Transportation a top 10 target of cyberattackers, cases nearly triple last year

Jason Cannon

 

A recent study conducted by data collection experts SOAX, utilizing data from the Identity Theft Resource Center on the number of data violation cases from 2020 to 2023 by industry, revealed the United States experienced a total of 3,205 data breaches in 2023, a 78% increase from 2022.

The transportation industry saw 101 data violation cases last year. The number of cases is up more than 181% from the year before, and the 101 incidents logged last year match the total number of cases from 2020, 2021 and 2022 combined. In all the segments ranked by SOAX, no other industry saw a year-over-year increase larger than transportation, with only the financial services sector coming close (177%).

“While the study highlights a significant increase in cyberattacks across all sectors, the particularly steep rise in the transportation sector underscores the urgent need for enhanced cybersecurity measures,” Stepan Solovev, CEO and Co-founder of SOAX, told CCJ. “Cyberattacks affecting public services such as transportation could majorly affect the day to day lives of average Americans, as shown by the staggering 12 million victims who were impacted by cyberattacks within the transportation sector in 2023.”

Troubling news for trucking’s transition to battery electric trucking is that, despite ranking fourteenth with just 44 data breach incidents, the utilities industry had the highest number of victims in 2023, according to SOAX. A staggering 73 million individuals were affected by data breaches within this sector, highlighting its vulnerability and making it the most at risk for aggressive cyberattacks targeting people.

“The study has identified a concerning sharp rise in cyber incidents across all US industries in 2023, which is particularly alarming,” said Solovev. “The increase in attacks demonstrates that cybercriminals pose an increasing threat. Industries must adapt and evolve with these technological advancements to ensure they are protected from cyberattacks.”

The transportation and shipping sectors generated 53% and 45% of global ransomware detections, according to data from cybersecurity company Trellix.

“The last six months have been unprecedented – a state of polycrisis remains and everything from elections to warfare to law enforcement activity have accelerated cyber threat actor activity globally. We’re seeing radical shifts in behavior,” said John Fokker, Head of Threat Intelligence at Trellix. “The cat and mouse game of cybersecurity is becoming more complex. Security leaders need more operational threat intelligence in order to outpace cybercriminals.”

ATRI: Value of Risk and Safety Per Annual Operating Expense

Doug Marcello
Why It Matters
The value of safety and risk is not theoretical. ATRI’s Annual Operational Cost of Trucking Study quantifies its value and importance to the bottom line. And with anticipated premium increases, it is now more vital than ever to reduce risk so that an insurance captive is a financially viable alternative for your company.

The Big Picture
I recently wrote that safety was an investment, not a cost. Management and operations should not think of it as a burden, but as a protection of the bottom line.

This value is brought home by ATRI’s Annual Operational Cost of Trucking Study for 2024. Get a copy at: An Analysis of the Operational Costs of Trucking: 2024 Update (truckingresearch.org)

Insurance and risk are major expenses. The report quantifies the amount and demonstrates the crucial need to act to minimize this exposure.

The Numbers
For those in your organization that thrive on the quantifiable—you know, if you can’t count it, it doesn’t exist—here are some data points for them. And these do not include PD coverage.

Average Marginal Cost of Insurance Premium
$.099 per mile or $3.99 per hour.

Think about it: Your insurance costs you ten cents for every mile you run. Four dollars for every hour your truck operates.

Consider that in relation to your rates. And your bottom line.

The bad news—in 2014 premiums were $.071/mile and $2.86/hour. That’s an increase of almost three cents per mile and almost $1.20/hour.

I became an attorney to avoid math, so check me. And I defer to the mathematically inclined to do the percentages.

These costs per mile vary per region of the country:

  • Midwest: $0.083
  • Northeast: $0.092
  • Southeast: $0.104
  • Southwest: $0.097
  • West: $0.105

And LTLs—average cost at $0.045/mile.

Increase 2022-2023
Insurance premiums increased 12.5% in 2023 from the prior year. ATRI did the math, so it is correct.

The only item to increase more was tolls (21.4%). Wages “only” increased 7.6% and benefits only 2.7%.

Worse news—the “word” is that last year’s premium increase percentage will pale in comparison to this year. I’m hearing increases of 15%-25% this year.

The Total Cost of Risk
Premiums are just the beginning. If you’ve read my articles or heard me talk, it is the Total Cost of Risk that matters.

More importantly, it was a key element of the ATRI study on Impact of Rising Insurance Costs on the Trucking Industry: The Impact of Rising Insurance Costs on the Trucking Industry (truckingresearch.org)

“Total Cost of Risk”? Premium plus deductible/retention plus cost of risk reduction technology.

