​A well-crafted fleet safety program can provide significant benefits to organizations and public agencies of any size. Driver monitoring is an essential element of every fleet safety program. This is typically accomplished by evaluating and monitoring Motor Vehicle Records or MVR’s.  MVR monitoring has been the standard practice to assure that drivers maintain an acceptable driving record, on and off the job. However, the MVR monitoring process is not perfect.  There can be a significant lag time of weeks or months before a citation is posted to a drivers MVR, especially for serious offences likes DUI and reckless driving.

Vehicle telematics are not a new development in fleet safety.  For over 20 years many operators of large commercial fleets have incorporated some form of telematics to obtain additional information about how and where their vehicles are operated.  In recent years, the capabilities of telematics solutions have increased significantly.  In addition to location, speed, and idling time, telematic systems today can provide valuable additional information:

• Braking severity
• Excessive acceleration
• Unsafe cornering speeds
• Geofence notifications
• Excessive idling 

Today’s telematic systems can alert drivers and supervisors at predetermined thresholds and can also be connected to road and cab facing cameras to obtain a far more accurate view of an event.  A telematic program requires the support of senior management.  Management not only must support the cost of implementation and ongoing system costs, but also the changes to organizational culture.
​
There is a tendency for employees to resist telematic programs, as they can be perceived as a tool that takes away flexibility and independence in job performance.  Training can offset many of these concerns.  It is important that employees understand the purpose of the telematics program is to improve overall fleet safety for the entire organization.  Employees should also be educated and on what metrics are being monitoring and what driving behaviors will trigger alerts. 

A County government with 3,000 drivers installed telematics throughout their fleet of commercial and private passenger vehicles in early 2018.  The county informed employees that these systems would be installed, and internally monitored the data, with no employee notifications given for several months. When the County reviewed the preliminary data from their newly installed system, they found that over 80% of their drivers exceeded the speed limit by more than 10 miles per hour, for more than 2 minutes, monthly.  This was significantly higher than the county had anticipated.

In early 2019 after the county had internally monitored driver performance for more than six months, they established safety and performance goals to use as a benchmark for evaluating driver performance.  These benchmarks were widely circulated to all employees, so that they would be aware of the desired goal and their individual performance.
​
The next step was to start notifying employees and their supervisors of any unsafe driving behaviors that exceeded the notification thresholds. As employees became aware of their own performance, behavior changed.  By the end of 2019, the percentage of county drivers exceeding the speeding criteria was reduced from 80% to 2%.  The county also experienced a 53% reduction in their at-fault vehicle accidents.

​Telematic systems can be an incredibly valuable resource for any public agency.  Those with installed telematic systems consistently experience a reduction in vehicle claims, an in improvement in driver awareness to unsafe behaviors, and see a significant reduction in fleet maintenance and fuel expenses.

​Every year OSHA compiles a list of the ten most-cited standard violations from the previous year.  OSHA publishes this list to alert employers about these commonly cited standards so they can take necessary steps to find and correct recognized hazards before an incident occurs. The 2020 fiscal year statistics, which ended Sept. 30th, have just been released and not surprisingly, the list’s actual violations stayed the same as the previous year, though some standards changed places on the list. Fall Protection remained in the number one spot while ladders rose one spot to number five. Respiratory Protection also moved up two places to number three on the list, while Lockout/Tagout dropped two places, from fourth to sixth.  

Let’s Take a Look at the Top three in more detail:

1. Fall Protection - It is not unexpected that fall protection stayed at number one, with 5,424 total violations. Fall protection, or the lack of it, continues to be a problem at many job sites. It has been the most cited regulation for ten straight years. In 2019, there were 800 fatal falls in the US, and they continue to be the leading cause of death in the construction industry, according to Bureau of Labor Statistics data. Unfortunately, many employers do not provide adequate fall protection equipment and the appropriate training for required equipment, when it comes to falls from rooftops, ladders, scaffolds, and other fall exposed areas. Fall prevention training was number eight on OSHA’s list. The OSHA standard for Fall Protection may be found here - https://www.osha.gov/fall-protection. 
   
   
2. Hazard Communication - Is again near the top of the list. Hazard Communication regulations require employers who use hazardous chemicals to develop an effective written HazCom program, provide training to workers and make available copies of Safety Data Sheets (SDSs) for each chemical in the workplace.  It also requires labeling on each chemical container. Keeping SDS’s up to date can be a challenge, particularly for those with multiple locations.  Many organizations have migrated their SDS’s to online platforms that are available to all employees, all of the time, and can be updated instantly when SDS sheets change.  The OSHA standard for Hazard Communication may be found here - https://www.osha.gov/hazcom. 
   
