
Silica Safety Enforcement Delayed for Construction Industry


Cal/OSHA has delayed enforcement of its crystalline silica safety standard for the construction industry for another three months to ensure the California rules are in sync with federal rules on the dangerous airborne matter.

The move came after Fed OSHA announced April 6 a delay in adoption of the crystalline silica standard for the sector “to conduct additional outreach and provide educational materials and guidance for employers.”

The silica rules have already been in effect for general industry since 2016 and the delay in enforcement is only for the construction industry. Enforcement for the construction sector was slated to start June 23, but that’s been changed to Sept. 23 under the new order.

Under the new silica standard, the permissible exposure limit is 50 micrograms per cubic meter of air, compared to the old standard of 100.

The California standard is similar to the federal standard, which the industry is challenging in a federal lawsuit. One outfit, the American Chemistry Council, wrote to the Cal/OSHA standards board that the 50 micrograms level is unnecessary and that the current standard, in place since 1971, has markedly reduced the cases of silicosis.

Industry has complained that the cost of complying with the new standard for employers nationwide will be about $6 billion, although Fed-OSHA says it will cost $371 million for employers to fall in line.

The sticking point for the federal construction silica rule is that it requires wet cutting of silica-containing materials to reduce the chances of particles in the air.

The California rules allow for wet cutting and dry cutting with vacuum saws that suck in the particles before they escape into the air. Contractors would rather cut dry than wet.

Fed-OSHA’s requirements were also scheduled to take effect on June 23, but the agency announced that implementation would be delayed by three months to give industry a chance to provide data showing that dry vacuum cutting is just as safe in reducing crystalline silica dust as wet cutting.

While Cal/OSHA’s move only delays enforcement, the silica rule is already on the books and employers should comply with it.

All construction employers covered by the standard are required to:

  • Establish and implement a written exposure control plan that identifies tasks that involve exposure and methods used to protect workers, including procedures to restrict access to work areas where high exposures may occur.
  • Designate a competent person to implement the written exposure control plan.
  • Restrict housekeeping practices that expose workers to silica where feasible alternatives are available.
  • Offer medical exams – including chest X-rays and lung function tests – every three years for workers who are required by the standard to wear a respirator for 30 or more days per year.
  • Train workers on work operations that result in silica exposure and ways to limit exposure.
  • Keep records of workers’ silica exposure and medical exams.


If you have not started complying, you should get your new safety protocols in place now. You have an additional three months to do so.


IRS Adjusts Out-of-Pocket Maximums for HSAs, HDHPs for 2018


This month, the Internal Revenue Service released the 2018 inflation-adjusted amounts for health savings accounts and high-deductible health plans.

The two types of account are related, as all HDHP participants must also have an accompanying HSA. But HSAs are also available to participants in more traditional health plans that do not have high deductibles.

If you have HDHPs for your employees or are considering offering one for 2018, you’ll want to pay attention to the changes for that year:

  • The HSA maximum calendar-year contribution will be raised to $3,450 in 2018 from the current $3,400 for self-only coverage, and to $6,900 for other than self-only coverage from the current $6,750.
  • The HDHP minimum annual deductible will rise to $1,350 for self-only coverage from the current $1,300. The HDHP minimum annual deductible will rise to $2,700 for other than self-only coverage from the current $2,600.
  • The HDHP maximum out-of-pocket expense for self-only coverage will increase to $6,650 from the current $6,550. And the HDHP maximum out-of-pocket expense for other than self-only coverage will rise to $13,300 from $13,100.


Please note that if you have a grandfathered plan, the Affordable Care Act limits the out-of-pocket maximum. For 2014, the limit was equal to the out-of-pocket maximum for HSAs.

So, the maximum out-of-pocket that may be used under a non-grandfathered health plan in 2018 will be $7,350 for self-only coverage and $14,700 for other than self-only coverage.

Employee Texting Blows Holes in Your Company Communications Policy


If you are not aware, your employees are most likely communicating with each other and clients using texting or instant messaging.

While the immediacy of texting and instant messaging is great for business as it allows faster communications, better collaboration and more responsiveness, the downside is that your organization likely can’t track and retrieve those communications.

It becomes even harder if the communications are via instant messaging apps like WhatsApp and Facebook’s Messenger.

As an employer, it’s important that you understand the issue and that you have clear rules for communications among employees in order to protect your company’s interests.

You’ll need a policy in place when something goes wrong and you need to track the thread of communications to see what was said or promised by whom, and when. These details can be crucial to resolving problems with clients, or if you are ever sued and your communications are subpoenaed for discovery.

