
State Specific Liquor Laws

Reducing Risk
The following steps can help reduce your liquor liability exposure:
Professional Caterers
Another way to manage your liquor liability risk is to use a professional caterer who can provide the following documentation:
(You should consult an attorney to ensure that indemnity language is sufficient and enforceable in your local jurisdiction.) While some effort is required to verify the qualifications of a caterer, the extra effort will be worth it in terms of transferring the liquor liability risk away from your organization.

Liquor Policies
It is also recommended that you develop an alcohol policy to reduce the entity’s liquor liability exposure, prevent alcohol from being served to minors and intoxicated persons, and minimize the potential for tragedies. Consider implementing the following in your policy.
Host Liquor Liability vs. Liquor Liability
Host liquor liability is often included as an extension of a Commercial General Liability (CGL) policy, while a Liquor Liability Policy is generally a separate insurance policy with more detailed underwriting, rated on the receipts from the sale or distribution of alcohol.
This issue can be confusing when permitting third-party events and verifying that the tenant user of your facility has adequate insurance for their event. Host Liquor Liability is generally responsive when you permit the consumption of alcohol on your premises, but you are not involved in the sale or distribution (even if complimentary) of alcohol. For events where alcohol is sold or distributed, a Liquor Liability policy is needed.

The Log of Work-Related Injuries and Illnesses (Form 300) is required by the Occupational Safety and Health Administration (OSHA) to classify work-related injuries and illnesses and to record the extent and severity of each case. Employers are required to complete the OSHA Form 300 log unless they are exempt. Employers will also be required to post an annual summary (Form 300A) in their workplaces from February 1 until April 30 of each year.

Step 1 - Determine Locations
A Form 300 log is required for each physical establishment location that is expected to be in operation for at least one year. For employees who work from home, OSHA does not consider the worker's home to be an establishment for record-keeping purposes. OSHA considers the worker's establishment to be the office to which he or she reports, from which he or she receives direction or supervision, collects pay, and otherwise stays in contact with the employer. It is at this establishment that the log is kept.

Step 2 - Identify Required Recordings
Work-related injuries and illnesses that result in the following must be recorded:
In addition to the above cases, employers must record the following conditions when work-related:
The OSHA Regulation 29 C.F.R. §1904.7 contains an in-depth overview of recordable injuries and illnesses. Additional information on determining medical treatment and first aid can be located at 29 C.F.R. §1904.7(b)(5).

Step 3 - Determine Work-Relatedness
When an accident occurs, an employer must document a recordable injury or illness on the OSHA Form 300 log within seven days. An injury or illness is considered work-related and must be recorded on the log unless an exception applies. Some exceptions include:
Step 4 - Complete the OSHA Form 300
Employers must take the following steps to fill out the OSHA Form 300:
The Form 300 will contain information related to an employee's health and must be kept confidential to the extent possible while using the information for occupational safety and health purposes. OSHA provides guidance that includes the forms needed for maintaining occupational injury and illness records along with step-by-step instructions. Some workers' compensation providers provide an option to expedite completing the Form 300 with your claim data.

Step 5 - Complete and Post the OSHA 300A Annual Summary
The information from the OSHA Form 300 Log is transferred onto the 300A Summary by matching the corresponding lettered column on the log with the lettered blank space on the summary. The employer must complete the establishment information section and have the summary signed by an authorized executive of the company. Employers must complete the 300A summary form and post the summary in the workplace from February 1 to April 30 of the year following the year covered by the form at each job site in a conspicuous area where notices to employees are customarily placed. For example, accidents occurring in 2022 will be summarized on the Form 300A and posted from February through April 2023. Copies of the 300A summary should be provided to any employees who may not see the posted summary because they do not regularly report to a fixed location.

Step 6 - Submit Electronic Reports to OSHA
Employer establishments with fewer than 20 employees at all times during the year do not have to submit information electronically to OSHA. Employer establishments in certain high-risk industries with 20-249 employees must electronically submit to OSHA information from Form 300A (Summary of Work-Related Injuries and Illnesses) by March 2. Employer establishments with 250 or more employees that are subject to OSHA's recordkeeping regulation must electronically submit to OSHA information from Form 300A (Summary of Work-Related Injuries and Illnesses) by March 2. Effective Jan. 1, 2024, employers with 100 or more employees at an establishment any time during the previous calendar year will need to electronically submit data from Forms 300 and 301 each year if the establishment is classified in an industry identified by OSHA as having elevated injury and illness rates. A list of these covered industries can be found at the end of the final rule in appendix B. The data required to be submitted from Forms 300 and 301 include the date, physical location, and severity of the injury or illness; details about the worker who was injured; and details about how the injury or illness occurred. Covered employers must submit this data no later than March 2 each year. The submission of data from forms 300 and 301 is in addition to the requirement to electronically submit the form 300A summary. For more information, see OSHA Injury and Illness Recordkeeping and Reporting Requirements.

Step 7 - Retain the Log and Summary
The OSHA Form 300 Log and the OSHA 300A Summary must be kept for five years following the year that the log and summary pertain to.
Overview
A businessman going to work slipped and fell while descending the stairs at a light rail station. The incident occurred at 5:30 a.m., and he alleged that the stair landing had accumulated snow and ice that remained from the evening before the accident. An ambulance transported him from the scene, and the emergency department treated and released him within hours. The city and the transit authority both denied liability for maintaining the area, and each declined to make an offer of settlement. The claimant hired an attorney and filed suit against the city and the transit authority. During discovery, city and transit authority employees testified they had shoveled the landing and stairs in the past; however, the agreement between the parties was unclear regarding which one was ultimately responsible. Plaintiff counsel deposed a city maintenance worker, who declared he had been assigned the task of removing snow and ice in the area; however, the worker admitted he had not performed the task and had left the area without clearing the stairway and landing. A transit authority employee testified that he, too, had cleared the landing and stairs previously but not on the date in question. The defense counsel put forward a defense based on an administrative code that specified snow and ice removal does not have to commence for four hours after the conclusion of a storm. A meteorologist retained by the plaintiff rebutted this defense by testifying the snow had concluded at 10 p.m. the prior evening and the wind had been redistributing snow during the morning hours. The city and the transit authority continued to argue that neither of them was responsible for the snow removal, and as time passed, several doctors treated the plaintiff. Throughout the following years, the plaintiff underwent epidural injections of steroid-based painkillers, surgery to insert an artificial disc, and arthroscopic surgery on his right shoulder.
Plaintiff’s counsel presented damages to the jury as follows: $170,000 for medical treatment, $117,000 for past lost earnings, $1,000,000 for future loss of earnings, $5,000,000 for pain and suffering, and $8,000,000 for future pain and suffering.

Outcome
The jury deliberated for 4.5 hours and returned a verdict of $8,050,000 to be split between the city and the transit authority. Notably, the award allocated $6,000,000 for future pain and suffering and $1,100,000 for future loss of earnings. Posttrial motions to dismiss claims for lost future earnings and future pain and suffering were denied, and each party had to pay its own litigation expenses.

Problem
The city and the transit authority did not have a signed agreement that clearly documented maintenance responsibilities for the light rail station platform stairs. The city assigned employees to clear the snow from the area; however, the employee in question did not do so before leaving his shift, mistakenly assuming the transit authority personnel would clear the area. The city and the transit authority could have created a joint defense agreement to efficiently defend the case and resolve the liability dispute between them prior to submitting the case to a jury. Where there is a common interest in defending a case, two or more parties may create a joint defense agreement to share expenses and evidence without waiving attorney–client privilege. In this case, the parties may have considered sharing the cost of an economic expert to dispute future wage loss or a medical exam to review whether the plaintiff had reached maximum medical improvement. Ideally, the defendants would have collaborated and resolved the case short of trial.

Lessons Learned
Recent jury verdicts reflect generous awards for plaintiffs with objective and subjective injuries. Juries are likely to split liability when clear evidence is not presented to establish responsibility.
Rather than rely on a jury to decide the fate of a defendant, when there are two or more parties potentially liable for an incident, it is advisable to identify whether a common interest and efficiency can be gained in compromising on a liability split and defending a lawsuit together. Public entities are encouraged to practice risk management and cost-effective litigation management for trip-and-fall cases, as follows:
Note
Although the statements above are based on actual incidents, some facts might have been altered for illustrative and educational purposes. The aforementioned information is not intended as legal advice. Contact an attorney to discuss the specific facts of your case.
Organizations that supervise or work with youth, or organize youth-focused events, are under a legal and moral obligation to protect against sexual abuse and misconduct. The National Child Abuse and Neglect Data System (NCANDS) reports that nearly 70 percent of all reported sexual assaults (including assaults on adults) occur to children ages 17 and under, and that 50 percent of abused children are abused by someone outside of the family whom they know and trust. To help protect minors and the organization, define and implement a strong sexual abuse and misconduct risk management program supported by leadership. Consider the following suggestions to help protect organizations and youth.

Utilize the Employee/Worker Selection Process
Use the selection process to help monitor who is being brought on board. Formal applications, professional and personal reference checks, and face-to-face applicant interviews followed up with thorough background checks for employees, volunteers, board members and others (e.g., contractors) affiliated or doing regular work with the organization can help to mitigate the risk of sexual abuse and misconduct. Regardless of the organization’s size, perform due diligence to help ensure persons with criminal backgrounds are not being put in situations where harm to others is likely, particularly minors.

Increase Awareness of Reporting Procedures
Victims and witnesses of abuse or misconduct may not complain, especially where there is a lack of knowledge (or trust) of internal reporting, investigative and resolution processes. Bring awareness of the internal and external complaint and investigation procedures to persons affiliated with the organization. Publish a written sexual abuse and misconduct prevention policy that is easy to understand and deliver it to persons associated with the organization.
Lack of Knowledge
Periodic and wide dissemination of how to report sexual abuse or misconduct may help empower the most vulnerable to seek internal or external resolution.

Lack of Power
Victims of abuse and misconduct may be persons without power, authority, or tenure. They may fear lodging a complaint against a long-term and respected individual within the organization. Victims, witnesses, or others made aware of wrongdoing may not trust the neutrality and transparency of the organization’s internal investigation or response processes when the alleged offender is a prominent figure in the organization.

Deterrent Effect
A perpetrator may be less likely to commit misconduct if he or she knows the victim(s) and witnesses receive periodic prevention training, have a clear understanding of the available avenues of complaint, and that the organization will take decisive actions to stop wrongdoing.

Train Everyone
Train employees, volunteers and youth associated with the organization and their parents or guardians on the prevention of sexual abuse and misconduct. Regular training sends the message that wrongdoing is not tolerated and immediate response processes are in place. Educate individuals on the organization’s policy against sexual abuse and misconduct and the avenues of internal and external complaint and resolution. Allow the opportunity for questions to be answered during and after training sessions. Because of the serious nature of the subject matter, a victim, witness, or other person that suspects or learns of sexual abuse or misconduct may feel most comfortable asking a trainer questions in confidence after a group training session. Not providing a periodic training forum may keep inappropriate behavior or incidents in the dark and may foster an environment where problems continue or escalate. Consider utilizing a professional from outside the organization to facilitate training on sexual abuse and misconduct prevention for all groups.
A third-party expert helps demonstrate the organization’s transparency and willingness to prevent, learn of, and promptly respond to misconduct.

Maintain Healthy Boundaries
A safe environment includes the establishment of healthy boundaries between youth and adults. It is important to understand “grooming” behaviors, defined as methods by which abusers target a potential victim, win the trust of the youth, manipulate the child to engage in sexual activity and command the child not to disclose the abuse. Examples of inappropriate grooming behaviors may include, but are not limited to:
Investigate and Respond
Investigate all allegations of sexual abuse or misconduct. It is also important to investigate conduct that may be characterized as potential grooming behavior. Follow the legal requirements in the organization’s state to report allegations or incidents of sexual abuse or misconduct to appropriate law enforcement or child protective services organizations.

Internal Investigation Procedures
Following standardized internal investigation and interviewing procedures may help ensure uniformity and fairness. It is recommended that those within the organization designated as internal investigators receive training on how to respond appropriately and legally to sexual abuse or misconduct suspicions or accusations.

External Investigation Resources
Persons accused of inappropriate sexual behavior, misconduct or abuse may be in positions of authority. Therefore, utilizing an outside third-party investigator for sexual abuse or misconduct allegations may be an appropriate risk management step to defend the integrity of the investigative process. External third-party professionals can often help protect against real or perceived cover-up in the investigation or resolution of the misconduct allegation. Several factors to consider when determining whether utilization of a third-party investigator would be beneficial in responding to an allegation of wrongdoing include:
Duty to Report Suspected or Alleged Sexual Abuse or Misconduct
It is not recommended that the reporter investigate or assess the validity or credibility of an allegation of abuse as a condition before reporting the allegation to proper law enforcement authorities. Consult with the organization’s legal counsel to determine the state, federal, or other jurisdictional requirements to report suspicions or allegations of child sexual or physical abuse.

Require Signed Acknowledgement
Employees, volunteers, and youth affiliated with the organization and their parents or guardians may be provided acknowledgement forms for their signature, with a return copy to the organization. Well-written forms include statements that the organization will conduct a prompt and thorough internal investigation and complete a conflict of interest check to help ensure persons named in a complaint will not be part of the investigative team or efforts. Inform persons and ask them to acknowledge their understanding that an outside third-party investigator may be utilized to resolve allegations of wrongdoing, which emphasizes the organization’s transparency. Note the organization’s legal responsibilities to report suspected or alleged sexual abuse to appropriate law enforcement authorities on the acknowledgement form. Also, give persons an opportunity to ask questions about the organization’s sexual abuse and misconduct policy, accompanying training and content of the acknowledgement form.

Monitor & Adapt Program
Designate persons within the organization to be primarily responsible for monitoring the effectiveness of the sexual-abuse risk management program. Not only monitor compliance, but solicit feedback to determine ways to improve the understanding and impact of the policy, training and other risk management efforts.
Insurance Coverage
Due to the increasing frequency and severity of sexual abuse and molestation claims, many insurance companies severely limit or even completely exclude coverage for claims arising from allegations of sexual misconduct, including abuse and molestation. It is critical to evaluate and understand how your insurance program will respond in the event of a claim. Some insurance companies will remove the sublimit, allowing the full liability insurance limit to be available for claims in this area, if appropriate controls are in place.

Summary
Organizations have a duty to protect employees, volunteers, and others associated with the organization from wrongdoing. Prevention of sexual abuse or misconduct is increasingly important where organizations are engaged in activities with youth and vulnerable adults.

Resources
Over the past three years, a robust cyber insurance program and cyber risk posture has become more crucial than ever. Cyber threat actors have increasingly taken advantage of new network vulnerabilities at an alarming rate, resulting in a rapid increase in the frequency and severity of cyber claims. Ransomware threats continue to be the most prevalent and damaging to public agencies.
Alongside the rapidly increasing risks in this area, our postures for risk mitigation have improved significantly. Many organizations have been rapidly pivoting to deploy new processes, systems and protocols to improve their cyber risk profile. Multifactor authentication in particular has proven to be one of the strongest defenses against threat actors gaining access to our systems. The underwriting of cyber liability insurance policies has evolved significantly over the past three years as well. What was once a routine, brief application with very basic questions regarding cyber security posture is today an extensive application that requires in-depth technical information regarding systems, processes, security and future system changes and upgrades. In conjunction with the information directly provided to underwriters, underwriters are also employing extensive tools to evaluate cyber risks from a public-facing standpoint, and often make underwriting determinations exclusively based on information collected through scanning and monitoring of systems, not necessarily what was included on applications. Insurance companies now have a far better understanding of where claims originate, and how severe these claims may ultimately be. Consequently, some insurance companies have embedded ‘trap-doors’ in their cyber policies, often with innocuous-sounding names; however, these new provisions are anything but innocuous. These new provisions can reduce and even completely eliminate your cyber coverage in the middle of your policy term, based on changes in the insurance company’s scanning and monitoring activities, or if you fail to apply software patches. One example: if a vulnerability is identified in the middle of your policy term, your policy could contain a provision that begins to reduce your cyber insurance limits and coverage grants, while increasing your deductible or retention (e.g., excluding ransomware).
These new provisions are most commonly included on group purchase cyber insurance policies, where the underwriting process may not be as rigorous. In this evolving cyber risk environment, it is not uncommon for insurance companies to revisit the terms and limits they are providing at each policy anniversary as part of the renewal underwriting process. However, cyber insurance policyholders should not tolerate these types of mid-term restrictions in coverage, which could take effect without any notice to the policyholder of the reduction in coverage until a cyber claim occurs, at which point the policyholder would be left with little, if any, responsive cyber insurance. Please contact us today if you have any questions regarding your cyber insurance program.

Do not underestimate the impact you can have on reducing the potential damage and disruption to your organization if flooding occurs. There are countless examples of employees taking impromptu steps that have reduced potential damage and disruption during a flood emergency. Formal advance plans, such as a flood emergency response plan, have the advantage that those involved are aware of the most important steps to take and have adequate resources on hand. What is unique to planning for flood is that, by understanding the event to which you are exposed, you can factor in warning times that do not exist in many other emergencies. This is the key to an effective flood emergency response plan. Before developing a plan, take a hard look at equipment and/or processes in your basement or other low-lying areas. Relocating this key equipment and/or processes to higher levels has a major – and permanent – impact on your potential loss should flooding occur and does not rely on human intervention in the event of a flood.
Protecting Your Property
There are steps you can take to protect your property from the ravages of flood, but remember – emergency actions to protect your property from flooding are very different from the actions needed in case of fire. Flood emergency actions need time to be put into place. By taking the time to understand the potential flood event that could affect your facility, you can make good use of what warning time is available, however limited. And if the potential flood event affects a wide area, make sure you consider the impact on resources you might otherwise use, such as contractors and emergency agencies. Insurance industry loss data from FM Global and other large property insurers has shown that facilities with well-organized flood emergency response plans have nearly 70 percent less damage, and resume operations sooner, than those locations without a flood emergency response plan, or with an inadequate one, in place. The key to success? Spending an adequate amount of time developing a flood emergency response plan prior to the flood.

Consider Taking the Following Steps
Remember, it’s important to develop a flood emergency response plan for your specific facilities. Don’t adopt a plan that’s been prepared for another agency; your plan must reflect your local conditions and be governed by the contents, equipment and construction of your facilities.

The Ultimate Authority
As you prioritize actions, be sure to evaluate the business impact of each step. Actions that do not affect normal business activities are easy to implement with the right resources. Once your plan starts to affect your business, establish the most appropriate level of authority necessary to shut down your facility. Do not underestimate the challenge this presents – the success of the entire plan depends on working ahead of the flood, so you are reliant on flood-warning information. Taking action can lead to disruption. After all, there is always the chance that predictions will be wrong, and the flood may not occur. By truly understanding the potential flood event, as well as the nature of the warning and timing, you will be able to determine a point of no return, after which your plan will not have time to work. This may be the most critical part of the plan, so it’s essential that management is aware of the implications, supports the plan, and agrees as to who has the authority to put the plan into place – regardless of the immediate operational implications.

Only One Piece of the Puzzle
While a well-developed flood emergency response plan can be effective, you can have a great impact by taking some physical steps to protect key parts of your business. Where possible, relocate key processes and/or material from basements and low-lying areas to other parts of your facilities at elevations higher than the expected flood. If this is not practical, consider protecting individual areas and/or equipment by:
A Well-Planned Flood Emergency Response Plan Should Include:
Resources
In recent years, the property insurance market has paid record claims, resulting in escalating rates and a more focused review of loss control programs. Loss control greatly improves an organization’s risk profile, and often earns more favorable treatment from insurance underwriters. Many losses can either be avoided or minimized by adopting essential risk practices.

Know the Risks
Many catastrophic events can be forecasted with risk modeling services. These services review the historic characteristics of an insured property and the surrounding area. The most common catastrophic risks arise from named windstorms and convective storms, including tornadoes, hail, or severe thunderstorms. Catastrophic loss events can also arise from earthquakes, particularly in areas with major fault lines. Flood events and wildfires have seen increased frequency in the past few years. Each of these events presents unique challenges and requires special planning to mitigate the potential damage that can arise.

Fire Sprinkler Systems
Most commercial buildings have fire suppression systems. These systems primarily consist of sprinklers to suppress or contain a fire until fire services can be deployed. Fire sprinkler systems have several components that need to be inspected and maintained on a regular basis. Fire systems have central monitoring through a network of sensors which alarm when fire conditions are present. The sprinkler valves open when heat is present, and the central monitoring panel will alarm to alert you that the system has activated. The best practice is to complete a weekly review of the system including risers and valves. Quarterly, the system should be inspected by a fire sprinkler contractor to review the maintenance and overall operation of the system. Annually, the fire sprinkler system should be tested, and any necessary maintenance or upgrades should be completed. The fire sprinkler system maintenance should be documented.
When the fire sprinkler contractor issues their report, it should be reviewed for any outstanding or recommended maintenance items. These items should be scheduled for completion as early as possible. When a system needs to be shut down for maintenance or repair, most property insurance companies require notification through a tag or permit system. The occupancy of each area protected by fire sprinklers should be evaluated to ensure the sprinkler heads are designed for the current use of the area. A change of use of an area from office to storage, or a change to the quantity of stored material, may necessitate adjustments to the sprinkler system to ensure that it will function correctly in the event of a fire. A well-maintained fire sprinkler system is not only vital to preserving the building but is also key to life safety, ensuring building occupants have adequate time to safely evacuate.

Domestic Water Leaks
Domestic water leaks are the leading cause of loss to commercial properties. A domestic water leak plan can help to significantly reduce the impact of water damage to our properties, and should include a map with the location of all valves and fixtures, as well as contact information for on-call or contracted maintenance technicians to quickly address any needed repairs. Areas around water valves should also be inspected periodically to identify any slow, gradual leaks, which may contribute to mold or other water damage related issues.

Emergency Utility Shut-Off
A utility shut-off plan should include the location of utility valves and switches identified on a map, available to all employees. The necessary keys to access shut-off areas and the tools to shut off all utilities should be clearly available and identified. On a regular basis, drills should be completed to measure how quickly the shut-off locations can be identified and accessed.
The drills should also be completed in simulated conditions, such as finding a shut off valve or panel in dark conditions, or in adverse weather conditions. Employees should also be trained to identify unusual circumstances, which require shutting down a utility. This may include unusual sounds or strange smells, that may require further investigation or shut off. Often early intervention when a problem arises will protect the building and allow for a more contained response to the problem. The most common areas that may require shut off are the failure of motors or other electrical apparatus or extraordinary weather events. Electrical Panels and ServiceA minimum of 36 inches clearance should be maintained on all electrical panels, transformers, electrical motors, switch gear and mechanical equipment. Ideally rooms containing electrical or mechanical equipment should not be used for storage. Infrared scanning should be completed annually for all electrical panels and equipment to ensure hot spots or problem areas will be identified and corrected before a catastrophic failure occurs. If a building has a backup battery system or UPS system, the UPS systems needs to be evaluated regularly, with frequent service and rotation by qualified contractors. If backup generators are used, then they need to be exercised regularly, with the fuel source checked as part of regular maintenance. Loss Prevention DividendA well-run building reduces the potential for fire or other hazards that could occur and results in more effective loss prevention. This ultimately provides better loss experience and more favorable property insurance rates. In addition to the insurance cost savings, a loss-free building saves on the indirect cost that would otherwise disrupt normal operations and the efficient operations of those that rely upon the building.
As the shortage of qualified commercial drivers intensifies, it’s important for fleet managers to be reminded of good hiring practices. The challenge for fleet managers will not only be to fill increasing numbers of vacant positions, but also to ensure safe drivers are behind the wheels of an organization’s vehicles. From the interview to the requirements for employment, every fleet should have a clear driver hiring process.

What are the Requirements for Hiring Drivers

Formal hiring guidelines are crucial to ensuring every driver has been properly and consistently vetted. Industry best practices include the following minimum requirements for hiring drivers:

How to Review an Applicant's Motor Vehicle Record (MVR)

Meeting the minimum requirements for a driving position is only the beginning of the vetting process for new hires. A thorough review of an applicant’s motor vehicle record (MVR) will reveal even more. Past violations noted on the MVR are often an indication of the potential for future accidents and violations. According to the American Transportation Research Institute, the occurrence of one of the following moving violations increased the likelihood of becoming involved in a crash by the following amounts:

Beyond identifying violations, the MVR will provide information on the applicant’s license endorsements and any restrictions they may have. You need to make sure your applicants have the necessary endorsements for the cargo they will be hauling. For example, if your organization transports hazardous materials, drivers will need a HAZMAT endorsement.

How to Conduct Driver Interviews

In addition to a thorough MVR review, a well-organized interview will help you better assess the values, personality and work ethic of potential drivers. These soft skills are a solid indication of what often characterizes a long-term and valued employee. Ask open-ended questions during the interview about the candidate's driving history and what they have done to improve their driving skills. You may want to ask applicants to complete a written test and a driving test as part of the interview process. If you decide to hire the applicant, consider hiring them on a temporary basis to make sure their driving skills and habits are a good fit. Remember, you are hiring someone who represents your organization and your organization’s stakeholders, protects the public from accidents and ensures the safety of your operating vehicles. The more comprehensive the hiring process, the greater the likelihood of putting the right person behind the wheel.

Provide Frequent Driver Training

Driver error is the most significant cause of vehicle accidents. As an employer, it is your responsibility to make certain drivers receive ongoing training to ensure their safety and the safety of the public. Options include classroom training, vehicle-specific field training, online training programs, tailgate meetings, and supervisor ride-along observations, among others.

Driver Monitoring Services (Vehicle Telematics)

In addition to consistent and frequent driver training, incorporating a comprehensive driver monitoring service can provide invaluable insights into driver behavior, including recognized high-risk driving maneuvers (e.g., hard braking, sudden lane changes, excessive speed).
Business email compromise (BEC), also known as “CEO fraud,” is one of the most expensive forms of cyberattack, yet organizations continue to overlook it as a significant and active threat. Traditionally, BEC is defined as a sophisticated form of phishing in which the criminal takes over the email account of a high-ranking official and uses it to conduct social engineering attacks on employees, contractors and vendors. The ultimate goal is to steal money, often through fraudulent wire transfers. While ransomware receives the lion’s share of attention, BEC-related theft can be just as expensive as a ransomware demand, if not more so. According to IBM’s Cost of a Data Breach Report 2022, “BEC and phishing attacks led to the highest average breach costs—about $4.9 million per incident.” The FBI reports that BEC scams have cost businesses over $43 billion globally since 2016, making it one of the most costly forms of attack used by cybercriminals.

Recently, a growing number of BEC-style attacks have been moving to communication platforms other than email, such as SMS, messaging apps, social media and collaboration platforms like Slack. Some hackers are even combining deepfakes with BEC tactics on video conferencing platforms. Over the coming year, risk managers should expect to see a surge in these new “hybrid BEC” attacks that will put their organizations’ cybersecurity processes to the test. Here are key points for risk managers to be aware of:

There are many variations within these attacks

While account takeover and key staff impersonation traditionally define BEC attacks, the risk has become more complicated as these attacks frequently deviate from the standard definition. Therefore, it is important for risk managers to understand that BEC is more of a concept than a specific act and to expect wide variations in real-world attacks. For example, many BEC attacks use spoofing instead of actual account hacking. They may also skip senior staff completely and use the account of a lower-ranking employee, IT personnel, third-party contractor, vendor or even a customer. They may target personal accounts instead of work accounts. Additionally, they often use means other than wire transfers to steal money. For instance, many cybercriminals these days are more partial to gift card payments because these cannot be canceled and are harder to trace. In some cases, BEC hackers may not be after money at all; they may use the same tactics to steal information, such as client information, intellectual property or employee W2s.

BEC is a communication attack, not just an email threat

At their heart, BEC attacks are about exploiting trusted communications, not just email. This means any communication channel employees use in their professional or personal lives can be a target. While corporate email has long been a focal point for BEC and other types of phishing scams, improvements in email security have made these attacks harder for cybercriminals. Since hackers often look for the path of least resistance, many are now expanding these scams to personal email accounts and other communications platforms. These platforms, including SMS, messaging apps, social media, video conferencing and collaboration platforms like Slack, often have little built-in scanning for malware or malicious messages, and they are not able to detect a hijacked account. Most companies also lack sufficient monitoring of these platforms, which creates an enormous blind spot for potential attacks.

Mobile messaging attacks are on the rise

One of the most significant new forms of BEC is the mobile messaging attack, which became prevalent in 2022 as a wave of attacks targeted organizations both big and small. One of the most prominent cybercrime groups to use the mobile BEC attack is known as “0ktapus.” This group successfully targeted over 130 companies using these tactics, including many well-known brands like Twilio, Doordash and Mailchimp. In a mobile BEC attack, the hacker uses SMS messages and/or messaging apps like WhatsApp to carry out a social engineering attack on employees. One of the most popular types of mobile BEC scams is the fake IT notification, where a hacker impersonates someone in the IT department and notifies the employee that they need to update or authenticate one of their important IT services, such as Office 365, identity management platforms, VPNs or remote access. The hacker may send a fake login link and will ultimately try to steal the employee’s password and two-factor authentication codes, giving the cybercriminal full access to the account and a backdoor into the company’s network. These attacks can be difficult to detect, particularly over SMS, since text messages are not authenticated the way emails are. Mobile carriers allow any phone number, including VoIP and fake phone numbers, to send text messages to a person’s phone without verification.

LinkedIn phishing scams are becoming increasingly common

In another variation of BEC scams, hackers now frequently use social media to carry out targeted spearphishing attacks on executives and key employees that can lead to data breaches through stolen credentials or malware. This is especially common on LinkedIn, which presents an ideal platform for BEC attacks because it is an easy way for hackers to reach C-level executives, HR managers and department heads directly without having to worry about whitelisting protections or spam filters. These attacks are becoming extremely sophisticated, with many hackers even using artificial intelligence tools to create “synthetic” headshots.
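The email-side authentication that SMS lacks is worth seeing concretely. The following Python script is an added example, not code from the original article or from any vendor it mentions; it shows the checks an inbound mail filter applies to catch the spoofing and impersonation variants described above: an executive's display name on a non-corporate address, a lookalike sender domain, a Reply-To that diverges from From, and a failing DMARC result in the Authentication-Results header stamped by the receiving mail server. The organisation domain, the executive directory and the two messages are constructed assumptions for the demonstration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Assumption: directory of senior staff whose names a BEC message is likely to borrow.
EXECUTIVES = {
    "jane doe": "jane.doe@example.org",
    "john smith": "john.smith@example.org",
}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.org vs example.org)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(raw: bytes) -> list:
    """Return a list of BEC indicators found in one RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Display-name impersonation: a known executive's name on an address we do not expect.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Lookalike domain: within two edits of our own domain but not equal to it.
    if domain and domain != ORG_DOMAIN and _edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {domain}")

    # 3. Reply-To pointing somewhere other than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to mismatch: replies go to {reply_to}")

    # 4. DMARC verdict recorded by the receiving MTA in Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    verdict = re.search(r"dmarc=(\w+)", auth)
    if verdict and verdict.group(1).lower() != "pass":
        findings.append(f"dmarc={verdict.group(1)}")
    elif not verdict and domain == ORG_DOMAIN:
        findings.append("no DMARC result for a message claiming our own domain")

    return findings


# Constructed sample messages (not real traffic).
SPOOFED = (
    b'From: "Jane Doe" <jane.doe@examp1e.org>\r\n'
    b"Reply-To: <finance-desk@freemail.example>\r\n"
    b"To: payables@example.org\r\n"
    b"Subject: Urgent wire needed today\r\n"
    b"Authentication-Results: mx.example.org; spf=fail; dkim=none;"
    b" dmarc=fail header.from=examp1e.org\r\n"
    b"\r\n"
    b"Please process the attached wire before noon. In meetings, do not call.\r\n"
)

LEGIT = (
    b'From: "Jane Doe" <jane.doe@example.org>\r\n'
    b"To: payables@example.org\r\n"
    b"Subject: Q3 vendor review\r\n"
    b"Authentication-Results: mx.example.org; spf=pass; dkim=pass;"
    b" dmarc=pass header.from=example.org\r\n"
    b"\r\n"
    b"Agenda attached for Thursday.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze_message(raw))
```

None of these checks exists for SMS: a carrier delivers a text from any number with no equivalent of the Authentication-Results header, which is why the article's advice to verify IT and payment requests through a separate, known channel matters more on mobile than on corporate email.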
Because this creates new images, they cannot be identified as fakes through reverse image searching online, though that is still a safety measure worth trying. Organized criminals will take the time to create an authentic-looking LinkedIn profile, build a large network of business connections and approach their targets through a convincing pretext, such as a business referral, job recruitment or resume submission. They will frequently impersonate other business executives, headhunters or vendors. Most of these attacks happen through LinkedIn direct messages, but the cybercriminal may push the victim to continue the conversation on a different platform like WhatsApp. Although LinkedIn scans for viruses in attached files sent through its messaging portal, sophisticated hackers may still be able to beat this security check.

Beware of virtual impersonation scams

Deepfake tools and other machine learning and artificial intelligence technologies are creating new possibilities for BEC attacks, but are still in their infancy. In 2022, the FBI issued multiple alerts about the rise in BEC-style scams taking place on video conferencing platforms like Zoom. By using deepfake tools, hackers can engage in live “virtual phishing” attacks on company employees by impersonating senior executives in a fake meeting. Hackers are also exploiting the remote interview process by impersonating job candidates for IT positions and other sensitive roles in order to gain access to important organization systems and information. Organizations should also be aware of the potential for BEC “vishing” attacks that use audio deepfakes to impersonate the voice of an executive. This tactic is already being used by cybercriminals to steal money and information from companies. For example, in a case that was brought to light in 2021, fraudsters were able to steal $35 million after using forged email messages and deepfake audio to convince an employee of a United Arab Emirates company that a director had requested the money as part of a corporate acquisition. Some cybercriminals are also using AI tools to launch targeted attacks on key executives, such as a 2019 case in which the attackers were able to mimic a CEO’s voice accurately enough to call the chief executive of a subsidiary and convince him to wire funds to another firm.

How to minimize your organization's risk

Hybrid BEC attacks will be challenging to prevent completely because they take advantage of trusted business relationships and communication channels to manipulate employees. They also exploit a growing vulnerability in corporate security programs created by the increasingly blurry lines between work and private life when it comes to digital communications and devices. However, companies can significantly reduce their risks by implementing a layered defense approach, which should be equal parts prevention and post-breach contingency planning.

The first step is for companies to address the blind spot in their communications. Strict policies should be in place for how employees use non-email platforms like messaging apps, texting, social media, video conferencing and collaboration platforms. These rules should clearly state what can and cannot be done on these platforms, what information (if any) can be shared, and with whom employees can communicate. It is particularly important that sensitive tasks like payment authorizations, IT updates, password reset requests and document requests have a prescribed process that must be followed, and dual authentication should be mandated.

Since account takeovers are a common pathway for BEC hackers, all executives and employees should be educated on how to create strong, unique passwords for their personal email accounts, and how to enable multi-factor authentication protections. They should also understand the various ways hackers can steal these passwords, from tricking them with fake login pages to buying older passwords on the dark web and stealing session cookies for browser-based applications.

In addition to these preventive steps, companies also need to prepare for the possibility of a successful BEC attack. This means implementing a number of damage control measures, such as requiring encryption for documents shared over any digital platform, so that if an employee’s account is hacked, the cybercriminal will not be able to access these files. Additional measures companies should take to reduce their overall risk from BEC include implementing employee access controls, contractor/vendor security controls, rigorous cancellation of old/expired user accounts, network segmentation and data protection through backups and encryption.
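The "prescribed process" with dual authentication for payment changes is the control that most directly defeats the wire-fraud, gift-card and vendor-impersonation variants described earlier. The Python below is an added example written for this page, not the article's own process or any particular finance system; it encodes the three rules a practitioner would enforce for a vendor bank-account change: the request must arrive on an approved channel (not chat, SMS or a bare email), the change must be confirmed by calling the phone number already on file for the vendor (never the number supplied in the request), and two different approvers, neither of whom submitted the request, must sign off. The vendor master record, channel allowlist and request contents are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Dict, List

# Assumption: channels on which a banking change may be initiated at all.
ALLOWED_CHANNELS = {"vendor-portal", "signed-form"}


@dataclass
class VendorRecord:
    """What accounts payable already knows about a vendor from onboarding."""
    name: str
    bank_account: str
    verified_phone: str  # captured at onboarding; the only number used for callbacks


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_via: str            # channel the request arrived on
    phone_in_request: str         # number the requester asks us to call (untrusted)
    submitted_by: str             # AP clerk who entered the request
    approvals: Set[str] = field(default_factory=set)
    callback_confirmed_with: Optional[str] = None


class DualControlError(Exception):
    """Raised when a step would violate the prescribed process."""


def confirm_callback(req: BankChangeRequest, phone_dialed: str,
                     vendors: Dict[str, VendorRecord]) -> None:
    """Record an out-of-band confirmation; only the number on file counts."""
    record = vendors[req.vendor]
    if phone_dialed != record.verified_phone:
        raise DualControlError(
            f"callback must use the number on file ({record.verified_phone}), "
            f"not {phone_dialed}")
    req.callback_confirmed_with = phone_dialed


def approve(req: BankChangeRequest, approver: str) -> None:
    """Add an approval, enforcing separation of duties."""
    if approver == req.submitted_by:
        raise DualControlError("submitter cannot approve their own request")
    req.approvals.add(approver)


def violations(req: BankChangeRequest) -> List[str]:
    """List every rule the request still fails; an empty list means it may be applied."""
    problems = []
    if req.requested_via not in ALLOWED_CHANNELS:
        problems.append(f"channel '{req.requested_via}' is not an approved intake channel")
    if req.callback_confirmed_with is None:
        problems.append("no callback confirmation on the number of record")
    if len(req.approvals) < 2:
        problems.append(f"{len(req.approvals)} approval(s) recorded, 2 required")
    return problems


def apply_change(req: BankChangeRequest, vendors: Dict[str, VendorRecord]) -> List[str]:
    """Apply the change only when no rule is violated; otherwise return the violations."""
    problems = violations(req)
    if not problems:
        vendors[req.vendor].bank_account = req.new_account
    return problems


def build_vendors() -> Dict[str, VendorRecord]:
    # Constructed vendor master data for the demonstration.
    return {"Acme Supply": VendorRecord("Acme Supply", "ACCT-0001", "+1-555-0100")}


if __name__ == "__main__":
    vendors = build_vendors()
    # A request that arrived by email-style pretext, asking us to call a new number.
    req = BankChangeRequest("Acme Supply", "ACCT-9999", "chat",
                            phone_in_request="+1-555-0199", submitted_by="clerk_a")
    print(apply_change(req, vendors))  # lists every unmet rule; account unchanged
```

The design choice worth noting is that `confirm_callback` takes the number actually dialed and compares it to the master record, rather than trusting `phone_in_request`: in the deepfake-audio cases cited above the attacker controls whatever number the message supplies, so the only safe callback is to contact details that predate the request.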