   
3. Respiratory Protection - OSHA’s respiratory protection standard sets expectations for control measures, respirator use, cleaning and repair, written programs, and medical evaluations for workers who wear respirators. Regulators typically cite this standard for lack of medical evaluations, implementation of a written respiratory protection program, and fit testing.  The OSHA standard for Respiratory Protection may be found here - https://www.osha.gov/respiratory-protection.
   
   The top ten list is rounded out with the following citations.
   
   
4. Scaffolding.
5. Ladders.
6. Lockout/Tagout.
   
7. Powered Industrial Trucks.
8. Fall Protection – Training Requirements.
   
9. Personal Protective and Life Saving Equipment – Eye & Face Protection.
   
10. Machine Guarding

Do any of the regulations on the list apply to your organization? If so, you should thoroughly review the standards and ensure you are complying with all employer requirements. There are several steps that an agency can take to both avoid worker injuries, illnesses and deaths. Developing and enforcing a comprehensive safety program is your key to success.
 
Your safety program should include:

• Written Safety Programs - Develop and maintain written safety programs covering the hazards to which employees may be exposed. OSHA requires written safety programs and looks to see that they’re reviewed and updated annually. Make sure they are available to all employees.

 

• In-depth Safety Training - Both new hire and annual safety training should cover all of the key risks workers are exposed to while performing their work. Staff should be aware of the risks associated with their jobs, and the appropriate policies and procedures to mitigate these risks.

 

• Periodic Jobsite Inspections - Conduct inspections to identify hazardous conditions throughout your organization. Most field job sites require frequent monitoring and observations to stay on top of safety issues.  Inspections identify hazards and provide opportunities to correct problems before injuries and accidents can occur.

 

• Safe Tools and Equipment - Provide safe tools and equipment and ensure workers inspect them regularly. Many workers rely on their tools and equipment to get their work done safely. Unsafe tools and equipment can mean a higher risk of serious accidents. They can also lead to OSHA citations.

 

• Personal Protective Equipment - Provide appropriate personal protective equipment, or PPE, to workers. Organizations must pay for and ensure that workers have the necessary PPE, including fall arrest systems, hard hats, respirators, and hearing protection, to do their jobs safely.

​In 2020, the global pandemic created near-perfect conditions for cybercriminals. Unsurprisingly, we have witnessed a dramatic spike in cybercrime, but what is driving this threat and what will the implications be for cyber risks throughout 2021?

​The shift to remote work and the large-scale dependency on personal devices and residential networks have expanded threat actors’ attack surface — the number of different points through which an unauthorized user can access or extract data from an environment. At the same time, organizations have been adapting to remote working trends at a record pace, increased virtual public meetings and services.
​
The net effect has been a mass increase in potential targets for criminals to exploit and an unprecedented expansion of corporate networks beyond their external firewalls. Cybersecurity in these conditions has proved extremely challenging. Organizations of all industries and sizes were forced to pivot many critical operations to remote environments rapidly and with little time for preparation, exposing insufficient information technology infrastructures, data governance, and security controls.

​In parallel, ransomware proved devastating in 2020 with incidents becoming more frequent, targeted and automated. Global ransomware attacks rose by 40% in the first three quarters of 2020 compared with the same period in 2019, and payments more than doubled in size since the start of 2020.  Increasingly sophisticated and AI-enabled tactics have seen large agencies become more and more vulnerable. For example, criminals have not only accessed core systems, they are successfully infiltrating backup systems as well. Criminals have also started extrapolating data from hacked networks and threatening to release it as part of the extortion scheme. 

​In addition, SCADA systems have proved to be vulnerable to targeted attacks, as was evidenced by the attack at the Oldsmar Water Treatment Plant in Florida, where the attacker increased the level of sodium hydroxide, more commonly known as lye, in the water from 100 parts per million to 11,100 parts per million.

Meanwhile, the explosion of “ransomware as a service” has lowered the barriers to entry for aspiring cybercriminals, enabling less sophisticated actors to cause significant harm.

The spike in cybercrime has driven demand for cyber insurance, with many revisiting their cyber insurance programs and requesting higher limits.
​
Not surprisingly, insurers have become increasingly nervous about the deteriorating risk landscape, and risk quality and underwriters are far more thorough in their underwriting review.
​
Despite the challenging landscape, there are reasons for optimism. Organizations are more aware of the importance of purchasing a robust cyber insurance program, and of the need to improve and harden critical IT systems.