Plaintiff-side lawyers in employment cases have already started demanding the production of text messages and e-mails during discovery. And if litigation ensues on an issue, you may have a duty to preserve text messages.


Roadblocks

There are a few issues that you need to consider, especially in light of the fact that many companies are allowing staff to use their own devices for company communications, including giving them access to the business’s e-mail system on their phone.

If your employees are exchanging texts and instant messages on company phones, the history of communications would be preserved and you would be able to access the content by asking for the phone.

But, if your employees are sending and receiving work texts and instant messages on their personal devices, the issue gets murkier, particularly if you don’t have a bring-your-own-device (BYOD) policy. Accessing messages about company business on an employee’s smartphone may raise privacy issues.

The problem especially arises in the case of wrongdoing by an employee. If they are using their phones for communications that could provide insight into their behavior, they can erase those messages before you ask to see them.

In other words, you cannot rifle through their phone without first obtaining it, meaning you can’t review the messages without their knowledge, as you could with e-mail stored on your company server.

There are also privacy issues that arise if you are trying to access an employee’s personal phone to view texts and messages.

The big issue is: how do you capture those communications? After all, the messages do not pass over your network, unlike your company’s e-mail system, which preserves all communications and makes them available to you. The messages reside on the phone instead.


What you should do

Obviously texting and instant messaging are a potential minefield for employers who want to be able to access all company communications among employees and between your staff and clients, vendors or partner organizations.

To ensure you have a handle on it, you should set rules outlining what method of communication employees may use for business purposes.

If you don’t want texting or instant messaging of any kind for company business, that needs to be spelled out – including ramifications for breaking the rule.

If you decide to allow texting and instant messaging, your policy should be clear on what kind of communications are okay.

You will need to amend your policy related to employee communications and record retention to make sure texts and instant messages are included.

If you have a BYOD policy, at a minimum it should include allowing you to take custody of the employee’s phone for legitimate purposes like a dispute with a client, or discovery for litigation.

As you can see, it’s important that you initiate a policy on employee communications that takes into account texting and messaging.

If you haven’t done so, you should do it now, as this faster method of communication is becoming the new normal, particularly as Generation Y continues filtering into the workforce.


How Tracking Near Misses, Employee Training Reduces Injuries


The latest trend in workplace safety best practices is tracking “leading indicators” – or events that take the lessons learned from past events – to reduce the chances of future injuries.

Safety professionals are increasingly keeping track of near misses, hours spent on training and facility housekeeping and measuring the impact on the organization’s overall safety record. And they are finding that this approach is having a significant impact in preventing injuries.

The trend is a new one. For years, workplace safety managers and industrial safety engineers used lagging indicators to track and manage workplace injuries and illnesses. They would evaluate:

  • Injury rates
  • Injury counts, and
  • Days injury-free


The major drawback to only using lagging indicators of safety performance is that they tell you how many people got hurt and how badly, but not how well your company is doing at preventing incidents and accidents.

In the last few years, safety-minded companies have been shifting their focus to using leading indicators to drive continuous improvement. Lagging indicators measure failure, but leading indicators measure performance – and that’s what we’re all after.

And even if you don’t have dedicated safety professionals on your staff, your organization can learn from what its larger counterparts are doing. Surveys like a recent one of safety professionals by the online news site EHS Today can be valuable to even small firms.

EHS Today surveyed about 1,000 environmental, health and safety professionals about which leading indicators they are tracking the most. The top 10 are:

  1. Near misses
  2. Employee audits/observations
  3. Participation in safety training
  4. Inspections and their results
  5. Participation in safety meetings
  6. Facility housekeeping
  7. Participation in safety committees
  8. Overall employee engagement in safety
  9. Safety action plans execution
  10. Equipment/machinery maintenance


As you can see, a leading indicator is a measure preceding or indicating a future event that you can use to drive activities or the use of safety devices to prevent and control injuries.

Leading indicators are focused on future safety performance and continuous improvement. These measures are proactive in nature and report what employees are doing on a regular basis to prevent injuries.

Used correctly, leading indicators should:

  • Allow you to see small improvements in performance
  • Measure the positive: what people are doing versus failing to do
  • Enable frequent feedback to all stakeholders
  • Be credible to performers
  • Be predictive
  • Increase constructive problem-solving around safety
  • Make it clear what needs to be done to get better
  • Track impact versus intention


Creating a leading indicator

To design a leading indicator, you need a framework that takes into account the near-term, mid-term and long-term objectives that will lead you to your goal.