ATRI analyzed the first two—premium plus the out-of-pocket deductible/retention amount. The overall industry average out-of-pocket expense per mile was $0.036 in 2023 (or $1.44 per hour). That would make a total (premiums + out-of-pocket expenses) of $0.135 per mile or $5.43 per hour.

What it found, per the combined premium plus out-of-pocket expenses based on fleet size, was as follows:

  • Less than 5 trucks: $0.175/mile
  • 5-25 trucks: $0.204/mile
  • 26-100 trucks: $0.171/mile
  • 101-250 trucks: $0.136/mile
  • 251-1,000 trucks: $0.132/mile
  • More than 1,000: $0.110/mile

Action
Inactivity is not an option. You must attack the problem as you would other costs. You’ve read and heard me before:

  • Proactively prepare to avoid exposure—avoid “Death by Dogma”;
  • Attack the “Dark Period” when billboard attorneys gin up damages;
  • Respond immediately—prepare today for accident response;
  • Litigate aggressively and be prepared to go to trial.

If you haven’t read or heard me on this,

  1. Where have you been? and
  2. Check out my Substack Transport Center, YouTube Doug Marcello – YouTube, and Podcast @TransportCenter on Apple Podcast

Bottom Line
It’s the bottom line. A bottom line impacted by insurance premiums and out-of-pocket payments. Further proof that safety is not an expense as much as an investment.

 

How to mount an effective DataQs challenge

Todd Dills & Max Heine

Clark Freight Lines, with 180 trucks, used to routinely file lots of DataQs RDRs (Requests for Data Review) but met with little success, said Vice President Danny Schnautz. He gave the example of a violation for an air leak that wasn’t in fact a safety violation.

“What we found out was it made the police department really mad,” he said, particularly when the challenge was filed with little in the way of hard evidence. “Now we don’t dispute it unless we have real proof.”

Depending on what the violation is, and how attentive to the allegation any individual operator was during the inspection, such well-backed cases might be few and far between. Even photographic proof, sometimes, doesn’t do the trick if it’s less than conclusive, Schnautz said.

He and others bring plenty of advice to the table about pursuing RDRs.

Navigating the system itself can be one challenge, but the most common hurdle is gathering enough evidence to make a persuasive case.

Focus on evidence and facts

As Schnautz suggests, setting up a successful DataQ begins at the scene of the crash or routine roadside or weigh station inspection. “I’ve worked with thousands of DataQs,” said Chris Turner, CVSA’s director of crash and data programs and a former Kansas Highway Patrol officer. “The best thing you can do as a carrier is to make sure your DataQ is legitimate.” Before ever filing, have the evidence on hand to communicate “not just where you feel something is wrong. Make sure you have an underlying set of facts that this is wrong.”

In Eagle Express owner Leander Richmond’s case detailed in the first part of this series, he came armed with the set of facts that accompanied his driver being pulled over and inspected, where a violation of the federal handheld-cell-use regulation was noted in an inspection report. He pointed to the language of that regulation, also adopted in Michigan state code (where his driver had been stopped), to show the rule as written was not violated by his driver.

Be savvy with your attitude

Eagle Express owner Leander Richmond eventually had to bring to enforcement’s attention the language of the federal handheld-cell-use regulation to finally convince them that his driver had not violated the law.

Turner, formerly a trooper and leader with the Kansas Highway Patrol’s truck-enforcement unit, urged those receiving a violation to “ask the officer to explain it” at roadside. Too often, when drivers are stopped they “freeze up a little bit.” He encourages fleet managers to train drivers to really engage with the officer about his thinking when violations are written in the first place.

Understanding the officer’s rationale, if it turns out to be in contradiction with whatever regulation he/she believes you’re violating, will give you part of what you need in any eventual challenge.

An officer’s writeup might be clearly incorrect, but in RDR filing “you don’t necessarily want to tell the officer they’re wrong because it’s not going to be received that well,” said Christopher Haney, director of safety and human resources for Payne Trucking, a 130-truck fleet based in Fredericksburg, Virginia. Instead, focus on “the regulatory perspective.” Make sure you or your drivers know enough to be able to collect the evidence to show where an officer “may have misunderstood the situation.”

Document the scene and equipment

“After a crash,” Turner added, “make sure everybody’s OK, then take the time to walk from one side of the scene to the other and snap photographs and take pictures of any violation – you want as many of the violations to be [marked] post-crash as possible.” Equipment problems that resulted from the crash “won’t be counted in your [carrier] SMS or [driver] PSP” profiles, where violation records are kept and made available to the public and prospective employers.

