Archive for March, 2017

New OSHA Rules Delayed, Watered down under Trump

Acting on new marching orders from the Trump Administration, federal OSHA seems to be scaling back some regulations to benefit employers.

Significantly, it seems that large employers will not be required to start submitting their injury and illness reports electronically as required by Obama-era regulations that were to take effect in February.

The idea was that these electronic filings would become public information easily accessed online, as part of Obama’s push to publicly shame companies with poor workplace safety records.

Under current regulations, establishments with 250 or more employees in industries covered by the record-keeping regulation must submit information from their 2016 Form 300A electronically by July 1, 2017.

As recently as early January, OSHA said on its website that it expected the site to be live in February. But in recent weeks, the agency changed the wording and it now states that: “OSHA is not accepting electronic submissions at this time.”

It’s unlikely that the electronic reporting will go forward under Trump, and that will also likely mean that companies won’t have their records posted online.

Another Obama rule, issued in December, is also likely to never see the light of day. That regulation gives OSHA the authority to cite companies failing to properly record workplace injuries up to five-and-a-half years after an alleged violation.

For years, OSHA had taken the position that it had up to five-and-a-half years after an alleged violation to issue a citation for record-keeping infractions.

But a court in 2012 found that OSHA’s interpretation was inconsistent with what the court called the “clear” wording of the law, which gave the agency only six months to bring charges.

In response to that ruling, the Obama administration promulgated new regulations circumventing the court decision and restoring the five-and-a-half-year period. Legislation overturning Obama’s rule has already been passed by both houses of Congress and Trump is expected to sign it. When he does, the six-month rule will stand.

Downside for honest firms

The problem for honest employers in this is that six months does not give OSHA enough time to detect record-keeping violations and bring subsequent charges. Also, if an inspector finds during an inspection that a company has been flouting the law and not filing its records for years, OSHA would be unable to cite the business.

Unfortunately, this could create an unlevel playing field, as responsible companies comply with record-keeping rules, while companies that take shortcuts won’t.

In a further step, OSHA announced in February that it would delay the implementation of a new rule aimed at reducing workplace exposure to beryllium, a widely used mineral linked to a deadly lung disease.

The rule was slated to take effect in March, but OSHA has delayed that until May at the earliest.

Employers can also expect a slowdown in new rule-making thanks to Trump’s executive order in January that agencies must cancel two regulations for every new one they make.

The new policy is expected to slow ongoing OSHA rule-making, such as an industry-backed effort to write regulations specifically for tree-trimming work, and to discourage the agency from pursuing wide-ranging rules, such as revising limits for chemical exposures.

ACA Repeal Plan Is Dead; So What Should You Do?

Now that the American Health Care Act has suffered a defeat in Congress and President Trump has said he’ll move on to other matters, the Affordable Care Act will stand as the law of the land.

The big question hanging over the law, however, is the executive order that Trump signed shortly after taking office in January. While that order did not abolish the legislation, it set the stage for agencies to act immediately on regulations that are deemed overly burdensome.

However, the administration has not indicated what it will do now that the AHCA has ground to a halt.

While the executive order still stands, it’s now abundantly clear that the ACA will not be repealed this year, but what’s not certain is how the agencies will enforce the law’s regulations.

They can choose, for example, not to enforce the penalties for applicable large employers who do not provide acceptable health insurance for their employees, or to enforce the penalties for individuals who do not secure health insurance if none is offered by their employer.

There are two main agencies that have enabling regulations in place for the ACA: the Department of Treasury and the Department of Health and Human Services (HHS). There has been no indication or announcement from these agencies about whether they will enforce the regulations currently in place or whether they are in the process of writing new ones.

Regardless, whatever they choose to do, rule-making takes time… often years. In fact, the regulations that enabled the ACA took four years to unfold as the agencies were busy writing them and putting them out for public comment.

And any rules would still have to be changed within the confines of the ACA, and it’s unclear how much leeway the agencies have in deviating from that law.

The executive order reads:

“…it is imperative for the executive branch to ensure that the law is being efficiently implemented, take all actions consistent with law to minimize the unwarranted economic and regulatory burdens of the Act, and prepare to afford the States more flexibility and control to create a more free and open healthcare market.”

It also said that the HHS secretary and other agency heads “shall exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision… that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”

Meanwhile, Trump has expressed willingness to work with the Democrats to get a new law pushed through, but the chances of that are slim if he insists on repealing the ACA. They are more likely to be open to changes to address some of the problems with the law, particularly the lack of participation by private insurers in health exchanges in some parts of the country.
The takeaway

So what does this mean for you, an employer? It means you should continue providing insurance for your employees if you are an applicable large employer, and continue submitting the required forms to the IRS.

