Last updated 2026-07-09

TL;DR
A security incident report documents any workplace security event, from theft and vandalism to physical assaults on workers. OSHA requires employers to record work-related assaults that cause days away, restricted work, or medical treatment beyond first aid on the OSHA 300 log under 29 CFR 1904. Write the report within 24 hours, stick to facts, and keep it for five years.
What is a security incident report?
A security incident report is a written record of any event that threatened the safety, property, or operations of a workplace. That covers a lot: an employee assaulted by a customer, a break-in after hours, a credible threat over the phone, unauthorized access to a restricted area, or an active-aggressor situation.
The document does two jobs. First, it gives you a factual timeline you can hand to law enforcement, an insurer, or an attorney without reconstructing events from memory three months later. Second, it feeds your OSHA recordkeeping when the event causes a work-related injury or illness.
Do not confuse it with a general incident report. A general incident report covers injuries, near-misses, and equipment damage. A security incident report focuses on intentional or criminal acts, plus the safety fallout that follows. One event can require both. A worker hurt during a robbery needs a security incident report and, separately, an entry on the OSHA 300 log if the injury meets recordkeeping thresholds.
Small businesses get this wrong constantly. They treat the police report as enough. It is not. The police report documents what law enforcement investigated. Your internal report documents what your business experienced, which controls failed, and what you are doing to keep it from happening again.
When does OSHA require you to record a security-related injury?
OSHA's recordkeeping rule is 29 CFR Part 1904 [1]. It applies to employers with 11 or more employees in industries that are not on OSHA's partially-exempt list. If you meet that threshold, any work-related injury or illness goes on the OSHA 300 log when it causes days away from work, restricted duty, job transfer, loss of consciousness, or medical treatment beyond first aid.
Workplace violence is work-related when it happens in the work environment. OSHA's recordkeeping guidance states: "If an employee is injured as a result of workplace violence and the case meets one or more of the general recording criteria, the case must be recorded." [1]
The Bureau of Labor Statistics reported 392 workplace homicides and 37,060 workplace violence injuries requiring days away from work in 2020, the most recent year with complete data [2]. Tens of thousands of security-related events generate OSHA recordable cases every year, and many happen at small businesses.
Here is what actually triggers OSHA recordability after a security incident:
- Employee assaulted by a customer, coworker, or stranger who then needs stitches, X-rays, prescription medication, or loses a day of work: recordable.
- Employee develops a diagnosed anxiety disorder directly traceable to a threatening workplace event: recordable as an illness.
- Robbery leaves an employee with a sprained wrist treated with over-the-counter ibuprofen, and the employee returns to full duty the next day: not recordable (first aid only).
Sexual assault at work follows the same rule. If the injury or illness meets the general recording criteria, it goes on the 300 log.
Workplace homicides work differently. Any work-related fatality must be reported to OSHA by phone or online within 8 hours, no matter your company size or industry exemption [1]. That reporting obligation is separate from the 300 log entry.
What are the required elements of a security incident report?
There is no single OSHA form built for security incidents. OSHA Form 301 covers injury and illness detail [10], but a security incident report is broader. Here is what a defensible report needs.
Incident identification block Date, time, and exact location. Incident report number (your internal numbering). Name of the person completing the report and their title.
Who was involved Full names, job titles, and contact information for every employee involved. If an outsider (customer, contractor, stranger) was involved, describe them with as much detail as you have. Do not guess at identity. Write what you observed.
Narrative description A plain, chronological account of what happened. Stick to facts you can verify. "Employee reported that at approximately 2:15 p.m., a man entered through the rear door" is correct. "The attacker had been watching the store for days" is not, unless you have evidence.
Physical evidence and witnesses List every piece of physical evidence: surveillance footage file names and timestamps, photos taken, items removed or damaged. Name all witnesses. Collect their statements separately.
Injuries or medical treatment Describe any injuries observed. List treatment provided on-site. Note if the employee went to a clinic or emergency room.
Security control failures This is the section most small businesses skip. Which controls were in place? Which ones failed or were missing? A lock that was broken. A camera with a blocked view. A policy against working alone that nobody was following.
Immediate corrective actions What did you do in the first 24 hours? Changed locks, disabled a key card, called law enforcement, sent a safety alert to staff.