Carriers and drivers who are diligent during roadside stops and post-crash inspections “have a way higher success rate” than others, Turner said.

In one case for Payne Trucking, the company had a crash reported to its profile because the officer recorded the car in the collision as requiring a tow-away from the scene. (Accidents are recordable and become associated with a carrier’s record if there’s a fatality, an injury, or vehicle damage sufficient to require a tow-away.) However, a dashcam in the Payne truck “showed the officer getting into the car and driving it around … to where the truck picked it up.” The evidence effectively removed the crash from the carrier’s profile.

Haney echoes Turner when it comes to post-crash inspections, too, and the need for on-scene diligence for any driver. A driver’s notes and pictures about post-accident damage can mitigate against an inspector’s failure or error in designating violations as caused by the accident, a problem Haney says has gotten less prevalent in recent years.

“If they don’t identify on the inspection that these were post-accident damage, then it gets counted on the CSA BASIC,” he said. Such errors must be challenged, he said. In some cases, “this determines whether or not you get insurance next year.”

Another source of on-the-scene facts can be notes made by the inspecting officer, Haney said, which many truckers and carriers don’t realize they can request. Those notes can provide helpful information, such as giving insight to the officer’s rationale behind a violation.

Preparing to file a DataQ

If you’ve never filed an RDR, you’ll need to set up a Federal Motor Carrier Safety Administration portal login to access the system if you’re a carrier with authority. If you’re a driver or leased owner-op, establish a login directly within the DataQs system itself, via DataQs.FMCSA.DOT.gov. There you’ll see the login module and the “My DataQs” section, where you start any review request.

“Make sure you get all your ducks in a row before you submit the DataQ,” said Trooper Jeremy Disbrow of Arizona. He said the fairly intuitive system guides you through the process to attach evidence, whether photos or electronic-log data downloads or other supporting documents.

Before starting, though, make certain you have what an FMCSA spokesman, speaking on background, referred to as the “report number” for the record you’re challenging. That should be shown in the CSA Safety Measurement System profile for your business or the Pre-Employment Screening Program report if you’re a driver or leased operator.

A police accident report, for instance, will likely have a different report number, the spokesperson said, so be sure to use the right one. If you provide the right record number and the inspection and violation are already within the system, DataQs will pre-populate much of the other information that the agency normally requests — the inspection report number, the issuing state and date of inspection.

Be thorough and professional in filing

In your RDR, use language that shows intent to “be thoughtful, clear and concise in describing what the error is believed to be,” said the FMCSA spokesman, keeping in mind there are hardworking folks in the various state jurisdictions and in FMCSA itself on the other side of the computer “reading, reviewing and, ultimately, making a decision … The FMCSA team strives to conduct themselves with courtesy, professionalism and respect – and such mutuality is appreciated.”

By submitting all required and otherwise pertinent information up front, said Disbrow, “it helps us get through more quickly” once the request makes its way to the appropriate state jurisdiction, if need be. “Usually, doing a back-and-forth over the span of weeks is what delays that process when we have to keep requesting documents.”

Don’t forget the final step in the process. Too many filers “do not carefully read and follow the instructions on the DataQs website,” said the agency spokesman. “Occasionally, we will learn about requests being automatically closed or otherwise rejected for the simple reason that the requestor failed to click ‘submit.’”

After you’ve filed

Expect to wait a few weeks, or longer if you’re asked to submit other documents. The time to close reviews averages around two weeks, federal DataQs data shows.

If your request is denied, don’t be afraid to appeal, said CVSA’s Turner. While there’s not an actual “appeal” button in the system, Turner advises using the “reply again” function to “ask for an appeal to a secondary level or for a state training officer to look at it. They can usually look at it and say, ‘Yeah, that’s right,’ or not.”

Some states, like Minnesota and Arizona, have appeals review boards they convene for intractable disputes, but most don’t. When requesting an appeal above the first level, Turner notes the possibility of asking for review of any officer-shot video or inspection notes if it conceivably would back your argument. 

Don’t neglect adjudicated citations

In 2014, FMCSA announced this policy for dealing with inspection-report-noted violations with associated citations adjudicated in a court of law. With the exception of a conviction of a lesser charge or the levy of punitive fines and court costs, adjudication of a citation can result in removal of the associated violation from carriers’ Safety Measurement System profiles and drivers’ Pre-Employment Screening Program reports. The SMS record can be a key element of a carrier’s ability to do business with freight partners and obtain affordable insurance. Hiring carriers rely on drivers’ PSP reports in vetting backgrounds before a hiring decision is made.

