New Bill Would Toughen Calif. Dam Inspections

DWR Photo: Lake Oroville on Jan. 19, 2018 with lake levels at 707 feet.

A year after the spillway collapse at the Oroville Dam, which led to evacuations of almost 200,000 residents and a beat-the-clock patching job to avoid a break in the tallest dam in the United States, new legislation to strengthen inspections of dams awaits the approval of California Gov. Jerry Brown.

The bill would require annual inspections for high hazard dams, raise inspection standards and require consultation with independent experts every 10 years, according to ABC News.

As reported by Risk Management Magazine, problems at the Oroville Dam began when the dam’s main sluice was damaged after a winter season of record rain and snowfall, following five years of drought. Torrential rainfall caused water levels to rise so quickly that large amounts needed to be released to prevent the dam from rupturing and sending a wall of water to the communities below.

A recent report on the root cause of the spillway failure by the Independent Forensic Team (IFC), which includes members of the Association of State Dam Safety Officials and the United States Society of Dams, notes that:

There was no single root cause of the Oroville Dam spillway incident, nor was there a simple chain of events that led to the failure of the service spillway chute slab, the subsequent overtopping of the emergency spillway crest structure, and the necessity of the evacuation order. Rather, the incident was caused by a complex interaction of relatively common physical, human, organizational, and industry factors, starting with the design of the project and continuing until the incident. The physical factors can be placed into two general categories:

  • Inherent vulnerabilities in the spillway designs and as-constructed conditions, and subsequent chute slab deterioration

  • Poor spillway foundation conditions in some locations

The IFC report concludes that all dam owners in the state need to “reassess current procedures” in light of its findings.

According to the IFC:

“The fact that this incident happened to the owner of the tallest dam in the United States, under regulation of a federal agency, with repeated evaluation by reputable outside consultants, in a state with the leading dam safety regulatory program, is a wake-up call for everyone involved in dam safety. Challenging current assumptions on what constitutes ‘best practice’ in our industry is overdue.”

Initial response to the spillway failure included erosion mitigation for both spillways during the incident, sediment removal and installation of temporary transmission lines at a cost of $160 million, according to the DWR. Phase two includes removal of the original 730 feet of the upper chute, replacing it with structural concrete.

Prepare Now for Ransomware

In 2017, a company was hit with ransomware every 40 seconds. Organizations in all industry sectors were subject to ransomware attacks, as these attacks often opportunistically take advantage of security shortcomings. The average ransom demand was more than $1,000.00—greater than three times the average in 2015. What’s more, one in five businesses that paid the ransom never got their data back.

So, how do you protect your business? First, make sure you are insured. While traditional policies provide little, if any, coverage for damage to electronic data—and none for other costs associated with cyber extortion—these losses are covered by cyber extortion insurance, which is available under many cyber liability policies. Cyber extortion provisions typically cover ransom payments and extortion-related expenses such as costs incurred in negotiating the ransom and restoring or replacing data or software.

But insurance is just one aspect of the protection your business should have. Companies also need to prepare an Incident Response Plan (IRP) that establishes responses to ransomware attacks. An IRP should be a “living, breathing” document that is consistently updated to ensure that its information and procedures are accurate and up-to-date. Typical topics addressed by an IRP are:

  • The Incident Response Team. The IRP must identify the team in charge of responding to ransomware attacks. This team should include an executive and inside counsel, and should provide back-ups in case first-line members cannot be reached. The IRP should contain 24-7 contact information for all team members, including means of contact that do not rely on the business-provided phones or email that may be affected by the attack. Additionally, the IRP should identify team members’ specific responsibilities, such as implementing security measures, investigating the attack, communicating with the extortionists, communicating with customers or the public, and notifying insurance carriers and law enforcement.