Suppose you want to reduce strain injuries in your printing plant. You might want to start by identifying the factors that lead to these injuries.

Ergonomics is an obvious factor, but you could get more granular or more general in your consideration. Loads, repetitions and workstation design might be factors at the individual level, while work procedures, the pace of work, and safety culture might be important factors at the operational or corporate levels.

You can track the data to see which areas are likely to cause future strain injuries. And once you do that, you have a model for how the injuries occur. At that point you can consider what type of interventions you may want to implement to prevent future strain injuries.


When Safety Shortcuts Become a Criminal Act


As the economy grows and companies’ operations are busier, workplace injuries also increase. And as companies add employees, they may fail to keep up their safety regimens, which can result in an uptick in workplace injuries.

Some businesses have so much to keep track of that they may be negligent in enforcing their safety standards and making sure that all of their safety devices are in proper operating order.

When an employee is injured due to an employer’s negligence in keeping up its safety practices, there is typically no right of action for the employee under the exclusive remedy bargain that’s implicit in all workers’ comp agreements.

In that bargain, the employee trades the ability to sue the employer for the right to receive benefits and medical care to treat the injury.

But there is a point where employer negligence spills over into a criminal issue and owners risk incarceration for flagrant violations that put employees at risk.

And during the last few years OSHA has been stepping up criminal prosecutions of employers whose actions were more than just negligent.

While criminal penalties under the federal Occupational Safety and Health Act are fairly limited, with imprisonment capped at six months and fines capped at $10,000, the fines are stiffer for willful violations that cause loss of human life, with maximum fines of $250,000 for an individual and $500,000 for an organization.

If an employer’s willful violation of an OSHA standard causes the death of an employee it is not a felony, but a “Class B” misdemeanor.

And although the act carries with it the possibility of a prison term, in practice, prison occurs only in the rare circumstances where a senior management official operates de facto as the company. Otherwise, practically, only criminal monetary fines are applied for criminal violations.

Historically, there have been few prosecutions. There have been fewer than 80 OSH Act criminal cases resulting from the more than 400,000 workplace deaths that took place since the law was enacted. That’s fewer than two a year, and only 14 have resulted in criminal convictions.

Also, it’s challenging to prove a criminal violation under the OSH Act.

But in 2016, the Department of Justice (DOJ) started encouraging all United States Attorneys to charge employers for other violations that occur in connection with OSH Act violations, such as obstruction of justice, making false statements, witness tampering and conspiracy.


U.S. Attorneys were also encouraged to consider environmental crimes, which often occur in concurrence with worker safety violations. These offenses carry more significant periods of incarceration and fines.


Conviction examples

Two noteworthy examples of this wider implementation of the law are:

  • The owner of a roofing company in Philadelphia lied to OSHA on four occasions that he’d provided fall protection to employees after one of his workers fell to his death. He even went so far as to instruct other workers to tell OSHA that they had worn fall protection on the day of the incident.
    He was indicted for lying, obstruction of justice and willfully violating an OSHA standard. Facing 25 years in prison, he pleaded guilty and was sentenced to 10 months in jail.
  • A worker was killed in 2015 because of a trench collapse at a construction site in Manhattan’s Meatpacking District. The general contractor was convicted of manslaughter for improperly securing the work site.


To obtain a conviction under Section 17(e) of the act, a prosecutor must establish beyond a reasonable doubt (unlike the lower civil standard for ordinary OSHA enforcement actions) that:

  • An OSHA standard (not the General Duty Clause) was violated;
  • The violation was committed by the employer (in other words, not by a rogue employee);
  • The violation of the standard was the direct cause of an employee’s death (prosecutors must prove beyond a reasonable doubt that the conduct underlying the OSHA violation resulted in the death); and
  • The violation was committed willfully by the employer.


Other actions that may result in criminal action

According to the DOJ, in addition to willful OSHA violations that caused an employee fatality, employers (and employees) can face criminal sanctions in the following circumstances:

  • Falsifying OSHA documents
  • Advance notice of an OSHA inspection
  • Perjury during OSHA proceedings
  • Violating state criminal laws – The OSH Act does not preempt prosecution under state criminal laws, such as manslaughter or negligent homicide for work-related deaths and injuries.
  • Violating environmental laws.

Bill Would Make Collecting Health Information for Wellness Plans Easier


Legislation has surfaced in Congress that would allow employers to collect biometric and genetic information from employees and their family members as a precondition for participation in a company wellness program.