For now, do what you’ve been doing.

Reduce the Chances of Workplace Violence With Tactful Disciplinary Actions

Every year a few hundred people are murdered in American workplaces by disgruntled workers or former employees who come back to exact revenge for perceived or real slights, or poor treatment.

And while it’s impossible to tell when and if someone is going to snap, or whether they are carrying a concealed weapon, there are steps employers can take to minimize the chances of someone taking the final step that can lead to violence or the ultimate tragedy.

The law firm of Ohio-based Dunlevey, Mahan and Furry in a recent blog post suggested reconsidering how you handle certain confrontations, like disciplining or firing an employee.

Unfortunately, many people are fragile these days and they have stresses both in and outside of the workplace you likely don’t know about. So if you have to discipline someone, you should treat them with dignity.

The key to dealing with disciplinary and termination meetings is planning ahead and not leaving anything to chance.

The law firm recommends:

  • When firing someone, have two employer representatives present in the room.
  • Do not humiliate or embarrass the worker.
  • Avoid escorting the employee out of the office in front of co-workers. Don’t make them do the walk of shame.
  • When disciplining an employee, do so in private and not in front of others. Be compassionate and keep it respectful.
  • If you are genuinely concerned about the possibility of a violent reaction, consider bringing in professional help like security or police.
  • Eliminate the employee’s access to keys and passcodes.
  • Deal with conflicts promptly, and from the moment they begin. Harassment and violence stem from unresolved conflicts that fester. They can degenerate and turn the workplace into a hostile environment and lead to violence.
  • Don’t surprise someone with a termination. They should know in advance that their performance is not up to par and understand that their job is on the line. That means:
      • Explaining, documenting and discussing poor performance.
      • Addressing issues as they arise.
      • Giving everyone a legitimate chance to improve.
      • Confronting an employee if they are failing.
      • Letting someone know their job is on the line due to their performance or other reasons.

Don’t allow managers to give good ratings to poor performers, and ensure that poor performance is documented and discussed as it arises. Don’t wait for annual reviews.

How Tracking Near Misses, Employee Training Reduces Injuries

The latest trend in workplace safety best practices is tracking “leading indicators” – events and activities that apply the lessons learned from past incidents – to reduce the chances of future injuries.

Safety professionals are increasingly keeping track of near misses, hours spent on training and facility housekeeping and measuring the impact on the organization’s overall safety record. And they are finding that this approach is having a significant impact in preventing injuries.

The trend is a new one. For years, workplace safety managers and industrial safety engineers used lagging indicators to track and manage workplace injuries and illness. They would evaluate:

  • Injury rates
  • Injury counts, and
  • Days injury-free

The major drawback to only using lagging indicators of safety performance is that they tell you how many people got hurt and how badly, but not how well your company is doing at preventing incidents and accidents.

In the last few years, safety-minded companies have been shifting their focus to using leading indicators to drive continuous improvement. Lagging indicators measure failure, but leading indicators measure performance – and that’s what we’re all after.

And even if you don’t have dedicated safety professionals on your staff, your organization can learn from what its larger counterparts are doing. Surveys like a recent one of safety professionals by the online news site EHS Today can be valuable to even small firms.

EHS Today surveyed about 1,000 environmental, health and safety professionals about which leading indicators they are tracking the most. The top 10 are:

  1. Near misses
  2. Employee audits/observations
  3. Participation in safety training
  4. Inspections and their results
  5. Participation in safety meetings
  6. Facility housekeeping
  7. Participation in safety committees
  8. Overall employee engagement in safety
  9. Safety action plans execution
  10. Equipment/machinery maintenance

As you can see, a leading indicator is a measure preceding or indicating a future event that you can use to drive activities or the use of safety devices to prevent and control injuries.

Leading indicators are focused on future safety performance and continuous improvement. These measures are proactive in nature and report what employees are doing on a regular basis to prevent injuries.

Used correctly, leading indicators should:

  • Allow you to see small improvements in performance
  • Measure the positive: what people are doing versus failing to do
  • Enable frequent feedback to all stakeholders
  • Be credible to performers
  • Be predictive
  • Increase constructive problem-solving around safety
  • Make it clear what needs to be done to get better
  • Track impact versus intention

Creating a leading indicator

To design a leading indicator, you need a framework that takes into account the near-term, mid-term and long-term objectives that will lead you to your goal.

