Founded in 1864. An employee-owned company.

Risk Management & Loss Control Blog

Hope Still
Risk Management &
Sales Support Specialist

Marshall & Sterling, Inc.
110 Main Street
Poughkeepsie, NY 12601
845-454-0800 x-2272

Sign-up for Blog Notifications


April 14, 2017

Distracted Driving Prevention Month

[video: width:600 height:338 autoplay:0]


I’d like to start this blog post out with a quick fact: no matter how fervently we argue that it’s possible, humans are incapable of multitasking. We think we can do it, in fact we think we can demonstrate that we can do it. I mean, I’m currently writing this blog, listening to music, and sitting on hold, waiting for a conference call to begin. I think I’m simultaneously writing, listening, and thinking, but what I’m actually doing is shifting my attention to each activity individually - typing, singing off key, listening for voices on the conference call, back to typing… you get the idea. Multitasking is actually a mental juggling act between activities. While we can shift our focus in as little as a tenth of a second, with each additional activity we shift between, we diminish our finite mental resources - meaning that our working memory capacity is limited and therefore, with each additional task we shift between, we have fewer resources to allocate to that task, and take longer to shift between tasks. The end result is a severe reduction in our level of focus, quality of work, and precision in whatever we are doing. In fact, research has found that people speaking on their cell phones and walking were far less likely to notice what was going on around them, and more likely to run into other people - one study found that participants walking and talking on the phone completely missed a clown riding a unicycle past them (Hyman et al., 2009).

I share this because April is Distracted Driving Awareness month, and we, the exalters of multitasking, the do-ers of 9 million things a day, with time for 50 of them, are often guilty of diverting our attention from driving while behind the wheel. I know that we are all aware what the sources of distraction while driving are, and which ones we are personally guilty of (myself included), but let’s reinforce the reminder by running through some common ones: texting, emailing, talking on the phone (even hands free), yelling at the driver in front of you, yelling at the driver behind you, handing a toy to your child in the backseat, reaching for your coffee, spilling your coffee, digging through the glove box for napkins to clean up the coffee, looking at a map or GPS… you get the idea. By multitasking while driving, we exponentially slow our reaction time to stimuli around us. In a speeding vehicle, this translates to severe impairment in reaction time and enhanced likelihood of an accident. Drivers speaking on the phone, even hands free, while driving, can miss up to 50% of their driving environment including pedestrians and traffic signals. A recent AAA study indicated that people are distracted up to 27 seconds after they finish sending a text- not to mention, they’ve taken their eyes off the road to type it.

Tips to Reduce Distracted Driving

To minimize distracted driving, try to eat, groom, and make your phone calls before getting behind the wheel. If you must eat, try finger foods that are easily accessible, and will not cause panic if they spill onto your seats. That said, I’ll be realistic here, and say that you will likely need access to certain things that are potential distractions while driving - if you must, make sure said things - like toll money, your coffee, etc, are within easy reach and are not at risk for flying around the car as you drive. Further, try to make sure your children have everything they need in the back seat with them before you hit the road. If you are in the middle of a text “conversation”, it is advisable to the person know that you are about to get into a car and will have to continue when you arrive at your destination. If you know that you will be tempted to check your phone, fix your makeup, or do some other distracting activity, put the source of temptation completely out of reach before you start to drive. Routine vehicle maintenance is also imperative to reduce distracted driving; there’s nothing more distracting than running out of wiper fluid, or your check engine light coming on.

It’s Not Just You

Unfortunately, even if you are 100% attentive to the road, there are still those drivers who insist on multitasking, or distracted driving. So what should a driver do in the event that he or she notices a distracted driver? First, create space between you and the other vehicle. If you see the car in front of you going slow, swerving, and the driver is very obviously distracted, slow down to create more space between you. If you are in front of someone who is distracted, pull over to let them pass.

I find stoplights particularly stressful when it comes to being aware of distracted drivers. If a driver does not see the line of traffic coming to a stop, and crashes into the car at the end of the line, this could cause a chain of collisions up the line of traffic. To address this risk, I often leave space between my car and the one ahead of me so that I can move forward or to the side of the road if necessary.