For many years, Cyber insurance programs focused on the risks faced by the loss of third party data.  The leading cyber insurance programs today address these risks, as well as provide extensive coverage for the direct costs incurred in the response to a cyber event. 

The leading cyber insurance programs take this a step further by delivering preventative services to actively monitor client networks to identify weakness, and recommend corrective actions to mitigate these risks.

Safety and risk committees are an incredibly powerful tool to prevent incidents and enhance the effectiveness of all organizations.  Safety and risk committees bring together dedicated employees, representing departments and divisions throughout an organization. They are focused on improving and reinforcing safety and risk management initiatives and make a real impact on the organization.
 
Safety committees enhance employee morale, foster greater productivity, and improve standing among the various stakeholders of the organization. An effective committee sends a powerful message that management cares about the wellbeing of their employees, and the public.
 
When establishing safety and risk committees, careful consideration should be given to identifying the appropriate scope and duties that will be delegated to the committee as a group, and to the members who serve on the committee(s).   Effective committees include representation from senior management, supervisors, and front-line employees, from across all departments or divisions. Committees should not be so large that they lose the ability to be responsive to individuals or to affect organizational changes. 
 
For larger organizations safety committees may need to be established in individual departments and divisions, which report to a centralized risk committee.  Selecting those employees that have a desire to serve on a committee and that will be actively engaged in committee activities is crucial.
 
The mission of the committee should be clearly stated, with well-defined objectives. These objectives reinforce the overarching mission that safety reaches beyond just complying with OSHA or other minimum requirements.  Rather, safety and risk management provide a sense of purpose and a roadmap for accomplishing key organizational objectives.  For example, if the organization has had several lost time workers compensation injuries, the safety committee could identify and evaluate the root cause of the injuries and form and execute a plan to correct unsafe conditions. 
 
While many committees meet monthly, other successful committees may meet less frequently on a semi-monthly or quarterly basis.  The key issue is holding well planned meetings consistently, with good committee member participation.
 
Safety and risk committees are most effective when they can identify issues and are empowered and provided with the resources to resolve them. When a committee is working as it should, employees and managers work together to address safety and risk concerns before injuries or claims arise.
 
While many may think of safety committees as simply a forum to review workplace accidents, many successful committees have much broader oversight, including many key risk management functions, which include:

• Address employee safety concerns.
• Administer safety incentive programs, and safety grants.
• Develop emergency response plans.
• Establish safety training standards.
• Examine OSHA citations and identify solutions.
• Investigate incidents, or near misses.
• Perform site inspections with safety recommendations. 

When these key areas are addressed early, they significantly improves the effectiveness of committees:

Members should demonstrate a general understanding of technical safety and risk issues, familiarity with data gathering and analysis, and experience with group dynamics and meeting participation.  Training may be provided internally, online and from third party resources.  

A committee should be considered an investment, and management needs to provide adequate tools and resources.  Committees may need funds to oversee and administer safety incentive programs and purchase safety equipment or tools.

​Committees will make recommendations for corrective actions or changes in policy and procedure. The committees need to know that they have the support of management to carry out their mission and that their efforts will be sustained.

Engaging all organization stakeholders can significantly improve the visibility and support for the organization. Many successful risk committees prepare an annual report that is reviewed with the governing body (e.g., Councils, Commissions and Boards), with objectives and goals outlined for the coming year.

When safety and risk committees are engaged and empowered, they serve as a vital piece of a risk management program. With knowledgeable, enthusiastic members that develop innovated and creative solutions, these committees have a far-reaching impact on the organization. They improve the culture of safety and risk awareness throughout the organization, improve employee moral and build good will with those that are served by the organization.  

With Spring comes the start of many significant capital projects, from new office and administration buildings to pipelines and treatment plant expansions.  The risks to property under construction are significant but can be well managed through an effective builder’s risk insurance program.
​
Builder’s risk insurance programs can be handled by the owner or left to the general contractor or construction manager.  Project owners understand the scope, cost and special conditions of the project and are better equipped to set up the builder’s risk insurance program.  Contractors may not address all of the ancillary elements and supplemental limits needed for a builder’s risk project and may, mark up the cost of the insurance with profit and overhead. 

​In the absence of detailed information, many underwriters may make assumptions which could result in higher than necessary premiums.  Providing details on the type of construction materials, a timeline of work to be completed (e.g. Gantt Chart) and a summary of new construction vs existing facilities being renovated, will provide greater clarity on the project. This will result in more competitive terms.