Follow-up actions and responsible party Longer-term fixes. Who owns each item and by what date.
Keep the finished report for at least five years. OSHA 300 logs and 301 forms carry a five-year retention requirement under 29 CFR 1904.33 [1]. Match your security report retention to that same clock so the records stay together.
How do workplace violence prevention requirements connect to security incident reporting?
OSHA has no standalone workplace violence standard for most industries. It enforces workplace violence prevention under the General Duty Clause, Section 5(a)(1) of the OSH Act, which requires employers to provide a workplace free from recognized hazards likely to cause death or serious physical harm [3].
For healthcare and social assistance employers, OSHA has issued enforcement guidance through its Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers [4]. California went further. It became the first state to enact a workplace violence prevention standard for healthcare (effective 2024) and now enforces SB 553, which requires almost all California employers to have a written Workplace Violence Prevention Plan by July 1, 2024 [5].
The link to incident reporting is direct. A written Workplace Violence Prevention Plan, whether your state requires it or you adopt it voluntarily, must include a procedure for reporting incidents and near-misses. OSHA's healthcare guidelines say employers should "create and maintain a log of incidents to assess the nature and magnitude of workplace violence" [4].
If your business sits in a state with its own OSHA plan (there are 22 state plan states plus two covering only state and local government workers), check your state's specific requirements [6]. Some state plans go past federal OSHA. Washington State's WISHA, for one, has detailed recordkeeping rules for certain healthcare settings.
Here is the practical takeaway for most non-healthcare small businesses. Even without a specific standard, OSHA can cite you under the General Duty Clause if you had a pattern of violent incidents and did nothing. Your security incident reports are the evidence trail. They show you recognized the hazard and acted, or they show you did not.
What industries face the highest workplace violence risk?
The BLS data tells a consistent story. A handful of industries account for most workplace violence injuries. Knowing where your industry lands tells you how hard you need to build out your security incident reporting.
| Industry | Violent injuries per 10,000 workers (2020 BLS data) | Notes |
|---|---|---|
| Psychiatric hospitals | 290+ | Highest rate of any subsector [2] |
| Residential care facilities | 80-100 | Direct care workers [2] |
| Emergency departments | 70-90 | Patient-on-worker violence [2] |
| Convenience stores | ~15-20 | Robbery risk; late-night hours [2] |
| Taxicabs and ride-share | ~10-15 | Solo worker, cash handling [2] |
| Security services | ~8-12 | Job function exposes workers [2] |
| All private industry average | ~2 | Baseline for comparison [2] |
These ranges come from BLS Survey of Occupational Injuries and Illnesses and BLS Census of Fatal Occupational Injuries data for 2020 [2]. Rates shift year to year, so treat these as order-of-magnitude comparisons.
If you run a healthcare setting, a retail store, or any operation with late-night hours and cash on hand, a strong security incident reporting procedure is not paperwork overhead. It is the difference between catching a dangerous pattern early and reading about it in an OSHA citation.
Retail owners underreport all the time because they file shoplifting as inventory loss, not as a security incident. If a shoplifting confrontation ends with an employee getting shoved, hit, or threatened with a weapon, that is a security incident. If the employee misses work or gets medical care, it is recordable.
How do you write a security incident narrative that holds up legally?
The narrative section gets subpoenaed. OSHA compliance officers read it. Plaintiff attorneys read it. Write it accordingly.
Four rules will save you.
Rule 1: Facts, not conclusions. "Employee stated she was struck in the left arm" is a fact. "Employee was attacked" is a conclusion. Write what people observed and stated, not what you infer.
Rule 2: Attribute everything. "According to witness Jane Smith, the man entered through the back door at approximately 2:10 p.m." The attribution tells the reader where the information came from and how much to trust it.
Rule 3: Skip the blame language. "The employee failed to lock the door" creates liability. "The rear door was found unlocked" is neutral and just as accurate. You can dig into causes in a separate root-cause analysis. Keep the incident report narrative descriptive.
Rule 4: Finish it within 24 hours. Memory degrades fast. A report written the next morning beats one written a week later by a mile. Make 24 hours your firm internal deadline.