The bill would essentially repeal a portion of the Genetic Information Non-discrimination Act (GINA), which in part bars employers from collecting genetic information on employees or members of their family for certain wellness programs.

The GINA bars health insurers and employers from discriminating against people based on information that their genes carry – say, a family history of heart disease or stroke.

The law contains an exception for employers that collect information from employees for a voluntary wellness program, the kind with no carrots or sticks for participation.

The bill is aimed at wellness programs that offer employees discounts on their health insurance in exchange for participation. Wellness plans may require participation in a health risk assessment or that the employee meet certain fitness or health goals.

Under the Affordable Care Act, employers can offer discounts of up to 30% on health insurance to employees who participate in wellness plans. In some cases, the employer can offer up to a 50% discount if the employees meet certain health targets.

HR 1313 would allow employers to collect biometric information from employees and their family members as a prerequisite for participation in wellness programs that provide discounts or other financial incentives.

Employer groups have decried the GINA’s strict rules, which they say inhibit their ability to help employees improve health metrics like high blood pressure and obesity, among others.


Bill’s key language

HR 1313’s key language states that:

“The collection of information about the manifested disease or disorder of a family member shall not be considered an unlawful acquisition of genetic information with respect to another family member as part of a workplace wellness program.”

The bill passed along party lines in the House Education and the Workforce Committee (22 Republicans for and 17 Democrats against). It still has other committees to clear before the full House votes on the legislation and sends it to the Senate.

Proponents of the bill, like the American Benefits Council, say that it would preserve wellness plans, which they say have suffered under the GINA.

Why You Can’t Afford to Not Have Professional Liability Insurance

At some point, most businesses are involved in some type of legal dispute, be it over alleged physical or property damage to a third party or financial injury to a competitor, client or vendor.

And you’d surely want an insurance backstop in case you are targeted, to help pay for legal costs and any settlements or judgments. The type of liability that your business is going to face will depend on the type of work that you do.

If you’re in a service trade, the chances of your work causing someone physical damage or harm are remote, but you could still be sued for not living up to your part of a contract or if your services caused a client to lose money.

The costs of defending against a lawsuit of that type could quickly mount, even if you come out victorious in the end. Those costs would have to be borne out of pocket if you didn’t have the appropriate insurance.

The costs of not carrying professional liability insurance in many services trades can be a disaster to your finances as a lawsuit can catch you by surprise, even for work that you may have done years ago.


The unfunded lawsuit

Here’s a scenario that could leave you scrambling for funds. You run an engineering firm and a manufacturer sues your business after one of the machine parts that you designed failed, causing one of the client’s machines to seize up, resulting in $58,000 in damage to the machine and production downtime.

The lawsuit accuses your firm of negligence. Your business could be facing serious financial hardship as the suit asks for the cost of repairs and the lost production.

Here’s what you’re looking at:

  • Attorneys’ fees – Depending on where you live, these can range from $150 to $400 an hour, or more if you go with a topflight law firm.
  • Court expenses – Fees for copying, filing and other miscellaneous tasks all add up.
  • Other legal fees – You may need to call expert witnesses, as well.
  • Damages or settlements – Even if you try to reach a settlement with your client, they may opt to take the case to trial in hope of winning the full amount of the damages they are claiming.


You can see how the costs can quickly mount and if it gets to a damages or settlements stage, the costs will increase significantly.

You should know too that even if the case was frivolous, you’d still have to pay attorneys to defend it and file motions to have it tossed out of court. That alone could run you at least $5,000 in legal fees – a lot of money to pay out of pocket.

In fact, the U.S. Small Business Administration estimated in a recent study that legal costs for litigation ranged from $3,000 to $150,000, and only one-third of small business owners reported spending less than $10,000.

And there can be other fallout, as well. Perhaps word has gotten out about the lawsuit, damaging your reputation and your ability to attract new clients and retain existing ones.

And if one client has sued, others who may have held off and had similar experiences could also file suit.


Professional liability insurance

Insurance could have saved you from these significant expenses. The coverage, which is relatively inexpensive, is what’s known as “claims-made” coverage.

That means your policy must be active when the alleged incident occurred and when the claim is filed, in order to receive your benefits.

Client allegations that your work caused them a financial loss are often covered by a professional liability policy.

Professional liability insurance can cover errors and oversights with your work, as well as legal fees and the cost of settlements or judgments.