​Many organizations use the contract value or guaranteed maximum price when setting the insured value for their projects.  While this is a good starting point, a careful review of the projects costs often yields many items that may fall outside of coverage, or for which you would not intend coverage to respond.  These may include site grading, pavement, purchase of property or property rights (e.g. easements). 

​When establishing the term of the builder’s risk policy, owners and contractors should incorporate potential delays from material suppliers, subcontractors and sub-subcontractors, weather and other exigent circumstances which could result in a delay to the project.  Builder’s risk underwriters will generally increase the policy rate for projects that are behind schedule and need an extension in the policy term.  

When designating the policy term, allow additional time for unanticipated delays from contractors and suppliers.  Builder’s risk policies can be cancelled before the policy expiration at the conclusion of the project, with the unearned premium returned to the owner.  This approach will yield the lowest overall builder’s risk policy rate and total cost.

​Policies should include both the owner and contractors as insured parties.  This has become more critical in recent years due to the increase in owner supplied specialized equipment, which would not be covered under a standard builder’s risk policy obtained directly by a general contractor or construction manager.

​Understanding the transition from the builder’s risk policy to your permanent property insurance program is critical.  Builder’s risk policies may specify that coverage for the project will end when substantial completion is achieved, when a certificate of occupancy is obtained or when the property is put in service for its intended use, even if the project is not yet complete.  

These timelines should be communicated when evaluating builder’s risk insurance options, and throughout the duration of construction to ensure that the project is not left without coverage. 

Staying safe at work sounds like a simple enough goal.  No worker wants to work in an unsafe environment and no administrator or elected official wants to spend time and resources investigating preventable incidents.  The potential for workers’ compensation or third-party liability claims arising from unsafe activities are considerable, when, unsafe incidents occur.  People get hurt property is damaged and productivity is impaired, adding to the negative impact from t events.
 
Often, incidents occur in spite our best efforts to adopt safety policies and satisfy training requirements.  Safety culture is beyond policy and procedure, since it develops a   lasting change in the organization. A culture of safety t reinforces a shared organizational commitment at all levels of the organization. 
 
A good example is provided by Paul O’Neill, formerly of Alcoa.  Mr. O’Neill took over as the CEO at Alcoa during an incredibly challenging time, when he stated: “I knew I had to transform Alcoa. But you can’t order people to change. So, I decided I was going to start by focusing on one thing. If I could start disrupting the habits around one thing, it would spread throughout the entire company.” 
 
He reinforced his commitment to developing a culture of safety in a now famous speech to Alcoa shareholders, he said: “If you want to understand how Alcoa is doing, you need to look at our workplace safety figures. If we bring our injury rates down, it won’t be because of cheerleading or the nonsense you sometimes hear from other CEOs. It will be because the individuals at this company have agreed to become part of something important: They’ve devoted themselves to creating a habit of excellence. Safety will be an indicator that we’re making progress in changing our habits across the entire institution. That’s how we should be judged.”
 
Despite initial resistance from the shareholders, O’Neill’s decision to prioritize safety over profits paid off.  Sales increased, employee injuries declined, and net profits grew five-fold over his twelve-year tenure as CEO.
 
There are several steps we can take to better reinforce a safety culture within our own organizations.  While not an exhaustive list, these seven areas are a great place to start:
​

• Robust training program – Too many incidents resulting in employee injuries, organization property damage and third-party liability result from the lack of proper training.  Training should be more than checking a box once a year to meet a minimum standard.  Training should include specific examples of the type of work to be performed, the actual hazards evident and the safety practices to be followed to safety perform the work.  New employees should receive specific onboarding and follow-up training to ensure they are familiar with the safety policies and safe work practices of the organization.
  
  
• Keep safety top of mind – Do not leave safety training to a monthly formal training but incorporate safety into daily work activities.  Taking five minutes to review the work that will be performed, the hazards present and the safety precautions that need to be taken can be incredibly beneficial.
  
  
• Effective safety/risk committees – These committees should not just be a forum to review incidents but should provide members with the opportunity to review near-misses (near-hits) as well as to express safety and risk concerns from within their own departments or divisions.  Committees should have the full support of senior leadership, and when possible should have representation on the committee from the most senior levels of an organization.
  
  
• Safety incentive programs – An effective safety incentive program should not simply reward employees for a lack of incidents but should encourage proactivity from employees.  Recommendations from employees of known hazards or alternative approaches to perform a task in a safer way can be tremendously valuable.
  