A common mistake is folding the incident report and the corrective action plan into one document. Keep them separate. The incident report is a factual record. The corrective action plan is your operational response. Mixing them creates a document full of both facts and opinions, which is harder to use in either a legal or an operational setting.
Some employers stamp security incident reports "attorney-client privileged" or "prepared in anticipation of litigation." That can shield certain investigative documents from discovery, but it requires actual legal counsel involvement. Do not slap a privilege header on a document and hope it sticks. Talk to your attorney first.
What is the difference between a security incident report and an OSHA 301 form?
These are two different documents that sometimes cover the same event.
OSHA Form 301 (Injury and Illness Incident Report) is required for every OSHA recordable case [10]. It captures the employee's name and job title, date of injury, where the event happened, what the employee was doing, how the injury happened, the nature of the injury, and the body part affected. OSHA offers Form 301 as a free download, and employers can use equivalent forms that capture the same information.
A security incident report is broader. It covers events whether or not anyone was hurt. A bomb threat that ends in a building evacuation with no injuries still needs a security incident report. A theft with no employee contact still needs one for insurance and law enforcement. The security report also documents physical evidence, control failures, and prevention follow-up, which Form 301 does not touch.
When a security event causes a recordable injury, you need both. The OSHA 301 goes into your recordkeeping file. The security incident report stays in your security files and may go to law enforcement and your insurer.
One practical note. OSHA 300 and 301 records must be kept for five years and made available to current and former employees, their representatives, and OSHA on request [1]. Your security incident reports are separate documents and are not automatically subject to that same employee-access rule, though other legal processes may require you to produce them.
How should small businesses set up a security incident reporting system?
You do not need expensive software. You need a defined process your people will actually follow at 2 a.m. when something goes wrong.
Start with a paper or fillable-PDF template. Put it somewhere every manager can find it in 30 seconds. Physically posted in the manager's office, not buried in a shared drive folder nobody has bookmarked.
Define who reports. Any employee who witnesses or is involved in a security incident should be able to start a report. The manager on duty completes it. You, the owner, review it within 24 hours.
Define what triggers a report. Be specific. Our recommended minimum list:
- Any physical assault or credible threat of assault against an employee
- Any robbery, burglary, or theft involving employee contact
- Any unauthorized access to restricted areas
- Any weapon seen on premises (used or not)
- Any incident requiring police response
- Any bomb threat, even an obvious prank
- Near-misses where any of the above were narrowly avoided
Build in a law enforcement coordination step. Your report should note the police report number, the name of the responding officer, and the case number. That links your internal records to the official investigation.
If you need to build a written safety program that includes workplace violence prevention and incident reporting procedures, a tool like SafetyFolio can generate a full program in about 15 minutes instead of starting from a blank page.
Review your security incident reports quarterly. Look for patterns. Three reports tied to the same employee entrance in six months tells you something about that entrance. Two incidents in the same shift window points to a staffing or lighting problem. The whole point of keeping records is to catch patterns before they turn into tragedies.
Businesses that run hazard communication programs or have workers doing lockout tagout procedures already know this structure: a written procedure, training, documentation of incidents. Security incident reporting follows the same discipline.
How long do you have to file a security incident report, and who gets a copy?
There is no universal federal deadline for the internal security incident report itself. OSHA's recordkeeping rules say you must record a qualifying injury or illness on the OSHA 300 log within seven calendar days of learning about the case [1]. That seven-day rule is for the 300 log, not your internal security report. Complete the internal report within 24 hours while the facts are fresh.
For workplace fatalities or hospitalizations that trigger OSHA's reporting requirement, the clocks are:
- Fatality: report to OSHA within 8 hours [1]
- In-patient hospitalization of one or more workers: report within 24 hours [1]
- Amputation or loss of an eye: report within 24 hours [1]
For these, you call OSHA's 24-hour hotline (1-800-321-OSHA) or report online at osha.gov.
Who gets a copy of the security incident report? Here is a working distribution list for most small businesses:
- Your file (the original, kept five-plus years)
- Your general liability and workers' compensation insurer (required for any claim)
- Law enforcement (on request, with your attorney's sign-off if the matter is complex)
- OSHA (if they request it during an inspection; you generally must hand over records relevant to an investigation)
- The employee involved (some states give employees rights to their own incident records; check your state)
Do not post security incident reports where other employees can read them. They often contain personal information and details about your security vulnerabilities. Treat them as confidential business records.