Defensive driving instructors emphasize the “What If?” strategy to help drivers better focus their attention. The strategy suggests that while driving, one should look at the vehicles, pedestrians, animals, etc, around him or her, and think about what the driver, person, or animal could potentially do that could cause a problem for him or her. If this is done each block, or each mile, the strategy helps to train our minds to be alert and prepared to act. Environmental factors should also be considered. When driving in urban areas, the heavy traffic, narrow lanes, red lights, pedestrians, and cyclists create a distinct variety of exposure to an accident, as compared to a rural environment, where speeds are typically higher, and animals, slow farm equipment, and cyclists create an exposure to risk. The “What If?” strategy thusly encourages us to think about what could potentially happen in each unique environment.

Here at Marshall & Sterling, we are committed to safe, distraction free driving. If you would like more tips on safe driving practices, defensive driving courses, or risk management resources, please contact our Loss Control Department, or send me an email by clicking here.


December 30, 2016

OSHA Clarifies Recordkeeping Obligations

The Occupational Safety and Health Administration (OSHA) has issued a final rule amending its recordkeeping regulations, effective January 18, 2017. The final rule doesn’t add any additional or new recordkeeping obligations for employers, but acts to clarify that an employer’s duty to create and maintain work-related injury or illness records is an ongoing obligation.

The rule states that an employer remains obligated to record a qualifying injury or illness throughout the five-year record storage period, even if the incident was not originally recorded during the first six months after its occurrence - the period of time during which the employer was first required to record the incident. The five year storage period begins on Jan. 1 of the year following an incident. For example, the five-year retention period for incident reports created on Jan. 23, 2015, June 15, 2015, and Nov. 4, 2015, begins on Jan. 1, 2016.

Action steps

It would be prudent for employers to review their workplace injury and illness recordkeeping procedures and ensure that they allow for accurate and timely compliance with recordkeeping requirements. Bear in mind that the recordkeeping regulations were recently updated to require certain employers to electronically submit injury and illness data that they are already required to maintain; this new rule becomes effective January 1, 2017. More information on this rule can be found here.

Further, employers should audit their injury and illness records for any missing (qualifying) incidents that have occurred in the past five-year record storage period.

Recordkeeping Requirements

OSHA requires employers to create and maintain records of workplace injuries and illnesses that meet one or more recording criteria. Specifically, employers must:

  • Create and update a log of work-related injuries and illnesses (OSHA 300 Form);
  • Create and maintain injury and illness incident reports (OSHA 301 Form); and
  • Create and display an annual summary of workplace incidents (OSHA 300A Form) between Feb. 1 and April 30 of each year.
  • Electronically submit OSHA 300A form by July 1, 2017 if required to do so.

Penalties for Noncompliance

OSHA has the authority to issue citations and assess fines against employers that violate recordkeeping laws. However, in general, the OSH Act does not allow for a citation to be issued more than six months after the occurrence of a violation.

OSHA is of the opinion that a violation exists until it is corrected. Therefore, the six-month period to issue citations and assess penalties begins on the date of the last instance of the violation. For example, if a violation that started on February 1 was corrected on May 15, the six-month period would begin on May 15, and OSHA would have until November 15 to issue a citation.

OSHA also asserts that uncorrected violations are considered ongoing violations, and that each day of noncompliance is subject to a separate penalty.

The Final Rule

According to OSHA, amendment of its recordkeeping regulations was necessary, as previous regulations did not allow OSHA to enforce an employer’s incident recording obligation as an ongoing requirement. In fact, a federal circuit court held that the former regulations did not authorize OSHA to “cite the employer for a record-making violation more than six months after the recording failure.” The court also noted a discrepancy between the OSH Act and the regulations, and that while the OSH Act allows for continuing violations of recordkeeping requirements, the specific language in the regulations does not implement this statutory authority and does not create continuing recordkeeping obligations.

The federal court interpretation of previous regulations meant that employers were no longer responsible for recording or storing workplace incidents if OSHA failed to detect and penalize employers for omitted recordable incidents within the six-month period. For this reason, OSHA issued its proposed amendments on July 29, 2015.

Impact on Employers

The final rule and amended regulations do not create additional or new recordkeeping regulations, and employers will not be required to record incidents that they were not previously required to record.