  
• Empower employees – Employees at every level of the organization should be empowered and encouraged to address unsafe activities directly, including stopping work in process if necessary.   
  
  
• Plan for safety – When employees understand that safety is the first and highest priority of an organization, they will work differently.  Supervisors and managers should reinforce this while planning projects, that injuries are likely to occur when shortcuts are taken, or safety protocols are not followed.    Incidents occur where employees are hurried to finish to their work within a specific timeframe, such as the end of a shift or workday.    
  
  
• Safety accountability – Incorporating safety into the performance evaluations of employees, supervisors and senior leaders tangibly reinforces the organizations commitment to safety.

As we work to improve the safety culture within our organizations, safety will become a habit.   Productivity improves with a decrease in incidents, employee moral rises, and our public image is enhanced.
​

Sound risk management involves many preventative actions and processes, to maintain facilities and equipment, and to mitigate potential claims.  Unfortunately, many of these actions go unrecognized without documentation that the tasks were completed.  Two real-world situations to illustrate:
 
ABC City experienced a sewer back-up that flooded the living quarters of a private home. This resulted in the resident vacating the home and moving into a motel for nearly a month. When the claim for damages to the home was submitted, a request was made to the city for documentation of their sewer inspections and maintenance. The city’s public works staff responded that sewer lines were periodically inspected but could not produce written records of any inspections or completed maintenance.  This severely hindered the city’s defense efforts, which led to the city ultimately settling with the homeowner for over $100,000.

XYC City also experienced a sewer back-up, which caused raw sewage to back-up into a restaurant. Because the back-up occurred in the sewer main line under the street, city staff thought that the city was likely responsible for the damages, and the city contacted their insurance company to report the back-up before a claim was even submitted. The claims adjuster requested and reviewed the documentation of sewer inspections.
 
The area where the back-up had occurred was a known low spot in the main. Less than two weeks prior to the back-up, XYZ City’s public works staff had inspected the main on both sides of the low point, noting that the line was running free and clear. Additionally, the city had documentation reaching back several years for their entire sanitary sewer system inspections and maintenance activities. The documentation demonstrated that the city was being a responsible utility owner and, consequently, was not liable for the back-up and damages to the restaurant. Instead, it was later established that restaurant employees had caused the back-up by dumping grease down the drain and had not properly maintained their grease trap. Without this documentation, XYZ City could have been liable for significant clean-up and restoration expenses.

For local governments, there are several benefits to documenting the many daily activities conducted by staff, not just sewer system operations. These benefits include:
​

• Records what your people do every day
• Builds data to be used for scheduling future work
• Justifies current budget expenditures
• Adjusts capital replacement plans
• Establishes future budgetary and staffing needs
• Provides information for new employees when current employees retire or leave
• Reduces potential liability for the agency, thus saving costs

  Documentation should include all inspections and maintenance activities, as well as repairs conducted, and replacements made. While the list of what should be documented will vary by entity type, there are some common activities that should be documented across all public agencies, whether you are city, county, water or sewer utility, school district, fire district, or other government agency.

• Building and property use.
• Building safety systems (e.g. Fire extinguishers, AED’s, fire alarms, security systems, panic alarms, active shooter protocols, etc.).
• Chemical handling and storage.
• Department specific equipment (e.g. SCBA’s, ladders, hoses, nozzles, tools, etc.).
• Incident reports for employee and patron injuries.
• Parks/recreation facilities, playground equipment, tree health, trip/fall hazards, lighting, restrooms, security cameras, fencing, sports fields, and swimming pools/splash pads (including water quality).
• Right-of-ways for maintenance, encroachment, and obstructions.
• Sidewalks/trails including ADA accessibility, trip and fall hazards, and condition.
• Staff training conducted, including subject, attendance, date, and length of the training, training content, policies reviewed.
• Street condition.
• Streetlights.
• Swimming pools, gymnasiums, athletic fields and facilities.
• Traffic control/street name signs for visibility, retro-reflectivity, physical condition, and proper supports. Follow the Manual on Uniform Traffic Control Devices, for retro-reflectivity and placement, traffic signals, and temporary construction signage.
• Transit operations.
• Use of personnel protective equipment.
• Use of portable equipment and tools.
• Utilities systems, such as sewers, storm water, drinking water, electric, and waste management.
• Vehicle use and maintenance.

​
Inspection reports should contain the below items:

• Date
• Location
• What was wrong
• Who was involved in addressing the issue
• How was the problem or issue resolved, with specific details.