What should a security incident report template look like?
A template you will actually use beats a thorough one nobody completes. Here is a structure that works for small businesses.
SECURITY INCIDENT REPORT TEMPLATE
| Field | Details |
|---|---|
| Report number | (your internal numbering) |
| Date of incident | |
| Time of incident | |
| Exact location | |
| Date report completed | |
| Completed by (name, title) | |
| Type of incident | Assault / Theft / Threat / Unauthorized access / Other |
| Was law enforcement contacted? | Yes / No / Pending |
| Police report number |
Persons involved
- Employee(s): name, job title, contact
- Other parties: description (name if known, otherwise physical description)
- Witnesses: names and contact information
Narrative (facts only, chronological) (Five to ten sentences minimum; use additional pages if needed)
Injuries or medical treatment
- Injuries observed:
- Treatment provided on-site:
- Referred to clinic/ER? Yes / No
- Meets OSHA recordability criteria? Yes / No / Under review
Physical evidence
- Surveillance footage retained? Yes / No (file name/timestamp:)
- Photos taken? Yes / No
- Items involved:
Security control assessment
- Controls in place at time of incident:
- Controls that failed or were absent:
Immediate corrective actions taken
Follow-up actions (owner, deadline)
Supervisor signature and date Reviewer signature and date
Keep this as a fillable PDF, a printed pad in the manager's office, or a short form in your safety management system. The format matters less than the habit of completing it every time.
For a full written incident report system that handles general workplace injuries alongside security-specific events, set up OSHA's Form 301 and your security template to share the same filing system so nothing slips through the cracks.
What are the consequences of not documenting security incidents?
Weak security incident reporting hurts a small business four ways.
OSHA penalties. Failing to record a qualifying injury on the OSHA 300 log is a recordkeeping violation. As of 2024, OSHA's penalty for serious violations can reach $16,131 per violation, and willful or repeated violations can reach $161,323 per violation [7]. OSHA has adjusted these figures annually for inflation since the 2016 inflation-adjustment amendments. A pattern of unrecorded workplace violence injuries is exactly what shows up during a programmed inspection.
Workers' compensation disputes. If an injured employee files a workers' comp claim and you have no documentation, you have almost no factual basis to contest any detail. The employee's account becomes the only account.
Civil liability. If a violent incident repeats and an employee is seriously hurt, the absence of prior incident reports can feed a negligence argument. You knew or should have known about the hazard (the earlier incidents you never documented) and failed to act.
Inability to spot patterns. This one is underappreciated. Businesses with no records cannot see trends. If three different employees have been threatened in the parking lot over eight months and nobody reported it, you have no way to know that lot needs better lighting or a camera.
The business that keeps thorough records is the same business that can say, in a legal proceeding or an OSHA inspection, "here is what we knew, here is when we knew it, and here is what we did about it." That is the strongest position a small business can hold.
Does cybersecurity count as a security incident for OSHA purposes?
Short answer: a cybersecurity breach does not, on its own, create an OSHA recordkeeping obligation. OSHA's recordkeeping rules cover physical injuries and illnesses to workers, not data or systems [1].
A cyber incident can still trigger OSHA-relevant consequences. If a ransomware attack causes a manufacturing plant to lose control of a process and a worker is injured, that injury is recordable. If employees suffer clinically diagnosed psychological harm (stress-related illness) directly and primarily caused by a documented cyber event, that illness could in theory be recordable, though this is a gray area OSHA has not addressed head-on.
For most small businesses, cybersecurity incident reports live in a different system than workplace safety reports. Cyber incidents fall under state breach notification laws and, in some sectors, federal rules (HIPAA for healthcare, the FTC Safeguards Rule for financial businesses). Those sit outside OSHA's scope.
The practical guidance: keep cybersecurity incident reports in your IT security files. Keep physical security and workplace violence incident reports in your OSHA-adjacent safety records. Different documents, different purposes. If a cyber incident ever causes a physical workplace safety consequence, document it in both systems.
To understand the OSHA landscape before building these programs, the osha training resources at OSHA.gov are free and cover both recordkeeping requirements and the General Duty Clause in plain language.