This clarification simply makes it possible for OSHA to penalize employers for a recordkeeping violation within six months of the last date of noncompliance, not the first date when a violation occurs. OSHA believes that the clarification will encourage employers to comply with record-making and recordkeeping obligations even when these records are not produced within the first six months of when a recordable incident takes place. In other words, the clarification discourages employers from ignoring record-making and recordkeeping obligations solely because six months have transpired since the occurrence of a recordable incident.

This also means that OSHA now has a window of up to 66 months (five years and six months) after the occurrence of a recordable incident to enforce record-making and recordkeeping requirements.

An employer’s biggest take-away from this final rule should be an understanding that the amended regulations emphasize an employer’s ongoing duty to create and maintain records, and increasingly justify OSHA’s ability to assess penalties against a violating employer for each day of noncompliance, until the maximum penalty amount is reached or the employer corrects the violation.

For more information, contact us at


July 5, 2016

OSHA Increases Maximum Penalty Amounts


  • The 2015 Bipartisan Budget Act directed OSHA to increase civil monetary penalty amounts to account for inflation.
  • OSHA’s initial adjustment includes a 78 percent increase in penalty amounts for 2016.
  • OSHA will adjust civil penalty amounts for inflation every year, beginning in January 2017.

This past Friday, July 1st, OSHA issued an interim final rule that increases the civil penalty amounts the agency may impose on employers who violate workplace safety and health standards.  The increased amounts will apply for penalties proposed by OSHA on or after Aug. 1, 2016. These will include any penalties associated with violations that occurred on or after Nov. 2, 2015. OSHA will accept comments on the interim final rule until Aug. 15, 2016.  The increases, which are based on inflation, reflect an initial catch-up adjustment to update penalty levels that have not changed in over 25 years. The adjustment resulted in penalties that are about 78 percent higher than the current levels.

Action Steps

Employers should become familiar with the new penalty amounts and review their health and safety policies to ensure compliance with all OSHA standards.  Employers that have undergone OSHA inspections on or after Nov. 2, 2015, should be aware that the increased penalty amounts will apply to them if OSHA waits until Aug. 1, 2016, or later to propose any applicable penalties.


Under federal law, most agencies are required to account for cost-of-living increases by annually adjusting the monetary amounts they may assess as civil penalties. Because OSHA was excluded from those requirements in 1996, OSHA’s penalty amounts have remained unchanged since 1990.  On Nov. 2, 2015, however, OSHA became subject to the adjustment requirements under the Bipartisan Budget Act of 2015 (Act). The Act directed OSHA to make an initial “catch-up” adjustment through an interim final rule by July 1, 2016.  The Act also requires OSHA to make subsequent adjustments to the penalty amounts every year. The Office of Management and Budget must issue guidance for OSHA’s next increase by Dec. 15, 2016.

Catch-up Increase

On July 1, 2016, OSHA issued its interim final rule to implement the initial catch-up increases. The increased penalty amounts will become effective Aug. 1, 2016, and may apply for any violations found by OSHA since Nov. 2, 2015. The updated maximum penalty amounts are shown in the table below.

In addition to the increased maximums, the final interim rule increased the minimum penalty that OSHA may assess for willful violations. The current minimum for willful violations is $5,000. Under the interim final rule, that minimum will increase to $8,908. The Occupational Safety and Health Act (OSH Act) does not establish minimum penalty amounts for any other type of violation.  The interim final rule also clarifies that OSHA-approved state plans must provide penalty amounts that are equal to or higher than the federal OSHA penalties. State plans must make the initial increased amounts effective within six months after publication of the interim final rule (Jan. 1, 2017).

Annual Adjustments

After the initial catch-up amounts become effective on Aug. 1, 2016, OSHA must update its maximum penalty amounts based on the Consumer Price Index each year. The first annual inflation adjustment will be allowed for 2017. OSHA is required to publish annual updates reflecting the annual increases. These updates must be published in the Federal Register by Jan. 15 of each year.  If you have any questions, please feel free to reach out to Marshall & Sterling's Risk Management Department.


May 12, 2016

Summer Employment: Spotlight on Employing Minors

As Summer approaches, many teens will enter the workforce.  While employment of young workers has its benefits, employment of youth, who more are often than not, inexperienced, carries with it unique risk factors. The following are some tips to help mitigate those risks.  