Suppose you want to reduce strain injuries in your printing plant. You might want to start by identifying the factors that lead to these injuries.

Ergonomics is an obvious factor, but you could get more granular or more general in your consideration. Loads, repetitions and workstation design might be factors at the individual level, while work procedures, the pace of work, and safety culture might be important factors at the operational or corporate levels.

You can track the data to see which areas are likely to cause future strain injuries. And once you do that, you have a model for how the injuries occur. At that point you can consider what type of interventions you may want to implement to prevent future strain injuries.

When Safety Shortcuts Become a Criminal Act

As the economy grows and companies’ operations are busier, workplace injuries also increase. And as companies add employees, they may fail to keep up their safety regimens, which can result in an uptick in workplace injuries.

Some businesses have so much to keep track of that they may be negligent in enforcing their safety standards and making sure that all of their safety devices are in proper operating order.

When an employee is injured due to an employer’s negligence in keeping up its safety practices, there is typically no right of action for the employee under the exclusive remedy bargain that’s implicit in all workers’ comp agreements.

In that bargain, the employee trades the ability to sue the employer for the right to receive benefits and medical care to treat the injury.

But there is a point where employer negligence spills over into a criminal issue and owners risk incarceration for flagrant violations that put employees at risk.

And during the last few years OSHA has been stepping up criminal prosecutions of employers whose actions were more than just negligent.

While criminal penalties under the federal Occupational Safety and Health Act are fairly limited, with imprisonment capped at six months and fines capped at $10,000, the fines are stiffer for willful violations that cause loss of human life, with maximum fines of $250,000 for an individual and $500,000 for an organization.

If an employer’s willful violation of an OSHA standard causes the death of an employee it is not a felony, but a “Class B” misdemeanor.

And although the act carries with it the possibility of a prison term, in practice, prison occurs only in the rare circumstances where a senior management official operates de facto as the company. Otherwise, practically, only criminal monetary fines are applied for criminal violations.

Historically, there have been few prosecutions. There have been fewer than 80 OSH Act criminal cases resulting from the more than 400,000 workplace deaths that took place since the law was enacted. That’s fewer than two a year, and only 14 have resulted in criminal convictions.

Also, it’s challenging to prove a criminal violation under the OSH Act.

But in 2016, the Department of Justice (DOJ) started encouraging all United States Attorneys to charge employers for other violations that occur in connection with OSH Act violations, such as obstruction of justice, making false statements, witness tampering and conspiracy.

U.S. Attorneys were also encouraged to consider environmental crimes, which often occur in conjunction with worker safety violations. These offenses carry more significant periods of incarceration and fines.

Conviction examples

Two noteworthy examples of this wider implementation of the law are:

  • The owner of a roofing company in Philadelphia lied to OSHA on four occasions that he’d provided fall protection to employees after one of his workers fell to his death. He even went so far as to instruct other workers to tell OSHA that they had worn fall protection on the day of the incident.
    He was indicted for lying, obstruction of justice and willfully violating an OSHA standard. Facing 25 years in prison, he pleaded guilty and was sentenced to 10 months in jail.
  • A worker was killed in 2015 because of a trench collapse at a construction site in Manhattan’s Meatpacking District. The general contractor was convicted of manslaughter for improperly securing the work site.

To obtain a conviction under Section 17(e) of the act, a prosecutor must establish beyond a reasonable doubt (unlike the lower civil standard for ordinary OSHA enforcement actions) that:

  • An OSHA standard (not the General Duty Clause) was violated;
  • The violation was committed by the employer (in other words, not by a rogue employee);
  • The violation of the standard was the direct cause of an employee’s death (prosecutors must prove beyond a reasonable doubt that the conduct underlying the OSHA violation resulted in the death); and
  • The violation was committed willfully by the employer.

Other actions that may result in criminal action

According to the DOJ, in addition to willful OSHA violations that caused an employee fatality, employers (and employees) can face criminal sanctions in the following circumstances:

  • Falsifying OSHA documents
  • Advance notice of an OSHA inspection
  • Perjury during OSHA proceedings
  • Violating state criminal laws – The OSH Act does not preempt prosecution under state criminal laws, such as manslaughter or negligent homicide for work-related deaths and injuries.
  • Violating environmental laws.

Bill Would Make Collecting Health Information for Wellness Plans Easier

Legislation has surfaced in Congress that would allow employers to collect biometric and genetic information from employees and their family members as a precondition for participation in a company wellness program.