  • Detecting an Incident. The IRP should identify steps for employees to take if they suspect or detect a ransomware attack.
  • Approved Vendors. As you will likely need outside assistance to respond to an attack, your IRP should identify approved vendors such as outside coverage counsel, investigative and cybersecurity firms, and a PR firm to assist with external communications.
  • Reporting to Law Enforcement. The IRP should define when and how ransomware attacks must be reported to which law enforcement agencies. It should also address what evidence should be collected and preserved, and how. Ideally, these issues should be discussed with the relevant agencies ahead of time, which also helps build a cooperative relationship with them.
  • Notifying Insurance Carriers. The IRP should identify all insurance policies that could provide coverage for a ransomware attack and detail steps to comply with each policy’s notification requirements. Outside coverage counsel can assist with both identifying relevant policies and provisions, and following notification requirements.
  • Responding to Extortionists. The IRP must identify who communicates with the extortionists and who decides whether and how to respond to their demands. This should include steps for how to make potentially required electronic currency payments.
  • Investigating the Incident. The IRP should define who is responsible for investigating a ransomware attack and include a checklist detailing specific response steps. It should also establish procedures to increase the chances of identifying the extortionists, and to detect and address security vulnerabilities.
  • Documenting the Response. The IRP should set forth steps to document both your response to and your investigation of the attack, including contacts with the extortionists, the decision-making process resulting in a response, and the technical response and investigation, including the preservation of evidence. Such documentation may be required by regulatory agencies or insurers.
  • Public Relations. To facilitate communications about the attack with customers or the public, the IRP should assign responsibility for doing so and define steps for preparing and releasing such communications.
  • User Training. End-user training of all employees, including management, is key to preventing ransomware attacks. The IRP needs to contain procedures to ensure that all employees receive such training periodically, as common threats change over time.

Appropriate insurance coverage; an IRP that is consistently updated, including through “post mortem” evaluations following attacks; and up-to-date systems security are critical to prepare your business for—and to the extent possible, protect it from—potential ransomware attacks.

Thousands of U.S. Bridges Deemed Deficient

More than 54,000 bridges along the Interstate Highway System in the United States were rated as “structurally deficient,” according to a new analysis conducted by the American Road & Transportation Builders Association (ARTBA). This was just one of many concerning statistics detailed by ARTBA in its 2018 Deficient Bridge Report on Jan. 29.

Other critical details include:

  • The average age of a structurally deficient bridge is 67 years, compared to 40 years for non-deficient bridges.
  • Repair needs are identified among one in three U.S. bridges (226,837 total) and one in three bridges (17,726) along the Interstate Highway System (IHS).
  • There is the equivalent of one “structurally deficient” bridge for every 27 miles of the 48,000-mile IHS, which carries 75% of the nation’s heavy truck traffic.

The ARTBA report echoes the results of the American Society of Civil Engineers’ Report Card for 2017, wherein the U.S. received a grade of D+ based on the physical condition and needed investments for improvement. As reported by Risk Management magazine in 2017, the U.S. spends only 2.5% of its gross domestic product on infrastructure. The American Society of Civil Engineers estimated that, over the next 10 years, the gap between planned investments in infrastructure and investment needs could exceed $2.1 trillion, with the largest investment gap in the transportation sector, followed by schools, electric utilities and water/wastewater systems.

With Americans crossing these deficient bridges 174 million times daily, there is reason for concern among private citizens and companies. At the current pace of repair or replacement, it would take 37 years to remedy all of them, said Alison Premo Black, PhD, ARTBA chief economist, who conducted ARTBA’s analysis.

“An infrastructure package aimed at modernizing the Interstate System would have both short- and long-term positive effects on the U.S. economy,” she said, noting that traffic bottlenecks cost the trucking industry more than $60 billion per year in lost productivity and fuel.

The report was issued just ahead of President Trump’s first State of the Union address on Jan. 30, in which he identified a struggling infrastructure and requested legislation aimed at capital improvements:

Tonight, I am calling on the Congress to produce a bill that generates at least $1.5 trillion for the new infrastructure investment we need. Every federal dollar should be leveraged by partnering with state and local governments and, where appropriate, tapping into private sector investment—to permanently fix the infrastructure deficit.

Any bill must also streamline the permitting and approval process—getting it down to no more than two years, and perhaps even one.