Perhaps the simplest route toward success in a violation challenge is when you’ve received a not-guilty verdict in the court system for something associated with the citation/ticket. In 2014, FMCSA introduced a policy to remove violations from its system or reduce severity weighting if a ticket was thrown out by the court or if the cited driver was convicted of a lesser charge.

While this can prove to be low-hanging fruit, it can take a lot of time. The agency will ask for the inspection report number, the issuing state and date of inspection. For the citation, then, it wants the citation/ticket number and associated violation codes on the inspection report. Copies of court documentation, too, are required, and copies of both the ticket and inspection report are recommended.

As illustrated in the graphic from Part 3 of this package, violation challenges associated with citation adjudication are more likely than any other category to be successful, so don’t neglect to file a DataQ after a favorable court resolution of a ticket.

In some cases, this isn’t an option. Inspection-report-noted violations that accompany written warnings, such as for speeding, can’t be taken to court – and therefore adjudicated – because no citation was issued.

SAFETY AS AN INVESTMENT

Doug Marcello

WHY IT MATTERS:  Safety protects profits rather than draining them as the expense burden many erroneously believe it to be.

WHAT’S THE PROBLEM:  Too many view safety as just an expense.  A burden.  A drain.

The folks in finance who live and die by the P&L statements myopically see “safety” on the expense lines rather than what it is—an investment.

They look at money spent on safety as a hemorrhage of profits.  The result—safety expenditures are internally challenged.  They are shortsightedly cut to puff profits.

Like an owner-operator reducing maintenance during tough times.  Short term return, but a long term loss.

The reality is that reducing expenditures for effective safety programs can actually cost more off the bottom line.

I had a client with a $1 million deductible.  He would tell me that how his company did at year end depended on how I did in the courtroom.

WHAT IS THE REALITY:  Safety saves.  Lives.  Injuries.  And Money.

This is especially true in today’s world of trucking companies taking on risk to reduce the amount that their insurance will increase.  It’s their deductible.  Their “retention.”

The result is that companies pay for the first $X per accident up to the amount of their deductible.  Where does that money come from?  Off the bottom line.

Safety is an investment to prevent the incidents that drain revenue.  Prevent the “death by a thousand cuts” of the “costs of defense payments” made even when there is no fault or no injuries.

That starts with safety.  Investment in safety.  Investment in technology.  But also investment in a culture that puts safety above all else.

No compromise.  Safety compromises cost.

SUPPORTED BY STUDY:  ATRI issued its study on the issue, “The Rising Insurance Costs of the Trucking Industry.”  A key takeaway from the study is that premium is no longer the sole determination of costs. It is just the start.

Instead, the key is “Total Costs of Risk”—premium plus deductible payments plus safety investment.  And the result?

It found that, “Carriers that increased deductibles or [self-insured retention] levels as a strategy for lowering premiums successfully lowered out-of-pocket costs more often than other carriers...”

Eighty (80) percent of those that increased retention and deductibles decreased their MCMIS crash rates the following year.  “This counter-intuitive finding appears to result from a heightened awareness of increased liability and exposure that leads to increased safety investment.” (Emphasis added)

And how did they do it?  “As noted in the research, this likely requires a top-down emphasis on safety culture starting with the senior executives who authorize changes in coverage, deductibles and/or SIR levels.”

Further, ATRI recommends carriers “evaluate all costs associated with risk, including coverage, deductibles and/or SIR levels, financial and litigation liability exposure, safety technology investments, driver hiring and training, and out-of-pocket expenses.”

“Safety technology investments.”  That’s the perspective.

SAFETY IS “ANTI-REPTILIAN”:  Investment in safety is not just preventative.  It is also a proactive defense against a Reptilian attack.

The Reptile Theory isn’t about the accident.  Nuclear verdicts rarely, if ever, detonate because of the facts of the accident.

The Reptile lawyer preys upon “Systemic Failures”.  Things you do on an ongoing basis that can be levered to inflame the jury and explode a verdict.

Your “safety investment” deprives them of the explosive source.  The “systemic failure.”

Rather than reeling in the deposition to the Reptilian inquisition, you can respond, “I’m glad you asked that question.  Let me tell you about our safety program.”

BOTTOM LINE:  Safety profits.  Rather than a drain, safety keeps money on your bottom line.  And the bottom line is, well, the bottom line.

Why FMCSA keeps revoking ELDs, and how to tell if yours is next

Alex Lockie

The Federal Motor Carrier Safety Administration recently revoked three electronic logging devices in a two-week span (One Plus ELD, ELD ONE and Nationwide ELD). Now, an ELD service provider is speaking up about what he feels has changed — and possible signs your ELD could be next on the chopping block.