 
While documentation can be as simple as a spiral notebook with hand-written entries; many organizations use sophisticated asset management or work-order systems to not only track inspections and incident reports, but to also receive reminder tasks for preventative maintenance issues (e.g. cleaning ‘hot-spot’ sewer lines).  These systems can also often include pictures of sites before and after work is completed

Documentation and reports should provide sufficient detail so that someone who was not present when the work was performed, or when the problem was addressed, could fully understand what transpired.
 
Documentation offers many benefits to you as a worker and to your agency, the least of which is that ongoing and thorough documentation can help reduce an agency’s liability when a claim occurs.

​The U.S. Department of Transportation’s Federal Motor Carrier Safety Administration (FMCSA) clearinghouse of commercial driver's license (CDL) holders' drug and alcohol violations went into effect on January 6, 2020.  

Employers must register to access the data repository to fulfill compliance obligations.  Employers of CDL drivers, can now register on the site and create a secure online user account. Employers with drivers covered by FMCSA regulations will be required to query the database for current and prospective drivers' drug and alcohol violations before permitting those employees to operate a commercial motor vehicle. Employers also must report drug and alcohol program violations through the site. The regulation requires that employers annually screen each of their drivers through the clearinghouse.

​This new regulation comes from a law signed in 2012 intended to help reduce crashes, injuries and fatalities involving large trucks and buses by creating a way to identify and track commercial drivers with a history of violating drug and alcohol prohibitions.

Before the clearinghouse was created, regulated employers were required to check with a driver's prior employers to verify his or her drug and alcohol testing record. Drivers with violations are not eligible to drive a commercial motor vehicle until the employer confirms that the driver has successfully completed mandatory return-to-duty obligations.​

​The clearinghouse will enable employers to more easily identify drivers who commit a drug or alcohol program violation while working for one employer but who fail to subsequently inform another employer.  Records of drug and alcohol program violations will remain in the clearinghouse for five years, or until the driver has completed the federally mandated return-to-duty process, whichever is later.

Registration is free, but there will be a charge, depending on the number of queries, to run records searches. Employee drivers are not required to immediately register for the clearinghouse but will need to register to respond to an employer's request for consent prior to a pre-employment check or other query. "Employers may want to encourage drivers to create an account, however, as doing so will streamline the process by which a new driver can be hired or returned to work following a report.  As the database grows over time, it will become more effective. Unfortunately, employers must also continue to independently gather driver drug and alcohol program compliance records directly from prior employers until the clearinghouse has been operating for three years.

FMCSA regulations require employers to add language to their drug and alcohol testing policies to notify drivers and driver applicants that employers are now required to report any adverse drug and alcohol testing information to the clearinghouse.

This includes any positive drug-test results, any alcohol test results with a blood alcohol content greater than 0.04, refusals to test, and any other non-test violations of the FMCSA's drug and alcohol regulation.  Employers will have to submit a report of a drug or alcohol program violation by the close of the third business day following the date on which the employer obtained the information.

In addition, employers will be required to report any "actual knowledge" violations along with a detailed description of the event, supporting evidence, and the names and contact information for any corroborating witnesses.

For example, supporting documentation will be required … from a supervisor who saw the driver engage in prohibited conduct or documenting a driver's admission of a regulatory violation. The employer must also ensure and certify that all of the information reported to the clearinghouse was also provided to the covered driver in question. This process is designed to ensure that covered drivers are able to exercise their right to dispute potentially inaccurate information.

FMSCA-regulated employers must initiate a database query of the clearinghouse as part of the hiring process for new drivers.  This query must be run on every prospective driver before they are able to perform safety-sensitive functions.  Employers must obtain the consent of the driver before running the check. Consents to limited queries can be evergreen, allowing the employer to continue to search the database as needed after the driver's initial check.  If the query identifies a relevant report on a driver in the database, however, the driver must at that time and on an individual basis authorize the release of the full query report to the employer. Failing to authorize the release of these records to the querying employer will prevent the employer from using or continuing to use the driver.

In addition, employers will be required to run a search of the database at least once a year for all their current drivers.  Employers have some flexibility as to the timing of the searches and should be wary of the potential disruptions that running queries on all drivers at once can create. For example, if an employer elects to run all covered drivers at once as part of its annual review, and the limited query reveals information necessitating a full query on certain drivers, the employer must then conduct a full query on each of those drivers within 24 hours.  If the employer fails to conduct a full query within 24 hours—recognizing that the employer must obtain specific consent from the driver to do so within this time period—the employer cannot allow the covered driver to continue to perform any safety-sensitive function until the results of the full query confirm that the driver's clearinghouse record is clear.