  • First, be cognizant of your compliance with The Department of Labor’s Fair Labor Standard Act’s (FLSA) child labor provisions, which specify the hours and jobs that young workers can perform. For more information as it pertains to New York State Labor law, see here for non-agricultural employment, and here for agricultural employment. See below for some quick tips.
  • Recognize potential workplace hazards, particularly those that an inexperienced worker may be particularly vulnerable to.
  • Eliminate any issues present in your workplace that could injure a young worker (or any worker, for that matter!)
  • Ensure that the equipment to be used by the young worker is not only safe, but legal. There are quite a few regulations on use of machinery by minors, which is available in the link above.
  • Supervise young workers. Be sure to plan and provide for proper supervision should you or the young worker’s supervisor be unavailable.
  • Inform supervisors and other workers of the tasks that the young worker should not perform. Consider color-coding the young worker’s uniform so that others know they may not perform a certain task. Follow up with supervisors regarding young workers’ adherence to policy.
  • Label the equipment that the young worker cannot use.
  • Educate young workers to ensure that they recognize hazards and are competent regarding safe working practices. Training should include how to prepare for fires, accidents, violent situations and protocol for injuries. Young workers need to know that they have a right to file a claim to cover their medical benefits and lost work time if they are injured.
  • Ask young workers to demonstrate that they can perform their assigned tasks safely and correctly.
  • Implement a mentoring or buddy system for new young workers. Have either an adult or an experienced teen worker act as a buddy, and answer questions to help the inexperienced worker learn the ropes of the new job.
  • Keep your illness and injury prevention program updated.

Quick Tips – Employment of Minors


  • Keep records of a young employee’s date of birth, even after the minor has ended his or her time with your organization. Employers are required to maintain and preserve certain records, including the date of birth for all employees who are under 19. (See 29 CFR § 516.2(a). Employers may protect themselves from unintentional violation of the child labor provisions by keeping on file an employment or age certificate for each minor employed to show that the minor is the minimum age for the job. Although the Wage and Hour Division no longer issues age certificates, certificates issued under most state laws are acceptable for the purposes of the FSLA.
  • In general minors 13 years and under are too young for employment under the Federal child labor provisions. Permissible exceptions include delivering newspapers, babysitting, acting, and working for a parent who is a sole proprietor (in occupations other than mining, manufacturing, or anything prohibited by an HO). See 29 CFR § 570.2.
  • Minors 14 and 15 may not work more than 40 hours in a week when school is not in session. They may not work more than 18 hours in a week when school meets. They may work up to 8 hours on weekends, but not more than 3 hours on a school day. They may not be employed before 7 a.m. on any day. See 29.CFR § 570.35.
  • From June 1 to Labor Day, minors 14 and 15 may not work past 9 p.m. From labor Day to May 31st, they may not work past 7 p.m. See 29 CFR §570.35.
  • While 14 and 15 year old works are permitted to be passengers in motor vehicles, the minor may not be employed as a helper on motor vehicles. See 29 CFR. § 570.29, 29 CFR§ 570.34.
  • Minors under 18 generally may not drive any type of motor vehicle or work as an outside helper on public roads or highways. There is a limited exception to this provision that permits 17 year olds to drive an automobile or truck for limited periods of time when certain conditions are met. These condition include that the minor has a valid drivers license, the driving is only during daylight hours, the driving does not involve urgent time sensitive deliveries, such as delivering a pizza to a residence, and the driving is only occasional. See 29 CFR 570.52.