What OSHA standards or guidelines apply specifically to workplace violence prevention?
There is no single 29 CFR standard titled "workplace violence" for general industry. OSHA enforces through a few mechanisms.
General Duty Clause (Section 5(a)(1) of the OSH Act [3]). OSHA cites employers under this clause for failing to address recognized workplace violence hazards. To sustain a citation, OSHA must show the employer recognized the hazard, the hazard was causing or likely to cause death or serious harm, and a feasible means existed to reduce it.
OSHA's voluntary guidelines. OSHA has published industry-specific guidelines. They are not enforceable standards, but they help define what a "recognized hazard" means:
- Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers [4]
- Recommendations for Workplace Violence Prevention Programs in Late-Night Retail Establishments [8]
State standards. California's SB 553 (effective July 1, 2024) requires most California employers with 10 or more employees to have a written Workplace Violence Prevention Plan, train workers, and keep a violent incident log [5]. Several other states are watching California's approach.
OSHA's recordkeeping standard (29 CFR Part 1904 [1]). This is where the documentation requirement lives for recorded injuries from violent incidents.
For employers in osha-covered industries who want to know exactly which rules apply, OSHA's compliance assistance specialists (reach them through your regional OSHA office) can walk you through the applicable standards without triggering an inspection. That is a legitimate and underused resource.
For a full picture of how OSHA operates, including how citations happen and what enforcement looks like, the SafetyFolio osha overview covers the basics in plain terms.
Frequently asked questions
Is a security incident report the same as an OSHA 300 log entry?
No. The OSHA 300 log is a required recordkeeping form for work-related injuries and illnesses under 29 CFR Part 1904. A security incident report is a broader internal document that captures facts about any security event, including ones where no one was injured. When a security event causes a recordable injury, you need both: an OSHA 300 log entry and a separate security incident report.
Does OSHA require businesses to have a written workplace violence prevention program?
Federal OSHA does not require a written workplace violence prevention program for most private employers. California's SB 553 (effective July 1, 2024) does require one for most employers in that state. Federal OSHA can still cite employers under the General Duty Clause if they fail to address recognized workplace violence hazards, so a written program is strong evidence you took the hazard seriously.
How long do you have to complete a security incident report after an event?
There is no federal deadline for the internal security incident report itself. Best practice is within 24 hours while memories are accurate. For OSHA recordkeeping, any qualifying injury must be entered on the OSHA 300 log within seven calendar days of learning about it. A workplace fatality must be reported to OSHA within 8 hours; a work-related hospitalization, amputation, or eye loss within 24 hours.
Can employees see their own security incident reports?
Employees have a right to see their own OSHA 301 Injury and Illness Incident Report forms under 29 CFR 1904.35. A separate security incident report is an internal business record, and employee access rights vary by state. Some states give employees the right to review records related to their own incidents. Check your state law and consult an attorney if an employee requests their security report.
What if the person who caused the security incident was an employee, not an outsider?
Document it the same way: facts, chronology, witnesses, evidence. If a coworker assault causes a recordable injury, it goes on the OSHA 300 log like any other work-related injury. You will also likely have HR and possibly criminal processes running in parallel. Keep those records separate from the OSHA safety records, and consult employment counsel before any disciplinary action to avoid retaliation claims.
Do small businesses with fewer than 10 employees need to file security incident reports?
Small businesses with 10 or fewer employees are exempt from OSHA's routine 300 log recordkeeping under 29 CFR 1904.1. They must still report fatalities and hospitalizations to OSHA, and the General Duty Clause applies regardless of size. Keeping internal security incident reports is still smart for insurance, legal protection, and spotting patterns, even when you are exempt from the 300 log.
Should a near-miss security event get a report even if nothing happened?
Yes. Near-miss reporting is one of the most valuable things you can do. A near-miss is a warning that your controls almost failed. OSHA's voluntary guidelines for workplace violence prevention specifically recommend logging near-misses. A threat that did not lead to contact, a stopped attempted entry, a verbal confrontation that de-escalated: all belong in your incident log so you can spot patterns before someone gets hurt.
What should you do if an employee refuses to file a security incident report?