Cost: The average yearly cost of professional liability insurance for a small business, regardless of the limits chosen or the industry of the business, was $985.49 in 2015, according to the Insurance Information Institute. The median was $758.00.

GOP Releases Legislation to Gut and Replace ACA

House Republicans have filed legislation that would repeal most of the Affordable Care Act, including measures to eliminate the employer and individual mandates.

But from the get-go the legislation – backed by the House leadership – was panned by the GOP’s conservative wing, which said it doesn’t go far enough to completely get rid of the ACA, casting doubt on the prospects of it getting passed.

And Congressional Democrats immediately voiced their absolute opposition to the bill, vowing to vote ‘No’ on the legislation.

While passage in the House would be a bit easier, the slim 51-49 vote edge that Republicans hold in the Senate means it’s unclear whether the bill can pass in its present form.

But for now, this is the only piece of viable legislation that’s been floated to gut the ACA, and replace it with a scaled-down version.

The leadership is mindful that they cannot do an outright repeal, since it would affect some 20 million people who have been able to secure health insurance under the ACA.

The bill, called the American Health Care Act, would be phased in over time and would keep the ACA’s premium subsidies for policies purchased through insurance exchanges until 2020, as well as fund Medicaid expansion under the ACA for the same time.

This is just the first draft, and because of the opposition from conservatives in the Republican Party, the current version will not likely be the final one.

House Speaker Paul Ryan has said he wants to see the bill passed by Congress by the end of April. In other words, there will be a lot of work to do in very short order.


Here are some of the major provisions of the bill:

  • Eliminating the employer mandate that requires employers with 50 or more full-time or full-time equivalent workers to offer health insurance.
  • Eliminating the individual mandate requiring Americans to be covered either through their employment or by purchasing coverage on the open market or a health insurance exchange.
  • Ending the funding for Medicaid expansion as of 2020.
  • Converting Medicaid to a program of capped per-capita federal grants to the states, starting in 2019.
  • Eliminating the subsidies available under the ACA and replacing them with age-based, refundable premium tax credits to help people buy insurance. Under the ACA subsidies are based on income, not age, and the proposed age-based tax credits generally would be smaller than the ACA’s.
    The tax credits proposed by House Republicans would start at $2,000 a year for a person under 30, rising to a maximum of $4,000 for a person 60 or older. A family could receive up to $14,000 in credits.
  • Removing ACA taxes and penalties (adding a premium incentive for continuous coverage and allowing insurers to tack on a 30% surcharge for people who let their policies lapse).
  • Protecting employer exclusion (tax write-off for employers and pre-tax for employees).
  • Retaining the “Cadillac tax” on high-value plans, but delaying its implementation to 2025 from 2020.
  • Eliminating the requirement that plans must offer minimum essential benefits.
  • Offering states $100 billion over nine years to establish high-risk pools or other mechanisms for stabilizing the individual insurance market.
  • Allowing insurers to charge older individuals five times higher premiums than they charge younger people. That’s compared with the 3 to 1 ratio under the ACA.
  • Expanding and promoting health savings accounts.


The fate of the legislation remains to be seen, but under the proposal it would surely not live up to President Trump’s promise that individual plans would be better and less expensive under the GOP’s ACA replacement.


We will keep you posted as the legislation develops.


Republicans Consider Axing Tax Exclusion on Employer-sponsored Plans


As work on trying to overhaul the Affordable Care Act continues, lawmakers are considering a bold and what would likely be a controversial move to eliminate the tax exclusion for employer-sponsored health benefits.

The amount of taxes that are not collected as a result of the exclusion amounts to about $216 billion a year according to the Tax Policy Center, and is therefore a significant pool of untapped funds.

The current exclusion has its roots dating back to World War II when the government ordered that wages be frozen and tax-free health insurance be available. The notion of now taxing the benefit would likely not go down well with anyone who currently receives employer-sponsored health insurance.

While economists have long hated the tax exclusion, workers and employers love it. Depending on how much you pay in taxes, the savings on the cost of expensive health benefits can be substantial. Most Americans under 65 benefit from tax savings associated with this policy.

The outline details how funds raised through the collection of these taxes would be spent on various aspects of the health insurance system like Medicaid, tax benefits for health savings account enrollees, and a universal tax credit-based system that would help individuals buy insurance on the open market.

The House committees are also struggling to deal with the tax credits established by the ACA to help individuals buy coverage on government-operated health insurance exchanges, and how to eliminate that system.