Construction, Landscaping, and Industrial

  • Minors under 18 may not be employed in most occupations in trenching and excavation, including working in a trench more than 4 feet deep. See 29.CFR § 570.68. They may not be employed in roofing operations. See 29.CFR § 570.67.
  • Minors under 18 may not use, assist to operate, set-up, adjust, repair, or clean circular saws, band saws, or guillotine shears, except machines equipped with a full automatic feed and ejections. They may not use chain saws, wood chippers, or abrasive cutting discs. See 29 CFR § 570.65.
  • Minors 14 and 15 may not be employed in any construction activities or on a construction site. A limited exception would apply for office work when not performed at the actual construction site. See 29 CFR § 570.33.
  • Minors age 14 and 15 may not be employed in any manufacturing or processing occupation. They are prohibited from working in or about any plant or processing establishment, or in any workroom or workplace where goods are manufactured, processed, or where explosives or articles containing explosive components are stored. See 29 CFR §750.33.
  • Minors are 14 and 15 may not be employed in warehousing and storage occupations. A limited exception would apply for office work. See 29 CFR § 570.33.
  • Minors under 18 may not operate or assist in the operation of an elevator (except passenger),  crane, derrick, hoist, or high-lift truck, and may not perform any work which involves riding on a manlift, high-lift truck, or on a freight elevator (except when freight elevator is operated by an assigned operator). They may not operate a forklift, backhoe, bobcat loader, front end loader, skid loader, schissor lifts, cherry pickers, boom trucks, and work assist platforms. See 29 CFR § 570.58.
  • Minors age 14 and 15 may not load or unload goods to and from conveyors, trucks, railroad cars or tanks, trucks, boats, planes, or other means of transportation.  See 29 CFR § 570.33. Such minors may load onto motor vehicles and unload from motor vehicles the light, non-power driven, hand tools and personal protective equipment that the minor will use as part of his or her employment at the worksite. See 29 CFR § 570.34.
  • Minors age 14 and 15 may not perform work involving operation, tending, or hoisting equipment whether power driven or operated manually or by gravity. Such equipment includes forklifts, scissor lifts, motorized hand trucks, patient lifts, winches, cart caddies, or QuickKart (used to move large strings of shopping carts) See 29 CFR § 570.33.
  • Minors 14 and 15 may not perform work requiring the use of ladders, scaffolds, or their substitutes. See 29 CFR § 570.33.
  • Minors 14 and 15 may not perform any work in connection with maintenance or repair of an establishment, machines, or equipment. See 29 CFR § 570.33.

Outdoor Recreation

  • Minors 15 years old may be employed as lifeguards and swimming instructors at traditional swimming pools, and most facilities of water amusement parks (except for at the top of elevated water slides) when certain conditions are met. The lifeguard must be trained and certified by the American Red Cross, or a similar certifying organization, in aquatics and water safety. The lifeguard must also be certified as an instructor if he or she will be acting as a swimming instructor. Such youth must be employed in compliance with all of the other applicable provisions of the federal child labor rules contained in the Child Labor Regulations No. 3, including the restrictions on the hours and times of day that 15 year olds may be employed. Youth 16 and older may not be employed as lifeguards at natural facilities such as rivers, streams, lakes, ponds, quarries, reservoirs, wharfs, piers, or ocean-side beaches. See 29 CFR 570.34.

Food Service

  • Minors under 16 are prohibited from performing any baking duties, including the weighing, mixing, and assembling of ingredients and the operation of pizza ovens and convection ovens. The use of warming devices to maintain the heat of cooked food is permitted. See 29 CFR § 570.33, 29 CFR § 570.34.
  • Fourteen and 15 year olds may perform cooking in the context of 1) the use of electric and gas grills that do not entail cooking over an open flame and 2) the use of deep fat fryers which are equipped with and utilize devices which automatically raise and lower the “baskets” but not pressurized fryers. See 29 CFR §570.33, 29 CFR §570.34.
  • Minors 14 and 15 may not perform work using a meat slicer. See 29 CFR § 570.33.
  • Minors 14 and 15 are prohibited from working in freezers and meat coolers. They may momentarily enter freezers, but not meat coolers, to retrieve items. See 29 CFR §  57-.33, 29 CFR §  570.34.
  • Minors 14 and 15 may clean, maintain (including the changing, cleaning, and disposing of oil or grease and oil or grease filters), and repair cooking devices (other than power-driven equipment) when the surfaces of the equipment or liquids do not exceed a temperature of 100 degrees Fahrenheit.

As you can see, there are quite a few regulations surrounding employment of youth, and this was just a very limited snapshot of the information that the Department of Labor requires employers to be aware of.

As you make your summer hires, please keep the risk mitigation tips and the compliance information above in mind, and feel free to reach out to Marshall & Sterling’s Loss Control team with any questions you may have about employment of youth.


March 25, 2016

Disaster Recover Plans & Terror Threat Assessment

The recent tragic events in Brussels, while still fresh in our minds, and sitting densely knotted in the pit of our stomachs, have woken many of us from the prosaic slumber of our daily routines. Some of us may have taken extra care to survey our surroundings during our morning commute, or taken an extra moment to reflect on life. The reality is, however, that after the shock wears off, and the media coverage all but disappears, many of us will fall back into the false security of thinking that this type of tragedy is a distant, remote threat.