The bill would essentially repeal a portion of the Genetic Information Non-discrimination Act (GINA), which in part bars employers from collecting genetic information on employees or members of their family for certain wellness programs.

The GINA bars health insurers and employers from discriminating against people based on information that their genes carry – say, a family history of heart disease or stroke.

The law contains an exception for employers that collect information from employees for a voluntary wellness program, the kind with no carrots or sticks for participation.

It is aimed at wellness programs that offer employees discounts on their health insurance in exchange for participation. Wellness plans may require participation in a health risk assessment or that the employee meet certain fitness or health goals.

Under the Affordable Care Act, employers can offer discounts of up to 30% on health insurance to employees that participate in wellness plans. In some cases, the employer can offer up to a 50% discount if the employees meet certain health targets.

HR 1313 would allow employers to collect biometric information from employees and their family members as a prerequisite for participation in wellness programs that provide discounts or other financial incentives.

Employer groups have decried the GINA’s strict rules, which they say inhibit their ability to help employees improve health metrics like high blood pressure and obesity, among others.

Bill’s key language

HR 1313’s key language states that:

“The collection of information about the manifested disease or disorder of a family member shall not be considered an unlawful acquisition of genetic information with respect to another family member as part of a workplace wellness program.”

The bill passed along party lines in the House Education and the Workforce Committee (22 Republicans for and 17 Democrats against). It still has other committees to clear before the full House votes on the legislation and sends it to the Senate.

Proponents of the bill, like the American Benefits Council, say that it would preserve wellness plans, which they say have suffered under the GINA.

Why You Can’t Afford to Not Have Professional Liability Insurance

At some point, most businesses are involved in some type of legal dispute, be it over alleged bodily injury or property damage to a third party or financial injury to a competitor, client or vendor.

And you’d surely want an insurance backstop in case you are targeted, to help pay for legal costs and any settlements or judgments. The type of liability that your business is going to face will depend on the type of work that you do.

If you’re in a service trade, the chances of your work causing someone physical damage or harm are remote, but you could still be sued for not living up to your part of a contract or if your services caused a client to lose money.

The costs of defending against a lawsuit of that type could quickly mount, even if you come out victorious in the end. Those costs would have to be borne out of pocket if you didn’t have the appropriate insurance.

The costs of not carrying professional liability insurance in many service trades can be disastrous to your finances, as a lawsuit can catch you by surprise, even for work that you may have done years ago.

The unfunded lawsuit

Here’s a scenario that could leave you scrambling for funds. You run an engineering firm and a manufacturer sues your business after one of the machine parts that you designed failed, causing one of the client’s machines to seize up, resulting in $58,000 in damage to the machine and production downtime.

The lawsuit accuses your firm of negligence. Your business could be facing serious financial hardship as the suit asks for the cost of repairs and the lost production.

Here’s what you’re looking at:

  • Attorneys’ fees – Depending on where you live, these can range from $150 to $400 an hour, or more if you go with a topflight law firm.
  • Court expenses – Fees for copying, filing and other miscellaneous tasks all add up.
  • Other legal fees – You may need to call expert witnesses, as well.
  • Damages or settlements – Even if you try to reach a settlement with your client, they may opt to take the case to trial in hope of winning the full amount of the damages they are claiming.

You can see how the costs can quickly mount and if it gets to a damages or settlements stage, the costs will increase significantly.

You should know too that even if the case was frivolous, you’d still have to pay attorneys to defend it and file motions to have it tossed out of court. That alone could run you at least $5,000 in legal fees – a lot of money to pay out of pocket.

In fact, the U.S. Small Business Administration estimated in a recent study that legal costs for litigation ranged from $3,000 to $150,000, and only one-third of small business owners reported spending less than $10,000.

And there can be other fallout, as well. Perhaps word has gotten out about the lawsuit, damaging your reputation and your ability to attract new clients and retain existing ones.

And if one client has sued, others who may have held off and had similar experiences could also file suit.

Professional liability insurance

Insurance could have saved you from these significant expenses. The coverage, which is relatively inexpensive, is what’s known as “claims-made” coverage.

That means your policy must be active when the alleged incident occurred and when the claim is filed, in order to receive your benefits.

Client allegations that your work caused them a financial loss are often covered by a professional liability policy.

Professional liability insurance can cover errors and oversights with your work, as well as legal fees and the cost of settlements or judgments.