In place of the ACA subsidies, the House bill starting in 2020 would give tax credits – based on age instead of on income. For a person under age 30, the credit would be $2,000. That amount would double for beneficiaries over the age of 60, under the proposal.

Republicans are considering various proposals for the tax exclusion:

  • Cap the tax exclusion at a certain level, such as $10,000 in benefits.
  • Eliminate the tax exclusion altogether.
  • Phase out the exclusion over time.


The outline did not specifically state that any captured taxes would be used to pay for the tax credits, but analysts say that it would be funded this way.


Capped tax exclusion

If the capped method is implemented, it would likely set a maximum amount of benefits that would not be taxed – and any benefits over that amount would be taxed as salary.


Cap example

If Congress sets a cap of $8,000 for single coverage, a worker who receives $9,500 worth of health coverage paid for by his employer would not pay taxes on the first $8,000 in benefit. However, the remaining $1,500 would be treated as ordinary income and the full range of tax would be levied on the amount.

Both the employer and the employee would be exposed to the tax.

The danger is that the move could also spur states to adjust their laws to match federal law so that state income taxes are also captured on the benefit.

If talk of a cap sounds familiar, that’s because this is kind of how the ACA “Cadillac tax” was supposed to work. Under that measure, any health plan that is worth more than an established amount would be taxed at 40% for every dollar over the threshold.

The whole idea behind the Cadillac tax was that it would tax health plans that are deemed overly generous and hence do nothing to curtail the use of health services. But eliminating or capping the tax exemption would have no such effect, experts say.

We will keep you posted as the process develops.


Ransomware Becomes Biggest Cyber Threat Facing Businesses


Ransomware is turning out to be the biggest cyber threat facing companies in 2017 after attacks more than quadrupled in 2016 from the year prior, according to a new study.

If you are not familiar with this fast-evolving cyber threat, the perpetrators typically lock down your database and/or computer system, making it unusable, and then demand that you pay a ransom to unlock the system.

The “Beazley Breach Insights Report January 2017” highlights a massive and sustained increase in ransomware attacks.

Another report, the “2017 SonicWall Annual Threat Report,” found that cyber criminals are shifting their attention from malware and other types of threat to ransomware – as evidenced by a significant decline in the former types of attack and a dramatic increase in the latter.

Here’s what SonicWall saw in 2016:

  • Unique malware attacks fell to 60 million from 64 million in 2015, down 6.25%.
  • Total malware attack attempts fell to 7.87 billion from 8.2 billion, down 4%.
  • Ransomware attacks exploded to 638 million attempts in 2016 from 3.8 million in 2015, up a massive 166 times!

SonicWall’s report estimates that around $209 million in ransoms was paid in the first quarter of 2016 alone.

“It would be inaccurate to say the threat landscape either diminished or expanded in 2016 – rather, it appears to have evolved and shifted,” said Bill Conner, president and CEO of SonicWall. “Cybersecurity is not a battle of attrition; it’s an arms race, and both sides are proving exceptionally capable and innovative.”

The unprecedented growth of ransomware was likely driven as well by easier access to ransomware in the underground market, the low cost of conducting a ransomware attack, the ease of distributing it and the low risk of being caught or punished.

Ransomware is also growing in both sophistication and type of attack, and the hackers are proving to be inventive in how they can cripple your business enough to elicit the ransom.

When you are most vulnerable

And there are times when businesses are more susceptible than others to being targeted for an attack.

“Organizations appear to be particularly vulnerable to attacks during IT system freezes, at the end of financial quarters and during busy shopping periods,” the report states. “Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the more valuable files unencrypted.”

Ransomware enters a company’s system in a variety of ways.

The most common method is an employee clicking on a link in a bogus e-mail, which opens the door for malicious code to start rifling through your systems. More often than not, the employee clicks the link or sends information unintentionally.

The types of attack will vary from industry to industry.

How Ransomware Infiltrates

  • Hack or malware: 40%
  • Insider: 7%
  • Unintended disclosure: 28%
  • Physical loss: 6%
  • Portable device: 6%
  • Other/unknown: 9%

Source: Beazley Plc (numbers for financial services industry)

Horror stories

  • Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to regain access to its data in February 2016.
  • Lansing Board of Water & Light paid ransomware attackers $25,000 after they had paralyzed the company’s information system in April 2016.
  • A four-star hotel in the Austrian Alps paid 1,500 euros (about $1,600) in bitcoin after ransomware had locked up the computer running the hotel’s electronic key lock system, leaving guests unable to enter their rooms.