​The operation of motor vehicles remains among the highest impact risks of public agencies.  Collectively, the public sector operates nearly 3 million licensed vehicles; more than any other segment of the US economy.  From patrol vehicles to fire trucks and specialized utility vehicles, these fleets are diverse, with unique uses and operational requirements.  The risks associated with the use of vehicles continue to expand, particularly the increasing number of distractions present within vehicles.  It is crucial to have a well-crafted fleet safety program to establish and reinforce best practices for the use of vehicles.  A comprehensive fleet safety program should address the following areas:

​The policy statement should address your unique operations and environment, as well as reinforce the commitment of management to the safety of drivers and the safe operation of motor vehicles.

​Many organizations permit certain types of vehicles to be taken home to facilitate greater efficiency or as a benefit of employment.  Rules should be outlined to clarify the personal use of vehicles for these employees, including permitted operators and passengers, deviations while commuting or any other territorial or mileage limitations.  These rules should also specify when prior authorization is required to deviate from the rules, and how that might be obtained.  In addition, company vehicles should not be used for the towing of personal trailers or for off-road or recreational use.  

​When employees drive their personal vehicle on official business, their employer may be enjoined in any claims arising their negligent acts.  Accordingly, they should be held to the same standards as those employees operating company vehicles.  Employers should specify the minimum acceptable personal insurance requirements for these employees, and obtain evidence of the personal insurance limits purchased.  Employers should also specify that when the employee is driving their personal vehicle on company business that they must still comply with the organizations fleet policy, including the use of electronic devices.

​Reinforcing the importance of seat belt use is crucial.  Annually, 47% of people killed in motor vehicle crashes were not wearing a seat belt.  Your policy should clearly state this is a requirement to operate a motor vehicle.

Operators of company owned vehicles must have a current driver’s license for the class of vehicle being driven.  A commercial driver’s (CDL) license must be required for all operators of commercial vehicles.  Employees with suspended or revoked licenses should not operate vehicles at any time. 

Motor Vehicle Reports (MVR’s) can be a valuable tool to ensure drivers have an acceptable driving history, however the timing of data being available on these reports can be problematic, often taking several weeks to be updated for the most severe violations (e.g. DUI, reckless driving), where mandatory court appearances are required.  In most states, public agencies have free access to MVR reports, which can be continuously accessed and monitored.  In Utah these reports are available through Utah Interactive.  It is recommended to require that employees self-report any moving violations immediately to their supervisor, regardless of severity.
 
Scoring criteria should be included to designate drivers as acceptable or unacceptable based on the number and severity of moving violations.  Examples of critera that would disqualify an employee from driving are as follows:   
 

• Not licensed for last two consecutive years
  
• License suspension or revocation within the past 3 years
  
• 3 or more moving violations within the past 3 years
  
• Reckless driving moving violation within the past 5 years
  
• Drug or alcohol violations within the past 5 years
  
• Other serious moving violation (Hit and run, use of vehicle for illegal purposes) within the past 5 years
  

​Driver fatigue is responsible for nearly 800 fatalities annually.  Your policy should affirm that drivers should be alert, attentive and rested before driving.  Drivers who may be fatigued or ill should not operate vehicles. 

​Rules specific to the types of commercial vehicles that you operate should be included, including securing of equipment, covering of loads, towing of trailers, and use of specialized vehicles (e.g. Streetsweepers, garbage trucks, vacuum trucks).

​The use of telematics to monitor fleet movements has increased significantly in recent years.  The data collected through these systems may be a useful tool to identify areas for improvement and reinforce safe driving behaviors.  Many telematic systems can provide alerts based on vehicle speed as well as acceleration, braking and cornering velocities.  Alerts may be triggered when a vehicle leaves a designed geographic area, or moves during a specified time (e.g. a take home vehicle moving after work hours).  Some systems also include forward facing and cab facing cameras, which can prove invaluable in the event of accident.

Training requirements should be established for new employees, including training for the specific vehicle(s) that will be operated, including a road test.  Special emphasis should be placed on unique driving exposures, including driving at night, use of 15 passenger vans, or other extreme driving conditions.  At least annually, all drivers should be required to complete refresher training as outlined by management.

​Vehicle maintenance should be monitored, scheduled and documented by a designated employee within the organization.  Employees should not be responsible for or directly perform vehicle maintenance.  Pre-trip and post-trip inspections should also be completed and retained by management for all vehicles.   

