Date posted: 21-Jul-2015
Category: Technology
Uploaded by: brynneashton
Prepared for the ALA by:
CHARLIE BERNIER, Esquire
CEBernier@ecbm.com
Ph: 610-304-6553
www.ecbmlegal.com
HIPAA has been around since 1996. Why are we discussing this?
Omnibus Final Rule: went into effect September 23, 2013.
Though the legislation has been around since 1996, the law now applies to law firms working on behalf of Covered Entities, Business Associates of law firms, AND vendors/subcontractors of law firms.
Law firms must now comply with the following rules:
1. Security Rule
2. Privacy Rule
3. Breach Notification Rule
What information are we protecting?
Protected Health Information
The main purpose of the new HIPAA Omnibus Rule is protection of Protected Health Information.
Protected Health Information (PHI) is anything that can reasonably be used to identify an individual.
Law firms, as Business Associates, are subject to HIPAA requirements in order to protect this health information from data breaches.
Who is responsible for protecting this information?
What is a Covered Entity?
A Health Care Provider
• Doctors
• Clinics
• Psychologists
• Chiropractors
• Nursing Homes
• Pharmacies
A Health Plan
• Health Insurance Companies
• HMOs
• Company Health Plans
• Government programs that pay for healthcare: Medicare, Medicaid, Military & Veterans healthcare providers
A Health Care Clearinghouse
• This includes entities that process nonstandard health information they receive from another entity into either a standard electronic format or standard data content.
What is a Business Associate?
• A Business Associate of a Covered Entity (CE) is any business that does work on behalf of that CE.
• If your firm represents a Business Associate of a Covered Entity, you are responsible for following HIPAA protocol.
Vendors/Subcontractors
• Any business that receives, maintains, or transmits PHI on behalf of your firm.
• A lack of a formal contract does not prevent a subcontractor designation.
• Your firm is responsible for ensuring its vendors are all following HIPAA security protocols.
Diagram: YOUR FIRM LLC and its vendors/subcontractors: Legal Support Services Company, Cloud Storage Company, Document Storage Warehouse Company.
What are the consequences for failing to protect PHI?
• Impose civil and monetary penalties for violations
• Make referrals to the Department of Justice for criminal prosecution
• State Attorney General enforcement actions
• Private causes of action
• Perform audits of law firms
• Subject law firms to compliance reviews
• HHS can investigate as far back in history as it desires
To Breach... Or Not To Breach
Fines and Penalties
• One data breach constituting one HIPAA violation can result in a fine of up to $1.5 million.
• Multiple HIPAA violations can come as a result of one data breach – Example: 3 violations under 1 breach – $1.5 mil x 3 = $4.5 million of fines.

• Stolen laptop
• 23,000 records breached
• $2.5 million fine – State of Minnesota
• Banned from doing business in MN for 6 years
• Federal government review for 20 years
• Shareholder suit – $14 million
• Kicked off the NYSE
Does This Apply To My Firm?
Is your firm doing business on behalf of a Covered Entity (CE) or on behalf of a Business Associate (BA) of a Covered Entity?
How can I protect my firm?
TEACH EMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds the vendor responsible for complying with HIPAA guidelines.
Double-Edged Sword: clients will ask your firm to sign the BAAs as well.
- Indemnity Clause
- Target HVAC company
- Law Firm Indemnification
A sample BAA can be found in your handout.
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your firm's security measures.
It affords protection of Attorney-Client Privilege in the event of an investigation of a breach/violation.
Company Data Breach Policies
• Desktop Policy / System Use Policy
• Personal Device Policy
• Virus, Hostile and Malicious Code Policy
• Internet Use Policy
EMPLOYEE CHECKLIST
PASSWORDS: Keep your passwords secure and secret.
Passwords should be at least 7 characters long. They should also include at least one capital letter, number, and special character.
NETWORK SECURITY is everybody's responsibility.
"Lock" your computer workstation every time you get up from your desk. Holding down the Windows key and pressing "L" will require your password before anyone can access files or information on your workstation, without closing out of programs.
Follow the business's guidelines about acceptable use of personal devices, downloading software to your work computer, and transfer of sensitive data.
RECOGNIZE FRAUD: If it seems phishy, it probably is.
Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment, or download a document.
If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?
EDUCATE EMPLOYEES
• How to spot a phishing email/website
• Proper use of smartphones, tablets, laptop computers, and any out-of-office device that can be used for work purposes
• How to dispose of physical records – shredding vs. throwing into a dumpster
• IT is part of the team – Suspicious emails, alerts, and software installations should be reviewed, scanned, or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.
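Turning the recognize-fraud checklist above into code, as an added example that is not part of the original presentation: the triage function below applies each question from the checklist (unfamiliar sender, unexpected mail from a known contact, a contact who never sends attachments or links, spelling errors, a bare link) to constructed sample messages and returns the items that fire. The sender addresses, message text and the misspelling list are all made up for illustration.

```python
# Added example (not from the original presentation): a triage helper that applies
# the "recognize fraud" checklist to incoming mail. All sender addresses, messages
# and the misspelling list are constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class SenderProfile:
    """What past mail tells us about a familiar correspondent (constructed)."""
    usually_sends_attachments: bool
    usually_sends_links: bool


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    has_attachment: bool = False
    expected: bool = False  # was the recipient expecting this message?


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Misspellings common in bulk phishing; a real deployment would use a spell checker.
# This set is a constructed placeholder.
COMMON_MISSPELLINGS = {"recieve", "acount", "verfiy", "immediatly", "suspened"}


def triage(mail: Email, known_senders: dict[str, SenderProfile]) -> list[str]:
    """Return the checklist items that fire for one message (empty list = nothing flagged).

    Checks mirror the checklist: unfamiliar sender plus something clickable,
    unexpected mail from a known contact, a known contact behaving unusually
    (attachments or links they never send), spelling errors, and a bare link.
    """
    flags: list[str] = []
    urls = URL_RE.findall(mail.body)
    profile = known_senders.get(mail.sender.lower())  # address lookup is case-insensitive

    if profile is None:
        # Unfamiliar sender: links and attachments get a careful look before any click.
        if urls:
            flags.append("unfamiliar sender with link")
        if mail.has_attachment:
            flags.append("unfamiliar sender with attachment")
    else:
        if not mail.expected:
            flags.append("unexpected email from known contact")
        if mail.has_attachment and not profile.usually_sends_attachments:
            flags.append("known sender does not usually send attachments")
        if urls and not profile.usually_sends_links:
            flags.append("known sender does not usually send links")

    words = re.findall(r"[a-z']+", mail.body.lower())
    if any(word in COMMON_MISSPELLINGS for word in words):
        flags.append("spelling errors")

    # A link with (almost) no surrounding text is the classic bare-link lure.
    text_without_urls = URL_RE.sub("", mail.body)
    if urls and len(text_without_urls.split()) < 5:
        flags.append("link with no additional message")
    return flags


# Constructed samples: one familiar correspondent and three messages.
KNOWN_SENDERS = {
    "jane@partnerfirm.example": SenderProfile(usually_sends_attachments=True,
                                              usually_sends_links=False),
}

SAMPLE_MAIL = [
    Email(sender="jane@partnerfirm.example", subject="Engagement letter",
          body="Attached is the signed engagement letter for the Smith matter.",
          has_attachment=True, expected=True),
    Email(sender="Jane@partnerfirm.example", subject="docs",
          body="http://example.invalid/docs"),
    Email(sender="billing@unknown-vendor.example", subject="Action required",
          body="Please verfiy your acount immediatly or it will be suspened: "
               "http://example.invalid/login"),
]


def triage_samples() -> list[tuple[str, list[str]]]:
    """Run every sample through triage; returns (subject, flags) pairs."""
    return [(mail.subject, triage(mail, KNOWN_SENDERS)) for mail in SAMPLE_MAIL]


if __name__ == "__main__":
    for subject, flags in triage_samples():
        verdict = "OK" if not flags else "REVIEW WITH IT: " + "; ".join(flags)
        print(f"{subject!r}: {verdict}")
```

Anything that returns a non-empty flag list is exactly the mail the checklist says should go to the IT staff before anyone clicks.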
A Breach Occurred. Now What?
Breach Notification Rule
Breaches are to be notified within 60 days of discovery, not of when the breach actually occurred.
Parties to be notified:
• Covered Entity
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services
• The Media – breaches that compromise 500+ individuals
Cost of a Breach
• The average cost per record of a data breach in the US is $200. Multiply that by a loss of 10,000 records and we are at a cost of $2 million.
• At that rate, it is no wonder that 60% of small businesses close within 6 months of a cyber attack.
Source: House of Representatives Small Business Subcommittee on Healthcare and Technology
How can my firm recoup these losses?
COVERAGE COMPARISON
LPL With Cyber Coverage
• Only covers claims that come into the Insured from a 3rd party.
• Your firm's losses are not covered – no reference to breach notification costs, indemnification, reputation damage, or damage to firm hardware or software.
– Mentions HIPAA and other regulatory bodies but will not pay for the fines we referenced.
Exclusions to Avoid
• Encryption Exclusion
• Failure to Maintain
• Failure to Upgrade
• User Error
• Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source: Bloomberg News – Sept 26, 2013
• http://map.ipviking.com
• http://globe.cyberfeed.net
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
HIPAA has been around since 1996 Why are we discussing this
Omnibus Final RuleWent into effect September 23 2013
Though the legislation has been around since 1996 the
law now applies to law firms working on behalf of
Covered Entities Business Associates of law firms AND
vendorssubcontractors of law firms
Law Firms must now comply with the
following rules
1 Security Rule2 Privacy Rule
3 Breach Notification Rule
What information are we protecting
Protected Health Information The main purpose of the new HIPAA Omnibus rule is
protection of Protected Health Information
Protected Health Information (PHI) is
anything that can reasonably be
used to identify an individual
Law Firms as business Associates are subject to HIPAA requirements in
order to protect this health information from data breaches
Who is responsible for protecting this information
What Is A Covered Entity
bullDoctors
bullClinics
bullPsychologists
bullChiropractors
bullNursing Home
bullPharmacies
A Health Care Provider
bullHealth Insurance Companies
bullHMOs
bullCompany Health Plans
bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers
A Health Plan
bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content
Health Care Clearinghouse
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
Omnibus Final RuleWent into effect September 23 2013
Though the legislation has been around since 1996 the
law now applies to law firms working on behalf of
Covered Entities Business Associates of law firms AND
vendorssubcontractors of law firms
Law Firms must now comply with the
following rules
1 Security Rule2 Privacy Rule
3 Breach Notification Rule
What information are we protecting
Protected Health Information The main purpose of the new HIPAA Omnibus rule is
protection of Protected Health Information
Protected Health Information (PHI) is
anything that can reasonably be
used to identify an individual
Law Firms as business Associates are subject to HIPAA requirements in
order to protect this health information from data breaches
Who is responsible for protecting this information
What Is A Covered Entity
bullDoctors
bullClinics
bullPsychologists
bullChiropractors
bullNursing Home
bullPharmacies
A Health Care Provider
bullHealth Insurance Companies
bullHMOs
bullCompany Health Plans
bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers
A Health Plan
bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content
Health Care Clearinghouse
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
What information are we protecting
Protected Health Information The main purpose of the new HIPAA Omnibus rule is
protection of Protected Health Information
Protected Health Information (PHI) is
anything that can reasonably be
used to identify an individual
Law Firms as business Associates are subject to HIPAA requirements in
order to protect this health information from data breaches
Who is responsible for protecting this information
What Is A Covered Entity
bullDoctors
bullClinics
bullPsychologists
bullChiropractors
bullNursing Home
bullPharmacies
A Health Care Provider
bullHealth Insurance Companies
bullHMOs
bullCompany Health Plans
bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers
A Health Plan
bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content
Health Care Clearinghouse
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
Protected Health Information The main purpose of the new HIPAA Omnibus rule is
protection of Protected Health Information
Protected Health Information (PHI) is
anything that can reasonably be
used to identify an individual
Law Firms as business Associates are subject to HIPAA requirements in
order to protect this health information from data breaches
Who is responsible for protecting this information
What Is A Covered Entity
bullDoctors
bullClinics
bullPsychologists
bullChiropractors
bullNursing Home
bullPharmacies
A Health Care Provider
bullHealth Insurance Companies
bullHMOs
bullCompany Health Plans
bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers
A Health Plan
bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content
Health Care Clearinghouse
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS: Keep your passwords secure and secret.
Passwords should be at least 7 characters long and include at least one capital letter, number and special character. Current guidance (NIST SP 800-63B) puts more weight on length and uniqueness than on character classes: it requires at least 8 characters, favors longer passphrases over forced composition rules, and a password should never be reused across sites; turn on multi-factor authentication wherever it is offered.
NETWORK SECURITY: Is everybody's responsibility.
"Lock" your computer workstation every time you get up from your desk. Holding down the Windows key and pressing "L" will require your password before anyone can access files or information on your workstation, without closing out of programs.
Follow the business's guidelines about acceptable use of personal devices, downloading software to your work computer and transfer of sensitive data.
RECOGNIZE FRAUD: If it seems phishy, it probably is.
Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment or download a document.
If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?
EDUCATE EMPLOYEES
• How to spot a phishing email/website
• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records: shredding vs. throwing into a dumpster
• IT is part of the team: suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.
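The phishing checklist above, turned into detection logic as an added example (this is not code from the presentation or from any product it mentions). It flags the four things the checklist tells staff to look for: a display name that claims a different domain than the real sender, a Reply-To that routes replies to a third domain, link text that shows one domain while the href goes to another, and attachments that can run code. Both sample messages and every domain in them are constructed for the example, and `registered_domain` is a deliberately crude last-two-labels helper, not a public-suffix lookup.

```python
"""Heuristic phishing triage for one raw e-mail message.
Added example, not from the original presentation: it turns the checklist above into
code (spoofed display name, foreign Reply-To, link text/href domain mismatch, executable
attachments). Both sample messages are constructed here; every domain is a placeholder."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip")  # demo list
_DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: fine for the demo, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _domain_of(text_or_url):
    """Registered domain of a URL or of bare text that looks like a hostname, else None."""
    host = urlparse(text_or_url if "://" in text_or_url else "http://" + text_or_url.strip()).hostname or ""
    return registered_domain(host) if "." in host else None


def triage(raw):
    """Return the findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    sender_domain = registered_domain(sender.domain)
    # 1. Display name that names another domain, e.g. "billing@real.example" <x@other.example>.
    claimed = _DOMAIN_RE.search(sender.display_name.lower())
    if claimed and registered_domain(claimed.group(0)) != sender_domain:
        findings.append(f"display name claims {registered_domain(claimed.group(0))}, sender is {sender_domain}")
    # 2. Replies silently routed to a third domain.
    if msg["reply-to"] is not None:
        reply_domain = registered_domain(msg["reply-to"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(f"reply-to goes to {reply_domain}, sender is {sender_domain}")
    # 3. Visible link text shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = _domain_of(text), _domain_of(href)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown}, href goes to {real}")
    # 4. Attachment types that execute or carry macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


# Constructed phishing-style message; the base64 body is only an "MZ" header stub.
PHISH = """From: "billing@acmehealth.example" <billing@acme-health-portal.example>
Reply-To: collect@mailbox-relay.example
Subject: Updated patient invoice - action required
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<p>Review the invoice at <a href="http://login.acme-health-portal.example/inv">portal.acmehealth.example</a>.</p>
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_2013.exe"
Content-Transfer-Encoding: base64

TVqQAA==
--outer--
"""

# Constructed ordinary message from a known client contact: nothing should be flagged.
CLEAN = """From: Jane Roe <jroe@acmehealth.example>
Subject: Re: deposition scheduling
Content-Type: text/plain; charset="utf-8"

Thursday at 10 works for me.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, triage(raw) or "no findings")
```

Run it on a saved `.eml` by reading the file and passing its text to `triage`. The heuristics are intentionally the human ones from the checklist, so they are a triage aid for the IT staff the slide refers to, not a substitute for mail-gateway filtering: a message that passes all four checks can still be malicious, and a legitimate newsletter with tracking links will trip check 3.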
A Breach Occurred - Now What?
Breach Notification Rule
Breaches are to be notified within 60 days of discovery, not of when the breach actually occurred. Sixty days is the outer limit: the rule calls for notice without unreasonable delay, and a breach counts as discovered on the first day it is known, or by reasonable diligence would have been known, to any employee or agent other than the person who caused it.
Parties to be notified:
• Covered Entity (as a business associate, your firm notifies the covered entity; the covered entity makes the notifications below unless the BAA delegates them to you)
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services (at the same time as the individuals for breaches affecting 500 or more people; smaller breaches are logged and reported annually)
• The Media: breaches that compromise more than 500 individuals in a state or jurisdiction
Cost of a Breach
• The average cost per record of a data breach in the US is $200; multiply that by a loss of 10,000 records and we are at a cost of $2 million.
• At that rate it is no wonder that 60% of small businesses close within 6 months of a cyber attack. (House of Representatives Small Business Subcommittee on Healthcare and Technology)
How can my firm recoup these losses?
COVERAGE COMPARISON
LPL (Lawyers Professional Liability) with cyber coverage:
• Only covers claims that come into the insured from a third party
• Your firm's own losses are not covered: no reference to breach notification costs, indemnification, reputation damage, or damage to firm hardware or software
• Mentions HIPAA and other regulatory bodies, but will not pay for the fines we referenced
Exclusions to avoid in a cyber policy:
• Encryption exclusion (no coverage when the lost data was not encrypted)
• Failure to maintain
• Failure to upgrade
• User error
• Rogue employee
How Your Computer Gets Hacked In Under a Minute
Source: Bloomberg News - Sept 26, 2013
• http://map.ipviking.com
• http://globe.cyberfeed.net
Who is responsible for protecting this information
What Is A Covered Entity
bullDoctors
bullClinics
bullPsychologists
bullChiropractors
bullNursing Home
bullPharmacies
A Health Care Provider
bullHealth Insurance Companies
bullHMOs
bullCompany Health Plans
bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers
A Health Plan
bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content
Health Care Clearinghouse
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
What Is A Covered Entity
bullDoctors
bullClinics
bullPsychologists
bullChiropractors
bullNursing Home
bullPharmacies
A Health Care Provider
bullHealth Insurance Companies
bullHMOs
bullCompany Health Plans
bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers
A Health Plan
bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content
Health Care Clearinghouse
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
What is a Business Associatebull A Business
Associate of a Covered Entity (CE) is any business that does work on behalf of that CE
bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
VendorsSubcontractorsbull Any business that
receives maintains or
transmits PHI on behalf
of your firm
bull A lack of a formal
contract does not
prevent a subcontractor
designation
bull Your firm is responsible
for ensuring its vendors
are all following HIPAA
security protocols
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
YOUR FIRM LLC
Legal Support Services Company
Cloud Storage Company
Document Storage Warehouse Company
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
What are the consequences for failing to protect PHI
bull Impose civil and monetary penalties for violations
bull Make referrals to the Department of Justice for criminal prosecution
bull State Attorney General enforcement actions
bull Private Causes of Action
bull Perform audits of law
firms
bull Subject law firms to
compliance reviews
bull HHS can investigate as
far back in history as it
desires
To Breachhellip Or Not To Breach
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS: Keep your passwords secure and secret.
Passwords should be at least 7 characters long and include at least one capital letter, one number and one special character. Length matters more than the mix of character classes, so a longer passphrase is stronger, and a work password should never be reused on another site.
NETWORK SECURITY is everybody's responsibility.
"Lock" your workstation every time you get up from your desk. Holding down the Windows key and pressing "L" locks the screen, so your password is required before anyone can access files or information on your workstation, without closing your programs.
Follow the firm's guidelines about acceptable use of personal devices, downloading software to your work computer and transfer of sensitive data.
RECOGNIZE FRAUD: If it seems phishy, it probably is.
Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment or download a document.
If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?
EDUCATE EMPLOYEES
• How to spot a phishing email or website
• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records: shredding vs. throwing into a dumpster
• IT is part of the team: suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.
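The phishing indicators in the checklist above (unfamiliar sender, unexpected attachment, a link with no message around it) are simple enough to run mechanically before a person decides whether to open a message. The script below is an added example written for this page; it is not code from the deck or from ECBM. It uses only the Python standard library to parse a raw message and report which checklist indicators fire, and it goes one step beyond the deck's list by also flagging a look-alike sender domain (one or two character edits away from a domain the firm knows). The known-domain list and the three sample messages are constructed for illustration, not real mail.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed for this example: domains the firm regularly corresponds with.
KNOWN_DOMAINS = {"examplehealth.example", "lawfirm.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From: address ('' if it cannot be parsed)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def body_text(msg: EmailMessage) -> str:
    """Plain-text body (falls back to the HTML source), '' for an empty message."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return the checklist indicators that fire on a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags: list[str] = []

    domain = sender_domain(msg)
    if domain not in KNOWN_DOMAINS:
        flags.append("unfamiliar-sender")
        # A domain one or two edits from a known one is a look-alike, not a stranger.
        if any(0 < edit_distance(domain, known) <= 2 for known in KNOWN_DOMAINS):
            flags.append("lookalike-domain")

    # "Does this person usually send attachments?" Any attachment earns a second look.
    if any(True for _ in msg.iter_attachments()):
        flags.append("has-attachment")

    # "Links with no additional message": URLs present but almost no words around them.
    text = body_text(msg)
    urls = URL_RE.findall(text)
    words = URL_RE.sub("", text).split()
    if urls and len(words) < 3:
        flags.append("link-without-message")

    return flags


def needs_it_review(raw: str) -> bool:
    """Per the checklist: anything that trips an indicator goes to IT before it is opened."""
    return bool(phishing_indicators(raw))


# Constructed sample messages (not real mail).
PHISH = """From: Billing <billing@examp1ehealth.example>
To: paralegal@lawfirm.example
Subject: Invoice 8823
Content-Type: text/plain

http://examp1ehealth.example/invoice/8823
"""

ATTACH = """From: Courier <docs@random-sender.example>
To: paralegal@lawfirm.example
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="records.zip"
Content-Disposition: attachment; filename="records.zip"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

LEGIT = """From: Records <records@examplehealth.example>
To: paralegal@lawfirm.example
Subject: Re: Discovery request
Content-Type: text/plain

Per our call this morning, the requested records are now in the secure portal.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("ATTACH", ATTACH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(sample), "-> IT review" if needs_it_review(sample) else "-> ok")
```

Any message that trips an indicator is held for IT rather than opened, as the checklist directs. A clean result is not proof that a message is legitimate; it only means none of these simple indicators fired, which is why the human questions on the checklist still apply.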
A Breach Occurred: Now What?
Breach Notification Rule
Breaches must be reported without unreasonable delay, and in no case later than 60 days after the breach is discovered. The clock runs from discovery, not from when the breach actually occurred.
Parties to be notified:
• The Covered Entity (a business associate reports to the covered entity it works for)
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services
• The media, for breaches affecting more than 500 residents of a state or jurisdiction
Cost of a Breach
• The average cost per record of a data breach in the US is about $200. Multiply that by a loss of 10,000 records and you are at a cost of $2 million.
• At that rate it is no wonder that 60% of small businesses close within 6 months of a cyber attack (House of Representatives Small Business Subcommittee on Healthcare and Technology).
How Can My Firm Recoup These Losses?
COVERAGE COMPARISON
Lawyers Professional Liability (LPL) with cyber coverage:
• Only covers claims that come into the insured from a third party
• Your firm's own losses are not covered: no reference to breach notification costs, indemnification, reputation damage, or damage to firm hardware or software
• Mentions HIPAA and other regulatory bodies, but will not pay the fines referenced above
Exclusions to avoid in a policy:
• Encryption exclusion
• Failure to maintain
• Failure to upgrade
• User error
• Rogue employee
How Your Computer Gets Hacked In Under a Minute
Source: Bloomberg News, Sept. 26, 2013
• http://map.ipviking.com
• http://globe.cyberfeed.net
• Impose civil and monetary penalties for violations
• Make referrals to the Department of Justice for criminal prosecution
• State Attorney General enforcement actions
• Private causes of action
• Perform audits of law firms
• Subject law firms to compliance reviews
• HHS can investigate as far back in history as it desires
To Breach... Or Not To Breach
Fines and Penalties
• One data breach that violates one HIPAA provision can result in a civil penalty of up to $1.5 million (the annual cap for violations of an identical provision)
• Multiple HIPAA violations can come as a result of one data breach. Example: 3 violations under 1 breach: $1.5 million x 3 = $4.5 million in fines
Case example:
• Stolen laptop
• 23,000 records breached
• $2.5 million settlement with the State of Minnesota
• Banned from doing business in MN for 6 years
• Federal Government: compliance review for 20 years
• Shareholder suit: $14 million
• Delisted from the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
Fines and Penaltiesbull 1 data breach that violates 1 HIPAA
violation can result in a fine of up to
$15 million
bull Multiple HIPAA violations can come as
a result of 1 data breach ndash Example 3 violation under 1 breach
ndash $15 mil x 3 = $45 million of fines
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
bull Stolen Laptop
bull 23000 records breached
bull $25 Million fine ndash State of Minnesota
bull Banned from doing business in MN for 6
years
bull Federal Government- Review for 20 years
bull Shareholder suit - $14 Million
bull Kicked off the NYSE
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
Does This Apply To My Firm
Is your firm doing business on behalf of a
Covered Entity (CE) or on behalf of a Business
Associate (BA) of a Covered Entity
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
How can I protect my firm
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
TEACHEMPLOYEES SOUND IT JUDGEMENT
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
Business Associate Agreements
BAAs are contracts that contain verbiage that holds
the vendor responsible for complying with HIPAA
guidelines
Double Edge Sword-Clients will ask your firm to sign
the BAAs as well
-Indemnity Clause
-Target HVAC company
-Law Firm Indmenification
a sample BAA can be found in your handout
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS Keep your passwords secure and secret
Passwords should be at least 7 characters long They should also include at least one capital letter number and
special character
NETWORK SECURITY Is everybodyrsquos responsibility
ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and
pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation
without closing out of programs
Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work
computer and transfer of sensitive data
RECOGNIZE FRAUD If it seems phishy it probably is
Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or
download a document
If it is an email from someone you usually do business with were you expecting this email Does this person usu-
ally send attachments have spelling and grammar errors or send links with no additional message
How to spot a phishing emailwebsite
bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes
bull How to dispose of physical recordsndash Shredding vs throwing into a
dumpster
bull IT is part of the team ndash Suspicious emails alerts and so1048908
ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to
EDUCATE
EMPLOYEES
A Breach Occurred- Now What
Breach Notification Rule
Breaches to be notified within 60 days of discovery
not when the breach actually occurred
Parties to be notifiedbull Covered Entity
bull Individuals whose PHI has been compromised
bull The Secretary of Health and Human Services
bull The Media ndash breaches that compromise 500+ individuals
Cost of a Breach bull The average cost per record of a data breach in
the US is $200 you multiply that by a loss of 10000
records we are at a cost of $2 million
bull At that rate it is no wonder that 60 of small
businesses close within 6 months of a cyber attack
House of Representatives Small Business
Subcommittee on Healthcare and Technology
How can my firm recoup these losses
COVERAGE COMPARISON
LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party
bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or
Damage to Firm Hardware or Software
ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced
Exclusions to Avoid bull Encryption Exclusion
bull Failure to Maintain
bull Failure to Upgrade
bull User Error
bull Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source Bloomberg News ndash Sept 26 2013
bull httpmapipvikingcom
bull httpglobecyberfeednet
CHARLIE BERNIER Esquire
CEBernierecbmcom
Ph 6103046553
wwwecbmlegalcom
prepared for the ALA by
HIRE AN IT LAW FIRM
Law firms that specialize in IT can perform an audit of your
firmrsquos security measures
It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation
Company Data Breach Policies
Desktop PolicySystem Use
Policy
Personal
Devise Policy
Virus Hostile
and Malicious
Code Policy
Internet Use
Policy
EMPLOYEE CHECKLIST
PASSWORDS: Keep your passwords secure and secret.
Passwords should be at least 7 characters long. They should also include at least one capital letter, number and special character.
NETWORK SECURITY: Is everybody's responsibility.
"Lock" your computer workstation every time you get up from your desk. Holding down the Windows key and pressing "L" will require your password before anyone can access files or information on your workstation, without closing out of programs.
Follow the business's guidelines about acceptable use of personal devices, downloading software to your work computer and transfer of sensitive data.
RECOGNIZE FRAUD: If it seems phishy, it probably is.
Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment or download a document.
If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?
How to spot a phishing email/website
EDUCATE EMPLOYEES
• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records – Shredding vs. throwing into a dumpster
• IT is part of the team – Suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.
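The "recognize fraud" questions above can be turned into a routine triage step that runs on mail metadata before anyone clicks: is the sender known, does a known sender usually send attachments, was the mail expected, are there spelling errors, is it a bare link with no message. The following Python is an added example written for this page, not material from the presentation or from ECBM; the list of known correspondents, the misspelling list and the three sample messages are all constructed for the demonstration, and a real deployment would draw sender history from the mail system and use a proper spell-checker. Anything that trips a cue is routed to IT for review, which is the "IT is part of the team" point in the checklist.

```python
"""Apply the employee checklist's phishing questions to incoming mail.

Added example, not part of the original presentation; every name and
sample below is constructed for illustration.
"""
from dataclasses import dataclass, field
import re

# Constructed history of what each known correspondent "usually" does.
KNOWN_SENDERS = {
    "paralegal@example-client.com": {"sends_attachments": True},
    "billing@example-vendor.com": {"sends_attachments": False},
}

# Tiny constructed misspelling list; stands in for a real spell-checker and
# only illustrates the checklist's "spelling and grammar errors" cue.
MISSPELLINGS = {"recieve", "acount", "verfy", "immediatly"}

LINK_RE = re.compile(r"https?://\S+")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    expected: bool = False  # did the recipient expect this mail?


def triage(msg: Message) -> list[str]:
    """Return the checklist cues that apply; an empty list means none fired."""
    flags = []
    profile = KNOWN_SENDERS.get(msg.sender.lower())

    if profile is None:
        # "Emails from unfamiliar senders should be looked over carefully"
        flags.append("unfamiliar sender")
    else:
        # "Does this person usually send attachments?"
        if msg.attachments and not profile["sends_attachments"]:
            flags.append("known sender does not usually send attachments")
        # "Were you expecting this email?" only matters if it carries a payload
        if not msg.expected and (msg.attachments or LINK_RE.search(msg.body)):
            flags.append("unexpected email with link or attachment")

    # "have spelling and grammar errors"
    words = set(re.findall(r"[a-z]+", msg.body.lower()))
    if words & MISSPELLINGS:
        flags.append("spelling errors")

    # "send links with no additional message": body is nothing but URLs
    if LINK_RE.search(msg.body) and not LINK_RE.sub("", msg.body).strip():
        flags.append("link with no additional message")

    return flags


def needs_it_review(msg: Message) -> bool:
    """Any cue means the mail goes to IT for review instead of being opened."""
    return bool(triage(msg))


# Constructed sample messages.
SAMPLES = [
    Message("paralegal@example-client.com", "Discovery docs",
            "Attached are the exhibits we discussed on the call.",
            attachments=["exhibits.pdf"], expected=True),
    Message("billing@example-vendor.com", "Invoice",
            "Please verfy your acount: https://example.invalid/login",
            attachments=["invoice.zip"]),
    Message("someone@unknown.example", "Hi", "https://example.invalid/x"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, "->", triage(m) or "no cues", "| IT review:", needs_it_review(m))
```

The first sample (expected attachment from a correspondent who always sends them) raises nothing; the second trips three cues at once (unusual attachment, unexpected, misspellings); the third is the classic bare link from a stranger. The point of the example is that none of the cues is proof on its own, so the function returns the list of reasons rather than a verdict, and the human or IT reviewer sees why the mail was held.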
A Breach Occurred – Now What?
Breach Notification Rule
Breaches are to be notified within 60 days of discovery, not when the breach actually occurred.
Parties to be notified:
• Covered Entity
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services
• The Media – breaches that compromise 500+ individuals
Cost of a Breach
• The average cost per record of a data breach in the US is $200; multiply that by a loss of 10,000 records and the cost is $2 million.
• At that rate it is no wonder that 60% of small businesses close within 6 months of a cyber attack.
(House of Representatives Small Business Subcommittee on Healthcare and Technology)
How can my firm recoup these losses?
COVERAGE COMPARISON
LPL With Cyber Coverage
• Only covers claims that come into the Insured from a 3rd party
• Your firm's losses not covered – No reference to breach notification costs, indemnification, reputation damage or damage to firm hardware or software
– Mentions HIPAA and other regulatory bodies but will not pay for the fines we referenced
Exclusions to Avoid
• Encryption Exclusion
• Failure to Maintain
• Failure to Upgrade
• User Error
• Rogue Employee
How Your Computer Gets Hacked In Under a Minute
Source: Bloomberg News – Sept 26, 2013
• http://map.ipviking.com
• http://globe.cyberfeed.net
CHARLIE BERNIER, Esquire
CEBernier@ecbm.com
Ph: 610-304-6553
www.ecbmlegal.com
prepared for the ALA by