By Linda Chiem
Law360, New York (January 17, 2018, 7:40 PM EST) — The D.C. Circuit’s finding that the U.S. Department of Transportation can be sued for mishandling safety citation records that potentially hurt truck drivers’ job prospects may expose the agency to fresh litigation and force it to better manage its information systems, experts say.
Now that two drivers in the Owner-Operator Independent Drivers Association Inc.’s suit can pursue claims that the Federal Motor Carrier Safety Administration failed to maintain accurate driver safety and accident data that is released to prospective employers, the agency will face heightened pressure to shore up how it manages the databases that commercial motor carriers rely on to vet drivers, according to industry observers.
Even though the D.C. Circuit’s Jan. 12 ruling dealt mostly with the FMCSA’s so-called Motor Carrier Management Information System database of trucker citations for state-law safety violations, experts say trucking companies will view it as a fresh tool to challenge the FMCSA’s controversial management of other databases.
“The facts underlying the decision illustrate, once again, that FMCSA has some distance to go in order to get its house in order,” said Marc S. Blubaugh, partner and co-chair of Benesch Friedlander Coplan & Aronoff LLP’s transportation and logistics group. “From a broad perspective, FMCSA does not inspire deep confidence in its information systems, whether MCMIS or otherwise.”
A notable recent example, according to Blubaugh, is the early December hack of the FMCSA’s National Registry of Certified Medical Examiners, which has been mostly down for the past month.
Commercial truck drivers rely on the online registry because they are required to get physical examinations every two years from a certified medical examiner. FMCSA said earlier this month that no driver or carrier information was compromised during the hack.
“FMCSA plainly needs to improve its cybersecurity program,” Blubaugh said. “A driver who concludes that his or her personal information was compromised as a result of this hack of the medical examiner registry will undoubtedly be heartened by last week’s OOIDA decision, which applies Spokeo in a less rigorous way than many other courts.”
The D.C. Circuit panel referenced the U.S. Supreme Court’s 2016 Spokeo ruling throughout its analysis of whether the drivers alleged enough actual harm to have standing to sue.
The two drivers whose claims were revived — Klint Mowrer and Fred Weaver Jr. — had their citations for safety violations included in the federal MCMIS database even though they had successfully challenged them in state court.
Their records, which weren’t updated to reflect the outcome of their court challenges, were shared through the DOT’s Pre-Employment Screening Program, which provides trucking employers with reports containing drivers’ crash data from the previous five years and inspection data from the previous three years.
Prasad Sharma, a partner with Scopelitis Garvin Light Hanson & Feary PC, told Law360 that the D.C. Circuit got it right in that the Supreme Court’s Spokeo ruling established a more nuanced bar for standing. Here, the two drivers whose inaccurate information was actually disseminated had standing.
But the mere retention of inaccurate information in a database without any imminent disclosure is not the type of concrete injury that confers standing, Sharma said.
“In this case, OOIDA was making the argument that the FMCSA has the duty to ensure the accuracy of the data in MCMIS, and the court agreed that Congress did impose that duty. But it did not give a private right of action,” Sharma said.
States primarily collect and report to the FMCSA the data that’s ultimately contained in the MCMIS, and are required to ensure that this data is “accurate, complete and timely motor carrier safety data,” but the DOT is ultimately responsible for “ensuring, to the maximum extent practical, all the data is complete, timely and accurate,” the drivers have maintained in court filings.
The information in MCMIS feeds into other agency databases, including the Safety Measurement System, or SMS, the agency’s rating system for scoring commercial motor carriers based on their on-road safety performance. Attorneys say it’s a controversial and statistically dubious scoring process that can end up penalizing motor carriers with low safety scores for accidents or road safety violations that might not even be their fault.
The D.C. Circuit decision offers a beacon of light not only for drivers but also for trucking companies, which have long criticized the DOT and FMCSA for providing only limited avenues to appeal or challenge safety records that can be outdated or inaccurate, according to Mark J. Andrews of Strasburger & Price LLP.
“The interesting thing the court seems to be saying, under certain circumstances, is there’s a private right of action for damages or injunctive relief if there’s dissemination of inaccurate information with regard to the safety performance of either a carrier or a driver,” Andrews told Law360. “The court goes into some detail on what it would take in terms of standing for such an action to prevail.”
Andrews said SMS data for carriers is disseminated much more widely and frequently than the data disseminated through the Pre-Employment Screening Program at the heart of this dispute. He explained that there is an entire cottage industry of consultants that mine SMS data to help shippers and brokers decide which motor carrier to use to haul goods.
“There could be a much bigger issue here, and I would expect that people will try to use this decision to extend the same standards to SMS,” Andrews said.
At the very least, the ruling shines a bright spotlight on the suite of FMCSA databases that feed its safety compliance and enforcement programs, and it will force the agency to bolster its procedures for managing and protecting drivers’ and motor carriers’ data.
“While I don’t profess to be an IT wizard, it nevertheless seems to me that reliably running some of these systems should be a cakewalk but is apparently a Herculean task for FMCSA,” Blubaugh said. “I am hopeful that the Department of Transportation will focus on shoring up existing information systems and practices before embarking on new adventures.”
–Editing by Philip Shea and Kelly Duncan.
All Content © 2003-2018, Portfolio Media, Inc.
By Michael Lasky
“These past two years have been particularly devastating for data security, with a number of well-publicized hacks, attacks, ransoms, and even extortion attempts. Millions of records have been stolen. Even with the risks well known, many millions of people continue to use weak, easily guessable passwords to protect their online information,” SplashData CEO Morgan Slain notes.
Here are the 25 worst passwords, by rank, with a note on whether each one’s position has changed since the 2016 list. You’ll note that numbers one and two are still the reigning champs.
Presenting SplashData’s “Worst Passwords of 2017”:
1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 2)
5 – 12345 (down 2)
6 – 123456789 (new)
7 – letmein (new)
8 – 1234567 (unchanged)
9 – football (down 4)
10 – iloveyou (new)
11 – admin (up 4)
12 – welcome (unchanged)
13 – monkey (new)
14 – login (down 3)
15 – abc123 (down 1)
16 – starwars (new)
17 – 123123 (new)
18 – dragon (up 1)
19 – passw0rd (down 1)
20 – master (up 1)
21 – hello (new)
22 – freedom (new)
23 – whatever (new)
24 – qazwsx (new)
25 – trustno1 (new)
And yours truly must confess to having tweaked a ridiculously simple password in the naïve belief that I was making it “more secure.” This password, which I no longer use, is #19 on the worst list: passw0rd.
Yeah, I figured – and so apparently did thousands of others – that changing the letter O in password to a zero would make it foolproof. (There is no proof to that assumption, and I apparently was the fool. Pun intended.)
So how did SplashData determine the worst passwords? It evaluated more than five million passwords leaked during the year and looked for patterns, ranking passwords by how many leaked accounts used them.
The company estimates that almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and about 3% have used the worst one of all, 123456.
Although only the top 25 are highlighted here, SplashData also publishes a full Top 100 Worst Passwords of 2017 list.
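To make the methodology concrete, here is an added example (my code, not SplashData’s, and not whatever produced the list above) that frequency-ranks a constructed dump of leaked passwords, measures what share of accounts the top 25 cover, and then reuses that top list as a blocklist for newly chosen passwords. The dump and its proportions are invented so that the numbers echo the 10% and 3% figures quoted above; the leet-speak substitution table is an assumption too. The blocklist check is the one NIST SP 800-63B recommends (compare a proposed password against commonly used ones), and the normalization step is exactly why swapping an O for a zero buys nothing.

```python
"""
Added example: frequency-rank a leaked-password dump, measure top-N coverage,
and use the top N as a blocklist. Not SplashData's code; the dump is constructed.
"""
from collections import Counter

# Constructed dump: one entry per leaked account (real dumps hold millions).
# Proportions are invented so that the top 25 cover 10% of accounts and
# 123456 alone covers 3%, echoing the figures SplashData reports.
LEAKED_DUMP = (
    ["123456"] * 30
    + ["password"] * 20
    + ["12345678"] * 12
    + ["qwerty"] * 10
    + ["passw0rd"] * 5
    + ["letmein"] * 4
    + [f"unique-{i}" for i in range(919)]  # 919 passwords each used once
)

# Digit/symbol-for-letter swaps people use to "strengthen" a word (assumed table).
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case and undo leet swaps, so passw0rd and P@$$word both become password."""
    return pw.lower().translate(LEET)


def rank_passwords(dump, top_n=25):
    """Most frequent passwords as [(password, count), ...], highest first."""
    return Counter(dump).most_common(top_n)


def coverage(dump, top_n=25) -> float:
    """Fraction of accounts whose password is one of the top_n entries."""
    hits = sum(count for _, count in rank_passwords(dump, top_n))
    return hits / len(dump)


def share(dump, pw: str) -> float:
    """Fraction of accounts using exactly pw."""
    return dump.count(pw) / len(dump)


def build_blocklist(dump, top_n=25):
    """Normalized top_n set; passw0rd and password collapse to one entry."""
    return {normalize(pw) for pw, _ in rank_passwords(dump, top_n)}


def is_blocklisted(candidate: str, blocklist) -> bool:
    """Reject a proposed password that matches a known-common one after
    normalization: the 'compare against commonly used passwords' check
    in NIST SP 800-63B, section 5.1.1.2."""
    return normalize(candidate) in blocklist


if __name__ == "__main__":
    for rank, (pw, count) in enumerate(rank_passwords(LEAKED_DUMP, 10), 1):
        print(f"{rank:2d} - {pw} ({count} accounts)")
    print(f"top 25 cover {coverage(LEAKED_DUMP):.1%} of accounts")
    print(f"123456 alone: {share(LEAKED_DUMP, '123456'):.1%}")
    bl = build_blocklist(LEAKED_DUMP)
    for cand in ("Passw0rd", "P@$$w0rd", "unique-900"):
        print(f"{cand!r}: {'rejected' if is_blocklisted(cand, bl) else 'ok'}")
```

Run it as a script to see the ranking, the coverage figures and three blocklist decisions. The point of `normalize` is that a site using this check rejects Passw0rd and P@$$w0rd for the same reason it rejects password: crackers apply the same substitutions in their rule sets, so the tweak does not enlarge the search.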
Tips on Transforming Bad Passwords into Good Ones
It’s all well and good that SplashData compiles an annual worst-passwords list that shows off our bad habits, but does it have any advice for changing our password behavior?
The company’s security experts offer three tips for safer passwords:
- Use passphrases of 12 characters or more, with a mix of upper- and lowercase letters, numbers and symbols.
- Use a different password for each website login. This is essential because if a hacker gets one password, they will try it on other sites.
- Use a password manager to organize passwords, generate random ones, and log in to websites automatically. The worst-passwords list may seem a tad self-serving, since SplashID, Gpass and TeamsID are SplashData’s own password-management apps, but there are now a slew of similar apps as well (see below), and using a password manager is justifiably good advice that also offers you convenience.
Wait a minute: 12-character passwords? That seems a bit much, and if that is the route we have to take to be safe, then password managers become essential, since they log in to websites for us instead of making us type 12 or more characters by hand.
And, yes, given the unnerving prospect of 12-character passphrases, or of a different shorter one at every site we visit, there are also a few password tricks for the memory-limited to get as far as signing in to a password manager. But first …
A Quick Guide to Password Managers
As Lance Whitney pointed out last March, “Password managers may not be the perfect solution, but they’re far better than the alternative of using simple passwords or using the same password at every website. Until the industry is able to offer a truly superior and secure website login method, password managers are your best bet.”
His review of the pros and cons of password managers covers four of the most popular apps: Dashlane, LastPass, 1Password and RoboForm. Add to this the aforementioned SplashID. While they all log you in to sites automatically, each has a host of extra features, such as saving credit card information and filling forms with addresses, phone numbers and other personal data. All are locked with one master password, the only one you have to remember, so keep a written copy somewhere physically secure just in case.
I have been devoted to LastPass for years on my PC and mobile devices, loading it in each of the browsers I use as an extension or plug-in.
If you are hesitant to sign on to yet another browser add-on, check out my August 1, 2017 coverage of Windows 10 password alternatives [link] which includes fingerprints, facial recognition, and for touchscreens, pattern drawing in lieu of a password.
Another Way to Create Easy to Remember Passwords
Speaking of patterns, here is a method for devising a different password for each site you visit that is easier to remember. Create a boilerplate phrase of about 10 mixed-case letters plus a symbol; you will use it as the beginning of each passphrase. Then, when you visit a website that requires a login, enter your boilerplate phrase and add three or four characters unique to that site, perhaps taken from the site’s name.
For example, say you are creating an account at bookstore.com. You would enter your boilerplate phrase, such as Sample$Coin, as the beginning of your password for this site and add three or four mnemonic characters unique to it, such as Book. So the password for bookstore.com would be Sample$CoinBook, and the only part of it unique to this site would be Book.
At Amazon.com it might become Sample$CoinAmaZ, or something like that. All you would need to remember is the AmaZ part, since the boilerplate beginning stays the same. Of course, if you then use a password manager, it will remember each of these and log you in automatically after the first time.
This method is a compromise, not a substitute for the unique random passwords a manager generates, and it only partly satisfies the rule against reusing or lightly altering a passphrase across sites. Against an attacker guessing blindly it holds up well: the boilerplate, with its mixed case and symbol, is long enough to resist brute force. Against an attacker who already holds one of these passwords it does not: sites get breached and their password databases leak, and anyone who sees Sample$CoinBook next to a bookstore.com account can spot the shared prefix and the site-name suffix and try Sample$CoinAmaZ, Sample$CoinAmaz and a handful of other variants at amazon.com. Treat it as a stopgap until a password manager is generating a truly unique password for every site, and start with your highest-value accounts.
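What that caveat means in practice, as an added example (my code, not the author’s method and not anyone’s cracking tool): given one password leaked from a breach at one site, and the assumption that its owner followed the prefix-plus-site-suffix rule, the code enumerates the handful of guesses an attacker would try at a second site, then contrasts that with the guess space of a random password of the kind the three tips above recommend a manager generate. The site names, the Sample$Coin prefix, the suffix-derivation rules and the 16-character length are assumptions made for the illustration.

```python
"""
Added example: how a leaked 'boilerplate + site suffix' password gives away
the same user's password elsewhere, versus a random generated password.
Sites, prefix and suffix rules are assumptions for illustration.
"""
import math
import secrets
import string


def suffix_guesses(site: str) -> set:
    """Suffixes a cracker would derive from a site name: the first 3, 4 or 5
    letters of the domain label in the capitalizations people actually use,
    including the trailing-capital style (BooK, AmaZ) from the text above."""
    label = site.split(".")[0]
    guesses = set()
    for n in (3, 4, 5):
        s = label[:n]
        guesses.update({s.lower(), s.upper(), s.capitalize(),
                        s[:-1].capitalize() + s[-1].upper()})
    return guesses


def derive_candidates(leaked_pw: str, leaked_site: str, target_site: str) -> set:
    """Assume leaked_pw = boilerplate + suffix(leaked_site). Strip every
    suffix that fits, keep the remainder as the boilerplate, and append each
    suffix guess for target_site."""
    candidates = set()
    for suffix in suffix_guesses(leaked_site):
        if leaked_pw.lower().endswith(suffix.lower()):
            boilerplate = leaked_pw[: len(leaked_pw) - len(suffix)]
            for t in suffix_guesses(target_site):
                candidates.add(boilerplate + t)
    return candidates


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def random_password(length: int = 16) -> str:
    """What a password manager does: draw uniformly from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of equally likely passwords an attacker must try."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    leaked = "Sample$CoinBook"  # assumed to have appeared in a bookstore.com dump
    guesses = derive_candidates(leaked, "bookstore.com", "amazon.com")
    print(f"{len(guesses)} guesses for amazon.com, e.g. {sorted(guesses)[:4]}")
    print("real amazon password guessed:", "Sample$CoinAmaZ" in guesses)
    print(f"that is about {math.log2(len(guesses)):.1f} bits of work")
    print(f"random 16-char password: {random_password()} "
          f"({guess_space_bits(len(ALPHABET), 16):.0f} bits)")
```

A dozen guesses is well inside the login attempts most sites allow before locking an account, so the attacker never needs to crack anything; the random 16-character password, by contrast, sits in a space of roughly 2^105 equally likely strings, and a leak of it reveals nothing about the user’s other passwords.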
Of course, for banking and health accounts, enabling two-factor authentication, as Google does for its accounts, is the safest routine. You enter your password and then receive a text or voice message with a one-time code to complete the login. Text is best for cellphones and voice for landlines. Where a site offers it, an authenticator app or a hardware security key is stronger still, because a texted code can be intercepted by an attacker who talks the carrier into moving your phone number to a SIM they control; but any second factor beats a password alone.
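The one-time-code step, as an added example of what the site has to do on its side (my code; not Google’s implementation, nor any bank’s): a code is random, stored only as a keyed hash, valid for a few minutes, accepted exactly once, and abandoned after a few wrong guesses. The `OneTimeCodes` class, the server key, the user names, the six-digit length and the injectable clock are all assumptions for the illustration; the same logic applies whether the code travels by text, voice or an authenticator app.

```python
"""
Added example: server-side handling of a texted or spoken one-time code.
Not Google's or any provider's code. Key, users and clock are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is good for five minutes
MAX_ATTEMPTS = 5         # then the user must request a new one


class OneTimeCodes:
    """Issues random numeric codes and verifies them once, within a window,
    with a bounded number of wrong guesses per code."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key   # keyed hash: a dumped table alone is useless
        self._clock = clock      # injectable so expiry can be tested offline
        self._pending = {}       # user -> (digest, expires_at, attempts_left)

    def _digest(self, user: str, code: str) -> bytes:
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a code for user and return it for delivery by SMS or voice.
        Only its keyed hash is stored; re-issuing replaces any pending code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user: str, code: str) -> bool:
        """True exactly once, for the right code, inside the window."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]             # expired: force a fresh code
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]             # single use
            return True
        attempts_left -= 1                      # constant-time compare failed
        if attempts_left == 0:
            del self._pending[user]             # too many wrong guesses
        else:
            self._pending[user] = (digest, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    otc = OneTimeCodes(b"assumed-server-secret")
    code = otc.issue("alice")
    print("would text alice:", code)
    print("wrong guess accepted?", otc.verify("alice", "000000") if code != "000000" else False)
    print("right code accepted?", otc.verify("alice", code))
    print("same code again?", otc.verify("alice", code))
```

The attempt limit matters as much as the randomness: six digits is only a million possibilities, so a server that let an attacker try codes without bound would be brute-forced in minutes.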
To end with a laugh, I love repeating the advice offered by Mad Magazine. How about making your password Password Incorrect. If anyone tried to break into your account they will keep getting a Password Incorrect message.