Cost: The average yearly cost of professional liability insurance for a small business, regardless of the limits chosen or the industry of the business, was $985.49 in 2015, according to the Insurance Information Institute. The median was $758.00.

GOP Releases Legislation to Gut and Replace ACA

House Republicans have filed legislation that would repeal most of the Affordable Care Act, including measures to eliminate the employer and individual mandates.

But from the get-go the legislation – backed by the House leadership – was panned by the GOP’s conservative wing, which said it doesn’t go far enough to completely get rid of the ACA, casting doubt on the prospects of it getting passed.

And Congressional Democrats immediately voiced their absolute opposition to the bill, vowing to vote ‘No’ on the legislation.

While passage in the House would be a bit easier, the slim 51-49 vote edge that Republicans hold in the Senate means it’s unclear whether the bill can pass in its present form.

But for now, this is the only piece of viable legislation that’s been floated to gut the ACA, and replace it with a scaled-down version.

The leadership is mindful that they cannot do an outright repeal, since it would affect some 20 million people who have been able to secure health insurance under the ACA.

The bill, called the American Health Care Act, would be phased in over time and would keep the ACA’s premium subsidies for policies purchased through insurance exchanges until 2020, as well as fund Medicaid expansion under the ACA for the same time.

This is just the first draft, and because of the opposition from conservatives in the Republican Party, the current version will not likely be the final one.

House Speaker Paul Ryan has said he wants to see the bill passed by Congress by the end of April. In other words, there will be a lot of work to do in very short order.

Here are some of the major provisions of the bill:

  • Eliminating the employer mandate that requires employers with 50 or more full-time or full-time equivalent workers to offer health insurance.
  • Eliminating the individual mandate requiring Americans to be covered either through their employment or by purchasing coverage on the open market or a health insurance exchange.
  • Ending the funding for Medicaid expansion as of 2020.
  • Converting Medicaid to a program of capped per-capita federal grants to the states, starting in 2019.
  • Eliminating the subsidies available under the ACA and replacing them with age-based, refundable premium tax credits to help people buy insurance. Under the ACA subsidies are based on income, not age, and the proposed age-based tax credits generally would be smaller than the ACA’s.
    The tax credits proposed by House Republicans would start at $2,000 a year for a person under 30, rising to a maximum of $4,000 for a person 60 or older. A family could receive up to $14,000 in credits.
  • Removing ACA taxes and penalties (adding a premium incentive for continuous coverage and allowing insurers to tack on a 30% surcharge for people who let their policies lapse).
  • Protecting employer exclusion (tax write-off for employers and pre-tax for employees).
  • Retaining the “Cadillac tax” on high-value plans, but delaying its implementation to 2025 from 2020.
  • Eliminating the requirement that plans must offer minimum essential benefits.
  • Offering states $100 billion over nine years to establish high-risk pools or other mechanisms for stabilizing the individual insurance market.
  • Allowing insurers to charge older individuals five times higher premiums than they charge younger people. That’s compared with the 3 to 1 ratio under the ACA.
  • Expanding and promoting health savings accounts.

The fate of the legislation remains to be seen, but as proposed it would surely not live up to President Trump’s promise that individual plans would be better and less expensive under the GOP’s ACA replacement.

We will keep you posted as the legislation develops.

Republicans Consider Axing Tax Exclusion on Employer-sponsored Plans

As work on trying to overhaul the Affordable Care Act continues, lawmakers are considering a bold and what would likely be a controversial move to eliminate the tax exclusion for employer-sponsored health benefits.

The amount of taxes that are not collected as a result of the exclusion amounts to about $216 billion a year according to the Tax Policy Center, and is therefore a significant pool of untapped funds.

The current exclusion has its roots dating back to World War II when the government ordered that wages be frozen and tax-free health insurance be available. The notion of now taxing the benefit would likely not go down well with anyone who currently receives employer-sponsored health insurance.

While economists have long hated the tax exclusion, workers and employers love it. Depending on how much you pay in taxes, the savings on the cost of expensive health benefits can be substantial. Most Americans under 65 benefit from tax savings associated with this policy.

The outline details how funds raised through the collection of these taxes would be spent on various aspects of the health insurance system like Medicaid, tax benefits for health savings account enrollees, and a universal tax credit-based system that would help individuals buy insurance on the open market.

The House committees are also struggling to deal with the tax credits established by the ACA to help individuals buy coverage on government-operated health insurance exchanges, and how to eliminate that system.

