As technology evolves, unfortunately, so do ways to hack that technology. The recent cyberattacks on several casinos in Las Vegas are just one example of the growing concern about cyberattacks on businesses and the tremendous consequences and liability that may result from such attacks.
Could OSHA be one such concern? At first blush, any direct connection between cyberattacks and safety and health issues may seem tenuous. For certain, there is no specific OSHA standard addressing cyberattacks as a workplace hazard. Theoretically, cyberattacks might have an effect on workplace safety and health. For example, if a cyberattack compromised an electronic guarding system, which resulted in an employee injury, a guarding-related standard may arguably be relevant. Similarly, if a cyberattack compromised the use of robotic machinery, which then injured an employee, certain OSHA standards might be implicated, such as lockout-tagout, depending on the underlying facts. However, even these conceptual ties to specific standards would be a novel interpretation.
In the recent casino cases, cyberattacks appear to have disrupted certain parts of business operations, including access to rooms using key cards. If the disruption of access to certain areas created a safety issue, or if the cyberattacks shut down power and lighting in certain areas and employees were injured directly due to those conditions, then arguably OSHA’s general duty clause would need to be considered. Of course, the general duty clause requires employers to take “reasonable” steps to prevent or lessen recognized hazards. Even in today’s evolving technological world, it would be a stretch to interpret the general duty clause so aggressively as to require employers to take certain affirmative steps to prevent cyberattacks as an OSHA compliance issue.
That said, it may be a matter of time before one of these cyberattacks results in a serious employee injury. If such injuries become more common, OSHA might consider the application of the general duty clause. Regardless of whether OSHA eventually ventures into this area, it is clear that, for numerous other business reasons, all employers need to carefully consider strategies to protect themselves against cyberattacks to avoid what could be a tremendous liability, including but not limited to breach of personal data.