Unfortunately, it is this mindset that leaves many unprepared in the event of a disaster, be it natural or human caused. Creating and maintaining a disaster recovery plan can prove critical to the wellbeing of your employees, customers, (and business). By planning ahead, you will be compelled to think through the best course of action for a variety of emergencies from the pre-event stage, through post- event stage, with a clarity of mind not present in the midst of chaos.

Disaster Recovery Plan

Some basics for creating a disaster recovery plan include:

  • Determine conditions under which the plan would be implemented, or the disasters that could potentially occur in your area. Identify backups for essential operations, supply chains, personnel, business functions, data processes, and communication channels.
  • Outline the steps that individuals will take in the event of different types of events (fire, severe weather, hazardous chemical spill, workplace violence etc). For example, during a severe weather or fire emergency, a headcount will take place in a previously agreed upon location.
  • Establish a clear chain of command, and designate tasks, such as who will take head counts and who those counts will be reported to.
  • Designate an emergency coordinator, who will be responsible during the initial phase of an emergency (generally this stage is defined by: discovery, activating the alarm, evacuation, employee accounting, initial response by off-site emergency services, etc.)
  • Maintain a 911 notification system, or method that is to be used in the event of an emergency to call outside services, such as police, fire, or EMS.
  • Maintain an emergency alarm or notification system, as a means by which to notify personnel on the premises of an emergency.
  • Create evacuation routes and maps, as well as a means by which to take accounting for personnel in the event of an evacuation. (This is one reason why having visitors sign in is important!) Be proactive with personnel who may have disabilities that may impair their ability to evacuate, and discuss with them ahead of time arrangements for evacuation. If you have non-English speaking employees, have the plans and procedures available in their language.
  • Discuss with and train employees on emergency procedures. This involves more than just handing them a booklet to read. Safety meetings, and emergency drills are critical to your employees and visitors safety in the event of an emergency.
  • Revise and update your disaster recovery plan regularly.

While this is just a brass tacks outline of the contents of a disaster recovery plan, thinking about these elements and collaboratively putting them to paper with your management team is a good place to start. Assessment of exposure to disasters and what such exposures entail is one of the most critical elements of disaster preparedness and recovery plan efficacy.

Terror Threat Assessment

Due to the nature of the Brussels event, I will now outline in greater detail how to assess for exposures to a terror attack, to keep in mind during the creation of your disaster prevention and recovery procedures.

Most attacks are not directly at a single business or individual, therefore, it is important to be aware of the general characteristics of terror-related incidents. The Department of Homeland Security and the University of Maryland recently released the latest statistics on the types of terrorist attacks that occur most often.

  • Bombings and explosions: 54 percent
  • Armed assault: 23 percent
  • Facility and infrastructure attacks: 7 percent

Because the most common types of terrorist attacks have the potential to devastate the infrastructure within a large area, it’s important to take structural vulnerability into consideration. Additionally, effective risk assessment must also take into consideration not only the safety of employees and customers, but also nearby pedestrians.

The first step is a general assessment. During your initial assessment, you should determine the standoff distance around the entire perimeter of your facility. This is the distance at which you can prevent an unscreened person or vehicle from approaching your business, and it is determined by the effectiveness of your facilities, employees and security procedures.

Once you have completed your general assessment, you can use the information you gathered to determine the potential impact of an attack on your business to help you focus your resources on preventing or mitigating the damage of an attack. There are three key exposures or areas of vulnerability to bear in mind when conducting your assessment:

  • Structural stability:  Analyze how various locations around your facility could be damaged by an explosion or bomb. Remember to consider explosions that originate from both inside and outside the building.
  • Personnel vulnerability: Consider where your employees and customers are usually located in and around your business. If they are all centrally located, they will be much more vulnerable during a terrorist attack. Make sure that everyone in the building has easy access to multiple exits in the event of an attack.
  • Operational continuity: Consider the vulnerability of any key equipment or other vital materials. An attack could cripple your operations if important equipment or data is lost. If possible, don’t keep all of your resources in just one area, and make sure that all of your records are backed up at a separate location.

