Just when you think it's safe to go back in the water... We have taken a look at the complexities of the new GDPR (General Data Protection Regulation) in past issues, but now we have the even newer CCPA (California Consumer Privacy Act) which is scheduled to take effect 01/01/2020. The GDPR is a European Union regulation, but of course it impacts every organization which has any activity in the EU. Likewise, the CCPA is a California state regulation, but it is specifically extraterritorial and impacts every organization with business in California or which involves citizens of California. Since the Golden State is over 10% of the US economy, the chances are pretty good that, whatever your industry, wherever your home office, CCPA probably impacts you.
CCPA appears to be even more sweeping than the GDPR. If you're just getting up to speed on this development, you might want to check out a GDPR/CCPA cheatsheet* recently put out by the Wirewheel organization which may help you organize your response to the CCPA, assuming you already have a GDPR compliance project underway. Wirewheel also has more detailed "how-to" materials for CCPA on their website. For a deeper dive, there are several compliance starter kits available on-line. We like the neat summary provided by Dentons** for its clarity and brevity.
The point is that CCPA blazes its own trail with its own definitions of key privacy concepts. The one thing that the CCPA does not do is make clear what exactly compliance looks like, so good faith errors are a distinct possibility until court decisions fill in the blanks. That shouldn't take more than another, oh, say five to ten years. In the meantime, plant as many risk hedges as you can around both CCPA and GDPR. CCPA is big and it has the potential to become ugly as we all scramble to figure out what it really means.
*Need we add that this is not qualified legal advice? This little cheatsheet should be used only as a thought jogger to help you outline your efforts to develop CCPA compliance.
PT: Cause or Cure?
Most of us with comp claims dirt under our fingernails have wondered about the use of physical therapy in treating typical musculoskeletal industrial claims. How much is too much? Is there a point at which further PT promotes lost time costs rather than prompt RTW? Two researchers at the Department of Population Health at the Dell Medical School at UT Austin have delved deeply into this question. Their report in the August issue of The Journal of Occupational and Environmental Medicine (JOEM) (available only to members of the American College of Occupational and Environmental Medicine) provides some well-researched observations and conclusions based on their study of some 192,197 closed comp claims in Texas.
This summary cannot reflect the careful nuances of their presentation, but the short answer is that more than 15 PT visits in a given claim may be either ineffective or counterproductive. In their analysis, more extensive use of PT did not correlate with enhanced claim outcomes at MMI. Quite the opposite. As the authors note, "of particular concern was the observation that injured workers who were subject to 15 physical therapy visits had excessive medical claim costs and lost time." They go on to note that these excessive costs do not appear to be related to or justified by more severe injuries. In other words, the overuse of PT is often not driven by appropriate clinical indicators. The authors note that limits on PT are built into evidence-based clinical guidelines. Their dry conclusion: "Our study indicates that these restrictions may be appropriate."
The course of PT treatment for a given claim is prescribed by the treating physician, subject to review as part of the claims management process. Our takeaway from this tightly argued and well-researched report is that it underscores one more element in the importance of physician panels and the consistent use of those panels. This JOEM report is one more piece in a growing body of research showing that clinical guidelines work. Are you and your TPA on the same page here?
An early example of clinical guidelines - for treating wounded people in air-raid shelters during the Blitz in 1939. Not a radically new concept.
Quick Take 1:
The Printer Did It
The CEO of Red Balloon, a New York City-based cybersecurity company, recently said, "This is probably the most important cybersecurity threat that we have today because these computers control every single aspect of our critical infrastructure that we depend on every single day." Now then, fellow risk mavens, what computers might he have been referring to - servers? Laptops? LANs? Eh? According to an article published on CNBC last week, he was referring to your peripherals - your printers, your office phone system, even your building's HVAC control system - any embedded computers which use microprocessors. Any one of these units can become a highway into your system environment. The big Target hack of a couple of years ago entered their system through peripherals which reported to their point-of-sale system.
The Internet of Things has a very dark side. It's simply a new version of the "weakest link" attack. Does that phone on your desk support IP for internet calls? If so, it's really another computer disguised as a mild-mannered handset - and it can probably be hacked. So, what other devices does your phone communicate with? Camera security systems have been hacked. Even baby monitors have been hacked, although you probably don't have many of those in your operations. The point is, each device, and each class of devices, has to be scrutinized for possible security lapses.
Until recently, we thought of systems security in terms of big, honking firewalls, two-factor authentication, anti-phishing awareness, and other company-wide processes and applications. That's not enough nowadays. It may not be your imagination, friend. Maybe your desktop printer really is spying on you. And what about that new refrigerator in your kitchen?
Quick Take 2:
Invoking Article 5
An item in the UK's Daily Telegraph caught our attention a few days ago. Perhaps it should catch yours as well. The Secretary General of the North Atlantic Treaty Organization (NATO) warned last week that a cyber strike similar to the computer hack that crippled National Health Service hospitals in the UK in 2017 could trigger a revenge attack from all NATO allies. Secretary Jens Stoltenberg was explicit: a similar attack could in the future trigger Article 5 of the NATO founding treaty, which commits member nations to treating an attack on one member as an attack against all.
Faithful readers of this Journal will recall that a major insurance carrier recently denied an enormous claim caused by a highly destructive international hack under the subject policy's act-of-war exclusion. Looks like NATO just endorsed the concept that certain types of hacks are indeed acts of war. Where does this leave you? What happens if the Cold War concept of MAD (Mutually Assured Destruction) is applied to cyber war and your systems become collateral damage? Bear in mind that corporate systems are the soft targets in this kind of warfare.
Do the policies you rely on for recovery and restitution after a cyber attack have act-of-war exclusions? Do you, your broker, and your carrier have a mutually clear understanding of how and when those provisions do or do not apply? There are no front lines in our new three-way cold war in cyberspace, and there are no non-combatants. Are you ready if NATO invokes Article 5?
Whose server farm was that?
FINALLY! The Penny Drops in Baltimore
You'll recall that Baltimore recently became the poster child for the slow-on-the-uptake movement so popular with local governments when it declined to act on its first hack attack and then got hit with another, far more serious exploit. The Baltimore Sun recently covered the story of Baltimore's halting return to grace. Yes! The Sun reports that "Baltimore officials on Wednesday voted to transfer $6 million from a fund for parks and public facilities to help pay for the devastating impact of the May ransomware attack on the city." Not only that, they are now seriously pursuing a new insurance plan to cover any future cyber attacks.
Ecclesiastes had it right: The words of wise men are heard in quiet more than the cry of him that ruleth among fools.