If an accident should occur, all vehicles should have a copy of the organization’s post-accident procedures.  At minimum, the following steps should be included:

• Report to the employee’s supervisor
  
• Complete accident form, take photos, obtain witness information
  
• Coordinate the accident review process with supervisor or other designee
  
• Post-accident drug testing
  

​A formal process should be established to review the facts of the accident, determine if the accident was avoidable or unavoidable, and outline the corrective steps if an accident was avoidable.  This review may be completed by a supervisor, manager, director of accident review board. 

A sharp rise in public sector ransomware attacks across the U.S. has drawn considerable attention in recent years – and for good reason. Such attacks can cripple an organization’s ability to conduct important operations or provide needed services to the community. They can also have a huge financial toll.

“Ransomware is not a new problem, but it’s presenting a bigger challenge for public entities,” said Kirstin Simonson, Cyber Lead for Technology and Public Sector at Travelers. “Ransoms are trending significantly higher, in years past ransoms were often in the five to six figure range.  Cyber criminals now routinely demand seven or eight figure sums from local and state governments. Ransomware has impacted government agencies of all sizes, unfortunately, no one is immune.”

While ransomware has been a threat for years, newer variants are able to infect entire networks and cause considerable damage, often before detection.  Here are some measures you can take to help protect your data and ensure an effective response in the event of a ransomware attack:

​A primary step is to back up critical data on a frequent basis. Backed-up files can be quickly recovered, which can help to restore operations in the event of an attack.  Ensure the backed-up data is stored on a separate offline device that is completely severed from the working network. Otherwise, it’s likely to be ransomed along with your primary data.

​Splitting your network into smaller segments is another way to protect critical data. This is typically done by business function or data type, so you can grant employees access to just the data they need to do their jobs. If an employee should fall for a ransomware attack, segmentation can help to prevent the virus from spreading throughout your network and operations. Employees should only have access to critical data, including all forms of protected information when it is required to perform their work.  Otherwise, sensitive data should be restricted. 

​Multifactor authentication (MFA) provides an addition level of protection to your network data. This is a method of verifying an employee’s identity with two or more pieces of proof. The authentication factors typically correlate to a device (e.g., an authenticator app or text message on a smartphone), biometrics (e.g., a fingerprint) or information (e.g., a PIN).

Even if a cyber attacker has obtained a user ID and password, MFA decreases the risk that an attacker can gain access by requiring an additional means of validation. For example, they would need to steal both an employee’s password, as well as their phone, to be able to log in to your systems.

​It is important to continuously monitor your network to identify and mitigate security vulnerabilities. Begin with a complete assessment of the network; identify all systems that are not fully patched and take corrective action. This includes operating systems and software, especially older legacy systems that your municipality may depend upon, which often the most vulnerable systems.

If security updates are no longer feasible, you can reduce the legacy system’s exposure by placing it within its own network segment, making it inaccessible from the internet and restricting employee access.

Your monitoring should also include the systems that remote employees use to gain access to the network. Microsoft’s Remote Desktop Protocol (RDP), for example, can act as an open door for cyber criminals if not properly configured and secured.

​Ransomware attacks can often be traced back to an employee who unknowingly clicked on a phishing email or malicious link. To minimize the risk of human error, provide frequent training on how to recognize cyber threats. Emphasize to your employees the importance of examining links and attachments to make sure they are from a reliable source. Also, warn them of the dangers of sharing company or personal information in response to an email, letter or phone call, and set up protocols for reporting suspicious activity to a designated contact within the organization.

Avoid scrambling to figure out a plan after a ransomware attack occurs. Having an incident response plan in place in advance is key to a swift, systematic response to help contain the damage to your systems and minimize the response and recovery costs. To ensure that your plan will fulfill its intended purpose, test your plan and put it into practice before an incident occurs. You should also continuously update it as you become aware of new risks and vulnerabilities.

A comprehensive cyber insurance program should provide access to a data breach coach, who can review real-world claim scenarios and identify areas for improvement in our response planning; as well as provide complementary or discounted access to qualified cyber security services.  Some of the most common services provided are:
​

• Cyber security education
• Endpoint security
• Network vulnerability scans 
• Password Managers
• Phishing simulations
• Ransomware defense

​If an incident occurs, the first step a public entity should take is to engage legal and computer forensics experts, ideally those identified in your incident response plan or recommended by your cyber insurance provider. These professionals can assist with investigating the extent of the infiltration, removing the cause, restoring your network and determining whether or not to pay the ransom. You may also have an obligation to notify others of the incident if their information was potentially compromised as a result of the breach.