Using the information gathered through your initial and risk assessments, you will be able to create a set of procedures to include in your disaster recovery plan in the event of a terrorist attack. My hope is that said plan will never have to be used, but having one in place can prove lifesaving.

Strategic assessment and planning is critical to the development of a disaster recovery plan and terror threat assessments. Should you require any assistance in developing these, Marshall & Sterling’s Risk Management team is here to help.


February 28, 2016

Managing Cyber Security During a Merger or Acquisition

Amidst the commotion of a merger or acquisition, company data becomes particularly vulnerable to cyber attack. Data transfers must proceed without a hitch, or companies risk damaging reputation, losing customers, and hurting future sales. All the while, legal responsibilities must be considered and upheld before, during, and after the data transfer process.

To be sure that you’ve covered all of your cyber security bases, consider the following:

  • Identify all data assets that will need to be transferred.
  • Gather and merge all data standards, policies and processes from employees at both companies.
  • Identify potential risks that could occur during data transfer.
  • Prior to any data transfers, ensure data is backed up.
  • Run background checks on any employee who will be involved in the data transfer process.
  • Craft a business continuity plan to prepare for potential data loss or outages during the period when the transfer will be occurring.
  • Assign one high-level person the job of overseeing all data transfers. They will have the task of dividing and conquering by assigning one person to each data asset that needs to be transferred.
  • Legally transfer ownership of data assets as quickly and completely as reasonably possible.
  • Host training sessions on new data standards, policies and processes.
  • Update disaster recovery plans, business continuity plans and emergency plans to include newly acquired data assets.
  • Update the risk profiles for newly acquired assets.

Preparing for Data Transfer

Planning for data transfer should begin as early in the merger or acquisition process as possible. It is wise to assign one person the task of overseeing all data transfers to minimize risk of miscommunication or error. That person can then delegate smaller tasks, such as identifying data assets, identifying potential risks during transfer, and making sure the data transfer is in compliance with federal or provincial law, but the person in charge should be aware of the current status of all tasks at all times. This person should also manage the implementation of the interim business continuity plan so that daily operations are disturbed as little as possible.

Keep in mind that if the acquired company has already completed portions of the data transfer or consolidation tasks, the work already done will need to be thoroughly reviewed to ensure accuracy.

Consider relocating IT employees from the acquired company early so that they can help with the data transfer and risk identification process, as they will be more familiar with their data and systems. Sufficient time should be mapped out to allow any older data to be converted for use in newer software and programs; doing this sooner rather than later can also save you from unexpected delays in data transfer in the event that the data conversion does not go as smoothly as planned.

Finally, ensure that your system configuration records are up to date prior to any data transfers or consolidations. This will help isolate any issues that might occur and allow for an effective fix.

Good Practices for Data Transfer

Even if your company is completely prepared for the data transfer, it’s still possible that issues will arise during the process. The following are some good practices your company can utilize to minimize these risks:

  • Try to avoid using any kind of removable media to transfer data from one place to another. If the only method you can use is removable media, then take extreme care to be sure all records are encrypted, especially if they involve personal information.
  • If you have any data that isn’t getting transferred, you should dispose of it safely and completely to ensure it cannot be stolen.
  • Do not try to move all data at one time. Set small goals to complete every day or week to prevent an overload on your system or large, messy mistakes.
  • Consider halting some of your company’s cyber services until all data has been switched over in order to protect the services from being adversely affected by the transfer. Another option would be to run a similar service until data has been transferred.
  • Increase protective monitoring systems to prepare for the possibility of a disgruntled employee. Mergers and acquisitions can be uncertain times for employees, whose roles are often modified or eliminated to accommodate a new company structure. Update all clearances and access capabilities for employees based on new roles and duties.

The Big Picture

Safe and secure data transfer during a merger or acquisition is of utmost importance. Communication is crucial during this time, and basic duties and responsibilities should be quickly and accurately laid out and assigned to employees before, during, and after the transition. Data transfer is not just about preventing and managing a compromise or interruption to services; your customers’ and stakeholders’ needs and concerns must also be kept in mind. Most importantly, ensure your new and existing clients know that you’re keeping their data safe.

If you have questions regarding data transfer during a merger or acquisition, or regarding cyber security in general, Marshall & Sterling’s Loss Control Department is here to help!