National Public Radio reported that the White House initially called for a $1 trillion rebuilding plan but raised the stakes during the address, and specifically called out certain phrasing.

“That word ‘generates’ is important,” wrote NPR contributors in an analysis of the speech, “because this would not mean the U.S. government is spending $1 trillion.” President Trump has allocated $200 billion in federal spending on infrastructure. “The bulk of the $200 billion would go toward leveraging state and local money and private investment,” NPR’s David Schaper reported.

Workplace Sexual Harassment: More HR Guidance Needed

From news anchors, to titans of the entertainment industry, to corporate executives, and elected officials, headlines show no one is above the fallout of sexual harassment in the workplace. Millions of dollars have been paid in settlements and the once mighty have fallen in disgrace.

Yet, a belated resignation or termination doesn’t absolve the employer from legal action—and often leaves the aggrieved and/or juries wondering how the employer might have handled the situation better.

How can risk managers, human resources (HR), executives and companies they serve help prevent sexual or other forms of harassment? The question becomes more pressing now with the “Ending Forced Arbitration of Sexual Harassment” bill. The proposed legislation voids forced arbitration and allows disputes to proceed in court rather than in a confidential arbitration setting. Proponents believe the prospect of making these cases public will reduce such activity in the workplace.

Smart employers aren’t waiting on legislation to make workplaces safer, however. They are planning and training now to reduce sexual harassment and thereby mitigate risk and the potential damage claims affecting executives and employees across employer ranks. Ensuring such a workplace should result in fewer acts and reports of harassment and fewer insurance claims. As all employers are interested in the bottom line as well as a positive work environment, a more defensible posture against future claims should be top-of-mind for every risk manager and HR executive.

Old policies prohibiting harassment must be dusted off, reviewed, updated and publicized. These policies protect those whose accusations are proven to have merit or are brought in good faith, create consequences for those proven to have abused others, and should clearly define expectations and ramifications.

These strategies can help risk managers, HR teams, and employers keep their organizations out of the headlines:

  • Review internal policies and procedures. When was the last time your organization reviewed the HR policies and procedures manual? Older manuals may ineffectively address the issue, including under the Equal Employment Opportunity Commission (EEOC) guidance. Once updated, make the document available to the workforce in print and online. However, a manual of policies is only the beginning.
  • Training is not a one-time event for select individuals. To paraphrase Aristotle, inclusion training in the workplace is not an act, but a habit. Hire a professional skilled in workplace diversity and inclusion training, and make courses mandatory from the rank and file to the C-suite. Refresh the training every few years, and make sure every new hire is trained as part of onboarding.
  • Create a “See something, say something” culture. Sexual harassment is avoided best in organizations with a culture of transparency and accountability. Management must welcome reports of unwanted sexual advances, and then investigate such claims. Such activity reported but not acted upon can worsen the environment, and become powerful evidence for claimants in harassment lawsuits.
  • Establish a realistic reporting procedure. If protocol urges an aggrieved employee to report harassment to a direct supervisor—and that supervisor is the alleged perpetrator—an obvious conflict arises. Encourage employees to speak directly to HR or a high-level manager such as a division, general or plant manager. The reporting procedure should ensure that certain steps are taken so complaints are not swept aside.
  • Empower HR to investigate all claims. If HR receives a complaint, it has a legal obligation to investigate further. Even if the complainant fears an investigation could jeopardize the alleged harasser’s job, the law is clear that a prompt investigation must occur to stop any alleged harassment from continuing. Termination or disciplinary action is not necessarily required; often, claimants just want the behavior to stop. It could be immature or otherwise benign playfulness that crossed the line—behavior a simple discussion could remedy. Follow up with the complainant to ensure the behavior has stopped and to document that follow-up occurred.

Effective policies and procedures, in place and rigorously followed, can help employees know the organization takes sexual, racial, and other forms of harassment seriously; help insurers know you’ve established policies designed to protect both employees and the organization against incidents of harassment; and let those who might see million-dollar claims in the news and think they could be next know that you’ve set up your defenses.