Those of you familiar with safety management systems know that one of the four so-called pillars of SMS is safety promotion. (For those not familiar with SMS, the other three pillars are safety policy, safety risk management, and safety assurance.) As one of the critical components of any SMS program, safety promotion includes communicating to relevant employees information necessary for them to do their jobs safely.
While the FAA’s SMS rule currently applies only to Part 121 air carriers, many aviation companies—especially Part 135 air carriers that fly to Europe—have adopted SMS programs because of the safety benefits and because such programs frequently result in cost savings by reducing or eliminating the costs of incidents and accidents, including injuries to employees and damage to property. The FAA’s rule—Federal Aviation Regulation Part 5 (https://ecfr.io/Title-14/pt14.1.5)—includes “safety communication” as a component of its safety promotion requirement. The rule includes the following requirement, among others: “The [air carrier] must develop and maintain means for communicating safety information that, at a minimum…conveys hazard information relevant to the employee’s responsibilities.” The rule does not define the word “conveys,” so we can assume its ordinary dictionary definition, one synonym being “communicate.”
But is it really enough to just “communicate”? Or should we be including a requirement to ensure that your message is read, understood—and most importantly—acted upon appropriately? I have been a long-time proponent of safety management systems and have co-authored three textbooks on the subject. But even being immersed in the subject, I sometimes struggle with how to accomplish some of the most basic tenets of an SMS program—in this case, safety communication. Sure, it’s easy to give employees information, but harder to ensure that they receive and act appropriately on it. Especially in the age of email, texts and other electronic means of sending messages, you can reach a worldwide group of employees in seconds. But have you successfully communicated? One of my pet peeves when I was a Member of the National Transportation Safety Board was asking an employee if something was successfully accomplished and hearing the response, “Yes, I sent him an email.”
I’m pondering all this because of an interesting podcast I’ve been listening to called Breach (https://www.carbonite.com/podcasts/breach/), which looks at some of the world’s biggest data breaches. Cybersecurity is not only a critical privacy and national security issue, but I also see it as having implications for the safety of our transportation system. The podcast examines how several major data breaches occurred and includes interviews with cybersecurity experts at the U.S. General Accountability Office or GAO—Congress’s investigative agency—regarding the major breach two years ago at the credit reporting company, Equifax. I was particularly struck by the analysis of what led to the Equifax breach, because it has such implications for aviation’s communication of critical safety information. I decided to dig deeper and review the GAO’s report.
A short recap of the Equifax breach (https://www.gao.gov/products/GAO-18-559): “In March 2017, unidentified individuals discovered the presence of a known vulnerability in software running on Equifax’s online dispute portal that could be used to obtain access to the system. In May of that year, attackers exploited the vulnerability and began to extract data containing PII [personally identifiable information] from Equifax’s information systems.” The breach “resulted in the compromise of records containing the PII of at least 145.5 million consumers in the U.S. and nearly 1 million consumers outside of the U.S.”
I highlight the words “known vulnerability” because Equifax had been informed by a little-known agency within the Department of Homeland Security—the U.S. Computer Emergency Readiness Team (US-CERT)—that a vulnerability in certain software had been discovered. The mission of US-CERT is to catalog vulnerabilities and disseminate them to government agencies and the public so they can be addressed. Of course, disseminating them to the public means hackers also become aware of the vulnerabilities, so companies have to act fast when they’re notified of a problem.
According to the GAO, Equifax did act quickly on the information it received and sent out an email to some 430 employees with information on the software vulnerability and the patch to be applied. “According to Equifax officials, the [software] vulnerability was not properly identified as being present on the online dispute portal when patches for the vulnerability were being installed throughout the company. After receiving a notice of the vulnerability from the United States Computer Emergency Readiness Team in March 2017, Equifax officials stated that they circulated the notice among their systems administrators. However, the recipient list for the notice was out-of-date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch.”
So, basically, 145.5 million people had their identities put at risk of being stolen because an Equifax email list of system administrators had not been updated! In addition, it appears that Equifax did not have a system for ensuring that mandatory patches were actually applied—in other words, ensuring that an email sent to hundreds of people responsible for protecting the private information of hundreds of millions of people had been properly acted upon.
So, the moral of the story here is, if it can happen to Equifax, it can happen to any one of us who sends important safety messages out into the ether and expects them to be read, understood and acted upon. This is true whether the message goes to one person or to hundreds or even thousands.
Of course, I’m not suggesting that we stop using electronic means of communication. And I’m certainly not suggesting resorting to word of mouth – the game of telephone comes to mind. But I am suggesting that for every critical safety email or other electronic message sent, there be a system for verifying that it was received by the correct people and properly acted upon.