In place of the ACA subsidies, the House bill starting in 2020 would give tax credits – based on age instead of on income. For a person under age 30, the credit would be $2,000. That amount would double for beneficiaries over the age of 60, under the proposal.

Republicans are considering various proposals for the tax exclusion:

  • Cap the tax exclusion at a certain level, such as $10,000 in benefits.
  • Eliminate the tax exclusion altogether.
  • Phase out the exclusion over time.

The outline did not specifically state that any captured taxes would be used to pay for the tax credits, but analysts say that it would be funded this way.

Capped tax exclusion

If the capped method is implemented, it would likely set a maximum amount of benefits that would not be taxed – and any benefits over that amount would be taxed as salary.

Cap example

If Congress sets a cap of $8,000 for single coverage, a worker who receives $9,500 worth of health coverage paid for by his employer would not pay taxes on the first $8,000 in benefit. However, the remaining $1,500 would be treated as ordinary income and the full range of tax would be levied on the amount.

Both the employer and the employee would be exposed to the tax.

The danger is that the move could also spur states to adjust their laws to match federal law so that state income taxes are also captured on the benefit.

If talk of a cap sounds familiar, that’s because this is kind of how the ACA “Cadillac tax” was supposed to work. Under that measure, any health plan that is worth more than an established amount would be taxed at 40% for every dollar over the threshold.

The whole idea behind the Cadillac tax was that it would tax health plans that are deemed overly generous and hence do nothing to curtail the use of health services. But eliminating or capping the tax exemption would have no such effect, experts say.

We will keep you posted as the process develops.

Ransomware Becomes Biggest Cyber Threat Facing Businesses

Ransomware is turning out to be the biggest cyber threat facing companies in 2017 after attacks more than quadrupled in 2016 from the year prior, according to a new study.

If you are not familiar with this fast-evolving cyber threat, typically the perpetrators will essentially lock down your database and/or computer system and make it unusable, then demand that you pay a ransom to unlock the system.

The “Beazley Breach Insights Report January 2017” highlights a massive and sustained increase in ransomware attacks.

Another report, the “2017 SonicWall Annual Threat Report,” found that cyber criminals are shifting their attention from malware and other types of threat to ransomware – as evidenced by a significant decline in the former types of attack and a dramatic increase in the latter.

Here’s what SonicWall saw in 2016:

  • Unique malware attacks fell to 60 million from 64 million in 2015, down 6.25%.
  • Total malware attack attempts fell to 7.87 billion from 8.2 billion, down 4%.
  • Ransomware attacks exploded to 638 million attempts in 2016 from 3.8 million in 2015, up a massive 166 times!

SonicWall’s report estimates that around $209 million in ransoms was paid in the first quarter of 2016 alone.

“It would be inaccurate to say the threat landscape either diminished or expanded in 2016 – rather, it appears to have evolved and shifted,” said Bill Conner, president and CEO of SonicWall. “Cybersecurity is not a battle of attrition; it’s an arms race, and both sides are proving exceptionally capable and innovative.”

The unprecedented growth of ransomware was likely driven as well by easier access in the underground market, the low cost of conducting a ransomware attack, the ease of distributing it and the low risk of being caught or punished.

Ransomware is also growing in both sophistication and type of attack, and the hackers are proving to be inventive in how they can cripple your business enough to elicit the ransom.

When you are most vulnerable

And there are some times that businesses are more susceptible than others in being targeted for an attack.

“Organizations appear to be particularly vulnerable to attacks during IT system freezes, at the end of financial quarters and during busy shopping periods,” the report states. “Evolving ransomware variants enable hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the more valuable files unencrypted.”

Ransomware enters a company’s system in a variety of ways.

The most common method is an employee clicking on a link in a bogus e-mail, which opens the door for malicious code to start rifling through your systems. But more often than not, the employee unintentionally clicks on a link or sends information.

The types of attack will vary from industry to industry.

How Ransomware Infiltrates

  • Hack or malware: 40%
  • Insider: 7%
  • Unintended disclosure: 28%
  • Physical loss: 6%
  • Portable device: 6%
  • Other/unknown: 9%

Source: Beazley Plc (numbers for financial services industry)

Horror stories

  • Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to regain access to its data in February 2016.
  • Lansing Board of Water & Light paid ransomware attackers $25,000 after they had paralyzed the company’s information system in April 2016.
  • A four-star hotel in the Austrian Alps paid 1,500 euros (about $1,600) in bitcoin after ransomware had locked up the computer running the hotel’s electronic key lock system, leaving guests unable to enter their rooms.