Mike Riegel, who owns Blue Ink Tech (provider of the BIT ELD), recently wrote this story outlining how the FMCSA goes about reviewing and revoking ELDs. Riegel believes the agency is currently “cracking down on ELD providers who sell products that don’t 100% align with the ELD mandate,” and notes that any time a driver is transferring their hours data to an inspector, the inspector is checking that not just the driver, but the ELD itself, is compliant.

If the inspection does find issues with the ELD provider’s data, that provider gets an email like the one below, received by Riegel.

Messages like this from the FMCSA go out to ELD providers citing issues in the technical parameters, and requesting fixes. Courtesy of Mike Riegel

It’s important to note that Blue Ink Tech itself isn’t at risk of falling out of compliance and having its ELD revoked. “When an ELD data transfer is found to have errors, the FMCSA technical team will highlight the errors and request a plan of action to fix the issues within 72 hours,” Riegel wrote. “If there is no reply to the email, it is likely that more attempts will be made to get a plan of action, and if nothing comes back the provider will be revoked.”

But if the ELD provider does get back with a plan of action, he added he feels “the FMCSA will be pretty lenient and allow the provider the time they need to take the corrective action.”

Riegel provided context for the email above in response to Overdrive queries. It directly followed a roadside inspection of “one of our ELD customers,” he said. “It looks like their system is getting more advanced at picking out items that do not align 100% with the mandate. Our issues were small, and about the length of notations for [records of duty status] and the resolution of the GPS data while on Personal Conveyance. I think this advancement of finding issues during roadside inspections could be why the FMCSA is able to crack down on more of the ELD providers that are not following the mandate.”

The FMCSA wouldn’t say outright if there’s any new crackdown underway, or some new methodology, but didn’t deny it either.

“FMCSA has been actively monitoring compliance of ELDs since the implementation of the rule,” said an FMCSA spokesperson. “Our investigative process has certainly evolved, resulting in more efficient and sophisticated methods of identifying ELD vendor compliance issues, as well as ELD misuse.”

Riegel is also correct that roadside stops play a role in finding issues with ELDs, but FMCSA Compliance Investigations staff’s in-person carrier audits and other reviews “also play a vitally important role in identifying potential ELD issues,” the FMCSA spokesperson added.

How to tell if your ELD will be revoked

The FMCSA’s complete technical standards, with which ELD providers must comply, are laid out in voluminous detail in regulation. The revocation process is laid out there, too, and it includes required notice by the agency to the provider, a time frame for response, and consequences that follow. You can find that process in the “Removal of Listed Certification” section at the previous link. For an owner-operator, determining whether or not a provider is 100% complying with technical standards might seem an impenetrable task, but Riegel laid out what he felt could be common signs that an ELD isn’t long for the FMCSA’s certified-device registry.

His first recommendation boils down to this: If it sounds too good to be true, it probably is.

If your ELD allows you to edit automatically recorded drive time, that’s never going to be compliant. “A common example of drive time editing is when a driver forgets to indicate Personal Use before moving their truck to a different parking spot. If you are able to edit that Driving status to PC or Off Duty, or if you are able to delete the status altogether, this should be cause for concern,” he wrote.

During the early days of the ELD mandate, the prior Automatic Onboard Recording Device standard did allow for editing automatically recorded drive time, though not by the driver. Under the AOBRD standard, those “back office” or administrator-account edits weren’t visible to roadside inspectors, either. The AOBRD grandfather period ended in late 2019, however, and under the current ELD standard, such drive-time edits are impossible. All edits otherwise, too, are visible at roadside with data transfer.

Other issues center around customer service and staying updated, in Riegel’s view. Poor technical support and customer issue resolution? Don’t expect that provider to be very responsive with timely communication to the FMCSA, either, in the event their compliance checks flag an issue. The ELD isn’t compatible with other APIs? Could be another bad sign that the ELD doesn’t play well with others, or might not be keeping up with the latest updates, wrote Riegel.

He also felt that “white-labeling,” when one company sells an ELD supported by another company’s technology, held potential to create barriers to timely updates. There’s nothing illegal about the practice of white labeling, of course. But if for instance the FMCSA reaches out to the original provider with an email like the one shown above, he felt the white-label version might miss the necessary updates to the original — opportunity for it, thus, to pop out of compliance.

Finally, he advised, it’s good practice to occasionally check in at the provider’s website for updates and timeliness. The FMCSA frequently reaches out to ELD providers to make updates. If the website feels like the lights are on but nobody’s home, it could be a sign that noncompliance looms just behind the next update.