You cannot force an employee to cooperate, but you can document the event yourself from what you observed and what other witnesses reported. Note in the report that the involved employee declined to give a statement. Never retaliate against an employee who reports or declines to report; retaliation is a separate OSHA violation under Section 11(c) of the OSH Act. Bring in employment counsel if the refusal is part of a larger dispute.
Does a customer assault on an employee count as a workplace injury for OSHA purposes?
Yes. If a customer physically assaults an employee and the injury meets OSHA's recording criteria (days away from work, restricted duty, medical treatment beyond first aid, loss of consciousness, or diagnosis of a significant injury), it is recordable on the OSHA 300 log regardless of who caused it. The test is whether the injury is work-related, and an assault during work hours at the work location qualifies.
What is the OSHA penalty for not recording a workplace violence injury?
As of 2024, OSHA can issue penalties up to $16,131 per serious violation for recordkeeping failures, and up to $161,323 per violation for willful or repeated violations. Penalties are adjusted annually for inflation. OSHA can also cite each individual unrecorded case, so a pattern of non-recording at a single site can add up to a substantial total penalty.
Can security incident reports be used against you in court?
Yes. Internal documents, including security incident reports, are generally discoverable in civil litigation and can be subpoenaed. That is actually an argument for writing accurate, factual reports rather than vague or self-serving ones. A thorough report that shows you identified a hazard and took corrective action is far more defensible than one that tries to minimize what happened, which can look like concealment.
What industries are most commonly cited by OSHA for workplace violence violations?
Healthcare, social assistance, and late-night retail see the most OSHA enforcement activity related to workplace violence. OSHA has issued significant citations under the General Duty Clause to hospitals and residential care facilities for failing to address patient-on-worker violence. Retail establishments, especially those open late at night with single employees, have also been cited for inadequate anti-robbery controls.
Is a verbal threat a reportable security incident?
A verbal threat alone, with no resulting physical injury, is not OSHA-recordable as an injury or illness. But it belongs in your internal security incident report system without question. Verbal threats often come before physical violence, and documenting them builds the evidence base for a hazard assessment. If a threat causes a clinically diagnosed psychological illness (like an acute stress disorder), that illness could become OSHA-recordable.
How do you handle security incident reports for remote or work-from-home employees?
Work-related injuries at a home office are recordable under 29 CFR 1904 if they meet the general criteria, but OSHA limits this: an injury is work-related at a home office only if it happens while performing work tasks. A home invasion that injures a remote worker during work hours is a gray area OSHA has not settled. Document it, consult counsel, and make a reasonable recordability determination based on the facts.
Sources
- OSHA, Recordkeeping Rule (29 CFR Part 1904): OSHA recordkeeping requirements including 300 log, 301 form, seven-day recording deadline, five-year retention, fatality/hospitalization reporting timelines, and employee access rights
- Bureau of Labor Statistics, Census of Fatal Occupational Injuries and Survey of Occupational Injuries and Illnesses, 2020: 392 workplace homicides and 37,060 workplace violence injuries requiring days away from work in 2020; industry-specific violence rates for healthcare, retail, and other sectors
- OSHA, OSH Act Section 5(a)(1) General Duty Clause: Employers must provide a workplace free from recognized hazards likely to cause death or serious physical harm; basis for workplace violence enforcement
- OSHA, Guidelines for Preventing Workplace Violence for Healthcare and Social Service Workers (OSHA 3148): OSHA recommends employers create and maintain a log of incidents to assess the nature and magnitude of workplace violence; sector-specific guidance for healthcare and social services
- OSHA, State Plans: 22 state plan states plus two covering only state and local government workers have their own OSHA-approved plans that may exceed federal requirements
- OSHA, Penalties (adjusted under Federal Civil Penalties Inflation Adjustment Act): As of 2024, OSHA serious violation penalties up to $16,131 per violation; willful or repeated violations up to $161,323 per violation
- OSHA, Recommendations for Workplace Violence Prevention Programs in Late-Night Retail Establishments (OSHA 3153): OSHA voluntary guidance for late-night retail establishments on workplace violence prevention including reporting procedures
- OSHA, Injury and Illness Recordkeeping Forms (300, 300A, 301): OSHA Form 301 is required for every recordable case; equivalent forms may be used if they capture the same information; forms available as free downloads