Is Your Firm A HIPAA Enforcement Target?

Date post: 21-Jul-2015
Prepared for the ALA by: Charlie Bernier, Esquire. [email protected], Ph: 610.304.6553, www.ecbmlegal.com

HIPAA has been around since 1996. Why are we discussing this?

Omnibus Final Rule: went into effect September 23, 2013.

Though the legislation has been around since 1996, the law now applies to law firms working on behalf of Covered Entities, Business Associates of law firms, AND vendors/subcontractors of law firms.

Law firms must now comply with the following rules:

1. Security Rule
2. Privacy Rule
3. Breach Notification Rule

What information are we protecting?

Protected Health Information. The main purpose of the new HIPAA Omnibus Rule is protection of Protected Health Information.

Protected Health Information (PHI) is anything that can reasonably be used to identify an individual.

Law firms, as Business Associates, are subject to HIPAA requirements in order to protect this health information from data breaches.

Who is responsible for protecting this information?

What Is A Covered Entity?

A Health Care Provider
• Doctors
• Clinics
• Psychologists
• Chiropractors
• Nursing Homes
• Pharmacies

A Health Plan
• Health Insurance Companies
• HMOs
• Company Health Plans
• Government Programs that pay for healthcare: Medicare, Medicaid, Military & Veterans healthcare providers

A Health Care Clearinghouse
• This includes entities that process nonstandard health information they receive from another entity into either a standard electronic format or standard data content.

What is a Business Associate?

• A Business Associate of a Covered Entity (CE) is any business that does work on behalf of that CE.
• If your firm represents a Business Associate of a Covered Entity, you are responsible for following HIPAA protocol.

Vendors/Subcontractors

• Any business that receives, maintains, or transmits PHI on behalf of your firm.
• A lack of a formal contract does not prevent a subcontractor designation.
• Your firm is responsible for ensuring its vendors are all following HIPAA security protocols.

(Diagram: YOUR FIRM LLC and its vendors: Legal Support Services Company, Cloud Storage Company, Document Storage Warehouse Company)

What are the consequences for failing to protect PHI?

• Impose civil and monetary penalties for violations
• Make referrals to the Department of Justice for criminal prosecution
• State Attorney General enforcement actions
• Private causes of action
• Perform audits of law firms
• Subject law firms to compliance reviews
• HHS can investigate as far back in history as it desires

To Breach… Or Not To Breach

Fines and Penalties
• 1 data breach that constitutes 1 HIPAA violation can result in a fine of up to $1.5 million
• Multiple HIPAA violations can come as a result of 1 data breach
  - Example: 3 violations under 1 breach
  - $1.5 million x 3 = $4.5 million of fines

• Stolen laptop
• 23,000 records breached
• $2.5 million fine (State of Minnesota)
• Banned from doing business in MN for 6 years
• Federal government review for 20 years
• Shareholder suit: $14 million
• Kicked off the NYSE

Does This Apply To My Firm?

Is your firm doing business on behalf of a Covered Entity (CE) or on behalf of a Business Associate (BA) of a Covered Entity?

How can I protect my firm?

TEACH EMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds the vendor responsible for complying with HIPAA guidelines.

Double-edged sword: clients will ask your firm to sign the BAAs as well.
- Indemnity clause
- Target HVAC company
- Law firm indemnification

A sample BAA can be found in your handout.

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your firm's security measures.

It affords protection of attorney-client privilege in the event of an investigation of a breach/violation.

Company Data Breach Policies

• Desktop Policy / System Use Policy
• Personal Device Policy
• Virus, Hostile and Malicious Code Policy
• Internet Use Policy

EMPLOYEE CHECKLIST

PASSWORDS: Keep your passwords secure and secret.

Passwords should be at least 7 characters long. They should also include at least one capital letter, number and special character.

NETWORK SECURITY: Is everybody's responsibility.

"Lock" your computer workstation every time you get up from your desk. Holding down the Windows key and pressing "L" will require your password before anyone can access files or information on your workstation, without closing out of programs.

Follow the business's guidelines about acceptable use of personal devices, downloading software to your work computer, and transfer of sensitive data.

RECOGNIZE FRAUD: If it seems phishy, it probably is.

Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment, or download a document.

If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?

EDUCATE EMPLOYEES

• How to spot a phishing email/website
• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records: shredding vs. throwing into a dumpster
• IT is part of the team: suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.

A Breach Occurred. Now What?

Breach Notification Rule

Breaches must be notified within 60 days of discovery, not 60 days from when the breach actually occurred.

Parties to be notified:
• Covered Entity
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services
• The Media: breaches that compromise 500+ individuals

Cost of a Breach
• The average cost per record of a data breach in the US is $200. Multiply that by a loss of 10,000 records and we are at a cost of $2 million.
• At that rate it is no wonder that 60% of small businesses close within 6 months of a cyber attack. (Source: House of Representatives Small Business Subcommittee on Healthcare and Technology)

How can my firm recoup these losses?

COVERAGE COMPARISON

LPL With Cyber Coverage
• Only covers claims that come into the Insured from a 3rd party
• Your firm's losses: not covered
  - No reference to breach notification costs, indemnification, reputation damage, or damage to firm hardware or software
  - Mentions HIPAA and other regulatory bodies but will not pay for the fines we referenced

Exclusions to Avoid
• Encryption Exclusion
• Failure to Maintain
• Failure to Upgrade
• User Error
• Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source: Bloomberg News, Sept 26, 2013
• http://map.ipviking.com
• http://globe.cyberfeed.net

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 2: Is Your Firm A HIPAA Enforcement Target?

HIPAA has been around since 1996 Why are we discussing this

Omnibus Final RuleWent into effect September 23 2013

Though the legislation has been around since 1996 the

law now applies to law firms working on behalf of

Covered Entities Business Associates of law firms AND

vendorssubcontractors of law firms

Law Firms must now comply with the

following rules

1 Security Rule2 Privacy Rule

3 Breach Notification Rule

What information are we protecting

Protected Health Information The main purpose of the new HIPAA Omnibus rule is

protection of Protected Health Information

Protected Health Information (PHI) is

anything that can reasonably be

used to identify an individual

Law Firms as business Associates are subject to HIPAA requirements in

order to protect this health information from data breaches

Who is responsible for protecting this information

What Is A Covered Entity

bullDoctors

bullClinics

bullPsychologists

bullChiropractors

bullNursing Home

bullPharmacies

A Health Care Provider

bullHealth Insurance Companies

bullHMOs

bullCompany Health Plans

bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers

A Health Plan

bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content

Health Care Clearinghouse

What is a Business Associatebull A Business

Associate of a Covered Entity (CE) is any business that does work on behalf of that CE

bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol

VendorsSubcontractorsbull Any business that

receives maintains or

transmits PHI on behalf

of your firm

bull A lack of a formal

contract does not

prevent a subcontractor

designation

bull Your firm is responsible

for ensuring its vendors

are all following HIPAA

security protocols

YOUR FIRM LLC

Legal Support Services Company

Cloud Storage Company

Document Storage Warehouse Company

What are the consequences for failing to protect PHI

bull Impose civil and monetary penalties for violations

bull Make referrals to the Department of Justice for criminal prosecution

bull State Attorney General enforcement actions

bull Private Causes of Action

bull Perform audits of law

firms

bull Subject law firms to

compliance reviews

bull HHS can investigate as

far back in history as it

desires

To Breachhellip Or Not To Breach

Fines and Penaltiesbull 1 data breach that violates 1 HIPAA

violation can result in a fine of up to

$15 million

bull Multiple HIPAA violations can come as

a result of 1 data breach ndash Example 3 violation under 1 breach

ndash $15 mil x 3 = $45 million of fines

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 3: Is Your Firm A HIPAA Enforcement Target?

Omnibus Final RuleWent into effect September 23 2013

Though the legislation has been around since 1996 the

law now applies to law firms working on behalf of

Covered Entities Business Associates of law firms AND

vendorssubcontractors of law firms

Law Firms must now comply with the

following rules

1 Security Rule2 Privacy Rule

3 Breach Notification Rule

What information are we protecting

Protected Health Information The main purpose of the new HIPAA Omnibus rule is

protection of Protected Health Information

Protected Health Information (PHI) is

anything that can reasonably be

used to identify an individual

Law Firms as business Associates are subject to HIPAA requirements in

order to protect this health information from data breaches

Who is responsible for protecting this information

What Is A Covered Entity

bullDoctors

bullClinics

bullPsychologists

bullChiropractors

bullNursing Home

bullPharmacies

A Health Care Provider

bullHealth Insurance Companies

bullHMOs

bullCompany Health Plans

bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers

A Health Plan

bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content

Health Care Clearinghouse

What is a Business Associatebull A Business

Associate of a Covered Entity (CE) is any business that does work on behalf of that CE

bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol

VendorsSubcontractorsbull Any business that

receives maintains or

transmits PHI on behalf

of your firm

bull A lack of a formal

contract does not

prevent a subcontractor

designation

bull Your firm is responsible

for ensuring its vendors

are all following HIPAA

security protocols

YOUR FIRM LLC

Legal Support Services Company

Cloud Storage Company

Document Storage Warehouse Company

What are the consequences for failing to protect PHI

bull Impose civil and monetary penalties for violations

bull Make referrals to the Department of Justice for criminal prosecution

bull State Attorney General enforcement actions

bull Private Causes of Action

bull Perform audits of law

firms

bull Subject law firms to

compliance reviews

bull HHS can investigate as

far back in history as it

desires

To Breachhellip Or Not To Breach

Fines and Penaltiesbull 1 data breach that violates 1 HIPAA

violation can result in a fine of up to

$15 million

bull Multiple HIPAA violations can come as

a result of 1 data breach ndash Example 3 violation under 1 breach

ndash $15 mil x 3 = $45 million of fines

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 4: Is Your Firm A HIPAA Enforcement Target?

What information are we protecting

Protected Health Information The main purpose of the new HIPAA Omnibus rule is

protection of Protected Health Information

Protected Health Information (PHI) is

anything that can reasonably be

used to identify an individual

Law Firms as business Associates are subject to HIPAA requirements in

order to protect this health information from data breaches

Who is responsible for protecting this information

What Is A Covered Entity

bullDoctors

bullClinics

bullPsychologists

bullChiropractors

bullNursing Home

bullPharmacies

A Health Care Provider

bullHealth Insurance Companies

bullHMOs

bullCompany Health Plans

bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers

A Health Plan

bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content

Health Care Clearinghouse

What is a Business Associatebull A Business

Associate of a Covered Entity (CE) is any business that does work on behalf of that CE

bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol

VendorsSubcontractorsbull Any business that

receives maintains or

transmits PHI on behalf

of your firm

bull A lack of a formal

contract does not

prevent a subcontractor

designation

bull Your firm is responsible

for ensuring its vendors

are all following HIPAA

security protocols

YOUR FIRM LLC

Legal Support Services Company

Cloud Storage Company

Document Storage Warehouse Company

What are the consequences for failing to protect PHI

bull Impose civil and monetary penalties for violations

bull Make referrals to the Department of Justice for criminal prosecution

bull State Attorney General enforcement actions

bull Private Causes of Action

bull Perform audits of law

firms

bull Subject law firms to

compliance reviews

bull HHS can investigate as

far back in history as it

desires

To Breachhellip Or Not To Breach

Fines and Penaltiesbull 1 data breach that violates 1 HIPAA

violation can result in a fine of up to

$15 million

bull Multiple HIPAA violations can come as

a result of 1 data breach ndash Example 3 violation under 1 breach

ndash $15 mil x 3 = $45 million of fines

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 5: Is Your Firm A HIPAA Enforcement Target?

Protected Health Information The main purpose of the new HIPAA Omnibus rule is

protection of Protected Health Information

Protected Health Information (PHI) is

anything that can reasonably be

used to identify an individual

Law Firms as business Associates are subject to HIPAA requirements in

order to protect this health information from data breaches

Who is responsible for protecting this information

What Is A Covered Entity

bullDoctors

bullClinics

bullPsychologists

bullChiropractors

bullNursing Home

bullPharmacies

A Health Care Provider

bullHealth Insurance Companies

bullHMOs

bullCompany Health Plans

bullGovernment Programs that pay for healthcare- Medicare Medicaid Military amp Veterans healthcare providers

A Health Plan

bullThis includes entities that process nonstandard health information they receive from another entity into a either a standard electronic format or standard data content

Health Care Clearinghouse

What is a Business Associatebull A Business

Associate of a Covered Entity (CE) is any business that does work on behalf of that CE

bull If your firm represents a Business Associate of a Covered Entity you are responsiblefor following HIPAA protocol

VendorsSubcontractorsbull Any business that

receives maintains or

transmits PHI on behalf

of your firm

bull A lack of a formal

contract does not

prevent a subcontractor

designation

bull Your firm is responsible

for ensuring its vendors

are all following HIPAA

security protocols

YOUR FIRM LLC

Legal Support Services Company

Cloud Storage Company

Document Storage Warehouse Company

What are the consequences for failing to protect PHI

bull Impose civil and monetary penalties for violations

bull Make referrals to the Department of Justice for criminal prosecution

bull State Attorney General enforcement actions

bull Private Causes of Action

bull Perform audits of law

firms

bull Subject law firms to

compliance reviews

bull HHS can investigate as

far back in history as it

desires

To Breachhellip Or Not To Breach

Fines and Penaltiesbull 1 data breach that violates 1 HIPAA

violation can result in a fine of up to

$15 million

bull Multiple HIPAA violations can come as

a result of 1 data breach ndash Example 3 violation under 1 breach

ndash $15 mil x 3 = $45 million of fines

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS: Keep your passwords secure and secret.

Passwords should be at least 7 characters long. They should also include at least one capital letter, number and special character.

NETWORK SECURITY: Is everybody's responsibility.

"Lock" your computer workstation every time you get up from your desk. Holding down the Windows key and pressing "L" will require your password before anyone can access files or information on your workstation, without closing out of programs.

Follow the business's guidelines about acceptable use of personal devices, downloading software to your work computer and transfer of sensitive data.

RECOGNIZE FRAUD: If it seems phishy, it probably is.

Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment or download a document.

If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?

EDUCATE EMPLOYEES

• How to spot a phishing email/website
• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records: shredding vs. throwing into a dumpster
• IT is part of the team: suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.

A Breach Occurred: Now What?

Breach Notification Rule

Breaches are to be notified within 60 days of discovery, not of when the breach actually occurred.

Parties to be notified:
• Covered Entity
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services
• The media: breaches that compromise 500+ individuals

Cost of a Breach

• The average cost per record of a data breach in the US is $200. Multiply that by a loss of 10,000 records and we are at a cost of $2 million.
• At that rate it is no wonder that 60% of small businesses close within 6 months of a cyber attack. (House of Representatives Small Business Subcommittee on Healthcare and Technology)
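A small notification planner built from the figures on the two slides above, as an added example that is not part of the original deck: it takes the 60-day window from discovery, the 500-individual media threshold and the $200-per-record cost as named constants, and the incident dates and record counts are constructed sample input.

```python
"""Breach-notification planner built from the figures on this slide.

Added example, not part of the original deck. The window, media threshold
and per-record cost are the slide's numbers, kept as named constants so a
firm can adjust them if its own counsel or policy says otherwise.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFICATION_WINDOW_DAYS = 60       # clock starts at discovery, not occurrence
MEDIA_NOTICE_THRESHOLD = 500        # 500+ individuals also triggers media notice
AVG_COST_PER_RECORD_USD = 200       # average per-record cost quoted on the slide


@dataclass(frozen=True)
class NotificationPlan:
    occurred_on: date
    discovered_on: date
    individuals_affected: int
    deadline: date                  # last day to notify, per the 60-day rule
    parties: tuple[str, ...]        # who must be told
    estimated_cost_usd: int         # records x per-record cost
    days_undetected: int            # gap between occurrence and discovery


def plan_notifications(occurred_on: date, discovered_on: date,
                       individuals_affected: int) -> NotificationPlan:
    """Derive deadline, recipients and cost estimate for one breach."""
    if discovered_on < occurred_on:
        raise ValueError("a breach cannot be discovered before it occurred")
    if individuals_affected < 0:
        raise ValueError("individuals_affected must be non-negative")

    # The deadline is measured from discovery; the occurrence date only
    # matters for reporting how long the breach went unnoticed.
    deadline = discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    parties = ["Covered Entity",
               "Individuals whose PHI has been compromised",
               "Secretary of Health and Human Services"]
    if individuals_affected >= MEDIA_NOTICE_THRESHOLD:
        parties.append("Media")

    return NotificationPlan(
        occurred_on=occurred_on,
        discovered_on=discovered_on,
        individuals_affected=individuals_affected,
        deadline=deadline,
        parties=tuple(parties),
        estimated_cost_usd=individuals_affected * AVG_COST_PER_RECORD_USD,
        days_undetected=(discovered_on - occurred_on).days,
    )


def days_remaining(plan: NotificationPlan, today: date) -> int:
    """Days left before the deadline; negative means the firm is already late."""
    return (plan.deadline - today).days


def notification_status(plan: NotificationPlan, today: date) -> str:
    """One-line tracker entry for an incident log."""
    left = days_remaining(plan, today)
    if left < 0:
        return f"OVERDUE by {-left} day(s) (deadline was {plan.deadline})"
    return f"{left} day(s) remaining (deadline {plan.deadline})"


if __name__ == "__main__":
    # Constructed sample: laptop stolen on 1 March, noticed on 10 March,
    # 23,000 records on it (the record count from the slide's example).
    plan = plan_notifications(date(2014, 3, 1), date(2014, 3, 10), 23_000)
    print("deadline:", plan.deadline)                       # 2014-05-09
    print("notify:", ", ".join(plan.parties))
    print("estimated cost: $" + f"{plan.estimated_cost_usd:,}")  # $4,600,000
    print(notification_status(plan, date(2014, 4, 1)))      # 38 day(s) remaining
```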

How can my firm recoup these losses?

COVERAGE COMPARISON

LPL With Cyber Coverage
• Only covers claims that come into the Insured from a 3rd party
• Your firm's losses: not covered
  - No reference to breach notification costs, indemnification, reputation damage or damage to firm hardware or software
  - Mentions HIPAA and other regulatory bodies, but will not pay for the fines we referenced

Exclusions to Avoid
• Encryption Exclusion
• Failure to Maintain
• Failure to Upgrade
• User Error
• Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source: Bloomberg News, Sept 26, 2013

• http://map.ipviking.com
• http://globe.cyberfeed.net







Page 11: Is Your Firm A HIPAA Enforcement Target?

What are the consequences for failing to protect PHI?

• Impose civil and monetary penalties for violations
• Make referrals to the Department of Justice for criminal prosecution
• State Attorney General enforcement actions
• Private Causes of Action
• Perform audits of law firms
• Subject law firms to compliance reviews
• HHS can investigate as far back in history as it desires

To Breach… Or Not To Breach

Fines and Penalties
• 1 data breach that constitutes 1 HIPAA violation can result in a fine of up to $1.5 million
• Multiple HIPAA violations can come as a result of 1 data breach
– Example: 3 violations under 1 breach
– $1.5 mil x 3 = $4.5 million of fines

• Stolen Laptop
• 23,000 records breached
• $2.5 Million fine – State of Minnesota
• Banned from doing business in MN for 6 years
• Federal Government – Review for 20 years
• Shareholder suit - $14 Million
• Kicked off the NYSE

Does This Apply To My Firm?

Is your firm doing business on behalf of a Covered Entity (CE) or on behalf of a Business Associate (BA) of a Covered Entity?

How can I protect my firm?

TEACH EMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds the vendor responsible for complying with HIPAA guidelines.

Double-Edged Sword – Clients will ask your firm to sign the BAAs as well
- Indemnity Clause
- Target HVAC company
- Law Firm Indemnification

A sample BAA can be found in your handout.

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your firm's security measures.

It affords protection of Attorney-Client Privilege in the event of an investigation of a breach/violation.

Company Data Breach Policies

Desktop Policy / System Use Policy
Personal Device Policy
Virus, Hostile and Malicious Code Policy
Internet Use Policy

EMPLOYEE CHECKLIST

PASSWORDS: Keep your passwords secure and secret.
Passwords should be at least 7 characters long. They should also include at least one capital letter, number and special character.

NETWORK SECURITY: Is everybody's responsibility.
"Lock" your computer workstation every time you get up from your desk. Holding down the Windows key and pressing "L" will require your password before anyone can access files or information on your workstation, without closing out of programs.
Follow the business's guidelines about acceptable use of personal devices, downloading software to your work computer, and transfer of sensitive data.

RECOGNIZE FRAUD: If it seems phishy, it probably is.
Emails from unfamiliar senders should be looked over carefully before you click a link, open an attachment, or download a document.
If it is an email from someone you usually do business with, were you expecting this email? Does this person usually send attachments, have spelling and grammar errors, or send links with no additional message?

How to spot a phishing email/website
• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records – Shredding vs. throwing into a dumpster
• IT is part of the team – Suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.

EDUCATE EMPLOYEES
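One way to turn the RECOGNIZE FRAUD questions above into a repeatable triage check, as an added example that is not part of the original presentation; the sender baseline, the addresses, the misspelling list and the sample messages are all constructed data:

```python
"""Mail triage built from the RECOGNIZE FRAUD checklist.

Added example, not part of the original presentation. The sender
baseline, the addresses, the misspelling list and the messages are
constructed sample data.
"""
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed baseline: who the firm usually does business with and
# whether that correspondent normally sends attachments.
KNOWN_SENDERS = {
    "accounts@example-client.test": {"sends_attachments": True},
    "jane.doe@example-clinic.test": {"sends_attachments": False},
}

# Constructed stand-in for a spell checker: a few common misspellings.
MISSPELLINGS = {"recieve", "urgant", "acount", "verifiy", "imediately"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    expected: bool = False  # was the recipient expecting this email?


def triage(msg: Message) -> list:
    """Return the checklist questions this message fails; empty means no flags."""
    flags = []
    profile = KNOWN_SENDERS.get(msg.sender.lower())
    links = URL_RE.findall(msg.body)
    text = URL_RE.sub("", msg.body).strip()  # body with the links removed

    if profile is None:
        # Unfamiliar sender: look carefully before clicking or opening anything.
        if links:
            flags.append("unfamiliar sender with link")
        if msg.attachments:
            flags.append("unfamiliar sender with attachment")
    else:
        # Someone you usually do business with: were you expecting this,
        # and does this person usually send attachments?
        if not msg.expected and (links or msg.attachments):
            flags.append("unexpected link/attachment from known sender")
        if msg.attachments and not profile["sends_attachments"]:
            flags.append("sender does not usually send attachments")

    # Links with no additional message.
    if links and not text:
        flags.append("link with no accompanying message")

    # Spelling errors in the subject or body (links excluded).
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", msg.subject + " " + text)}
    misspelled = sorted(words & MISSPELLINGS)
    if misspelled:
        flags.append("spelling errors: " + ", ".join(misspelled))
    return flags


def verdict(msg: Message) -> str:
    """Per the checklist, anything suspicious goes to IT for review."""
    return "forward to IT" if triage(msg) else "ok"


# Constructed sample inbox.
SAMPLES = [
    Message("accounts@example-client.test", "April invoice",
            "Hi, attached is this month's invoice as discussed.",
            attachments=["invoice-0423.pdf"], expected=True),
    Message("jane.doe@example-clinic.test", "Records",
            "Please review the attached.", attachments=["records.zip"]),
    Message("helpdesk@example-mailer.test", "Password reset",
            "http://example.invalid/reset"),
    Message("billing@example-mailer.test", "Urgant: verifiy your acount",
            "Click http://example.invalid/login imediately"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender:32} {verdict(m):13} {triage(m)}")
```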

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 12: Is Your Firm A HIPAA Enforcement Target?

bull Impose civil and monetary penalties for violations

bull Make referrals to the Department of Justice for criminal prosecution

bull State Attorney General enforcement actions

bull Private Causes of Action

bull Perform audits of law

firms

bull Subject law firms to

compliance reviews

bull HHS can investigate as

far back in history as it

desires

To Breachhellip Or Not To Breach

Fines and Penaltiesbull 1 data breach that violates 1 HIPAA

violation can result in a fine of up to

$15 million

bull Multiple HIPAA violations can come as

a result of 1 data breach ndash Example 3 violation under 1 breach

ndash $15 mil x 3 = $45 million of fines

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 13: Is Your Firm A HIPAA Enforcement Target?

Fines and Penaltiesbull 1 data breach that violates 1 HIPAA

violation can result in a fine of up to

$15 million

bull Multiple HIPAA violations can come as

a result of 1 data breach ndash Example 3 violation under 1 breach

ndash $15 mil x 3 = $45 million of fines

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 14: Is Your Firm A HIPAA Enforcement Target?

bull Stolen Laptop

bull 23000 records breached

bull $25 Million fine ndash State of Minnesota

bull Banned from doing business in MN for 6

years

bull Federal Government- Review for 20 years

bull Shareholder suit - $14 Million

bull Kicked off the NYSE

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 15: Is Your Firm A HIPAA Enforcement Target?

Does This Apply To My Firm

Is your firm doing business on behalf of a

Covered Entity (CE) or on behalf of a Business

Associate (BA) of a Covered Entity

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 16: Is Your Firm A HIPAA Enforcement Target?

How can I protect my firm

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 17: Is Your Firm A HIPAA Enforcement Target?

TEACHEMPLOYEES SOUND IT JUDGEMENT

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 18: Is Your Firm A HIPAA Enforcement Target?

Business Associate Agreements

BAAs are contracts that contain verbiage that holds

the vendor responsible for complying with HIPAA

guidelines

Double Edge Sword-Clients will ask your firm to sign

the BAAs as well

-Indemnity Clause

-Target HVAC company

-Law Firm Indmenification

a sample BAA can be found in your handout

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

Page 22: Is Your Firm A HIPAA Enforcement Target?

EDUCATE EMPLOYEES

• Proper use of smartphones, tablets, laptop computers and any out-of-office device that can be used for work purposes
• How to dispose of physical records: shredding vs. throwing into a dumpster
• IT is part of the team: suspicious emails, alerts and software installations should be reviewed, scanned or approved by your Information Technology staff member(s). These professionals make it their business to know what the bad guys are up to.

Page 23: Is Your Firm A HIPAA Enforcement Target?

A Breach Occurred - Now What?

Page 24: Is Your Firm A HIPAA Enforcement Target?

Breach Notification Rule

Breaches are to be notified within 60 days of discovery, not of when the breach actually occurred.

Parties to be notified:
• Covered Entity
• Individuals whose PHI has been compromised
• The Secretary of Health and Human Services
• The Media, for breaches that compromise 500+ individuals

Page 25: Is Your Firm A HIPAA Enforcement Target?

Cost of a Breach

• The average cost per record of a data breach in the US is $200; multiply that by a loss of 10,000 records and we are at a cost of $2 million.
• At that rate it is no wonder that 60% of small businesses close within 6 months of a cyber attack.

Source: House of Representatives Small Business Subcommittee on Healthcare and Technology

Page 26: Is Your Firm A HIPAA Enforcement Target?

How can my firm recoup these losses?

Page 27: Is Your Firm A HIPAA Enforcement Target?

COVERAGE COMPARISON

Page 28: Is Your Firm A HIPAA Enforcement Target?

LPL With Cyber Coverage

• Only covers claims that come into the Insured from a 3rd party
• Your firm's losses: not covered
  - No reference to breach notification costs, indemnification, reputation damage or damage to firm hardware or software
  - Mentions HIPAA and other regulatory bodies but will not pay for the fines we referenced

Page 29: Is Your Firm A HIPAA Enforcement Target?

Exclusions to Avoid

• Encryption Exclusion
• Failure to Maintain
• Failure to Upgrade
• User Error
• Rogue Employee

Page 30: Is Your Firm A HIPAA Enforcement Target?

How Your Computer Gets Hacked In Under a Minute

Source: Bloomberg News, Sept 26, 2013

Page 31: Is Your Firm A HIPAA Enforcement Target?

• http://map.ipviking.com
• http://globe.cyberfeed.net

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 19: Is Your Firm A HIPAA Enforcement Target?

HIRE AN IT LAW FIRM

Law firms that specialize in IT can perform an audit of your

firmrsquos security measures

It affords protection of Attorney-Client Privilege in the event of an investigation of a breachviolation

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 20: Is Your Firm A HIPAA Enforcement Target?

Company Data Breach Policies

Desktop PolicySystem Use

Policy

Personal

Devise Policy

Virus Hostile

and Malicious

Code Policy

Internet Use

Policy

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 21: Is Your Firm A HIPAA Enforcement Target?

EMPLOYEE CHECKLIST

PASSWORDS Keep your passwords secure and secret

Passwords should be at least 7 characters long They should also include at least one capital letter number and

special character

NETWORK SECURITY Is everybodyrsquos responsibility

ldquoLockrdquo your computer workstation every time you get up from your desk Holding down the Windowrsquos key and

pressing ldquoLrdquo will require your password before anyone can access files or information on your workstation

without closing out of programs

Follow the businessrsquos guidelines about acceptable use of personal devices downloading software to your work

computer and transfer of sensitive data

RECOGNIZE FRAUD If it seems phishy it probably is

Emails from unfamiliar senders should be looked over carefully before you click a link open an attachment or

download a document

If it is an email from someone you usually do business with were you expecting this email Does this person usu-

ally send attachments have spelling and grammar errors or send links with no additional message

How to spot a phishing emailwebsite

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 22: Is Your Firm A HIPAA Enforcement Target?

bull Proper use of smartphones tablets laptop computers and any out-of-office device that can be used for work purposes

bull How to dispose of physical recordsndash Shredding vs throwing into a

dumpster

bull IT is part of the team ndash Suspicious emails alerts and so1048908

ware installations should be reviewed scanned or approved by your Information Technology staff member(s) These professionals make it their business to know what the bad guys are up to

EDUCATE

EMPLOYEES

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 23: Is Your Firm A HIPAA Enforcement Target?

A Breach Occurred- Now What

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 24: Is Your Firm A HIPAA Enforcement Target?

Breach Notification Rule

Breaches to be notified within 60 days of discovery

not when the breach actually occurred

Parties to be notifiedbull Covered Entity

bull Individuals whose PHI has been compromised

bull The Secretary of Health and Human Services

bull The Media ndash breaches that compromise 500+ individuals

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 25: Is Your Firm A HIPAA Enforcement Target?

Cost of a Breach bull The average cost per record of a data breach in

the US is $200 you multiply that by a loss of 10000

records we are at a cost of $2 million

bull At that rate it is no wonder that 60 of small

businesses close within 6 months of a cyber attack

House of Representatives Small Business

Subcommittee on Healthcare and Technology

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 26: Is Your Firm A HIPAA Enforcement Target?

How can my firm recoup these losses

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 27: Is Your Firm A HIPAA Enforcement Target?

COVERAGE COMPARISON

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 28: Is Your Firm A HIPAA Enforcement Target?

LPL With Cyber Coveragebull Only Covers Claims that come into Insured from 3rd party

bull Your Firmrsquos Losses Not coveredndash No reference to Breach Notification Costs Indemnification Reputation Damage or

Damage to Firm Hardware or Software

ndash Mentions HIPAA and other regulatory bodies but will not pay for fines we referenced

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 29: Is Your Firm A HIPAA Enforcement Target?

Exclusions to Avoid bull Encryption Exclusion

bull Failure to Maintain

bull Failure to Upgrade

bull User Error

bull Rogue Employee

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 30: Is Your Firm A HIPAA Enforcement Target?

How Your Computer Gets Hacked In Under a Minute

Source Bloomberg News ndash Sept 26 2013

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 31: Is Your Firm A HIPAA Enforcement Target?

bull httpmapipvikingcom

bull httpglobecyberfeednet

CHARLIE BERNIER Esquire

CEBernierecbmcom

Ph 6103046553

wwwecbmlegalcom

prepared for the ALA by

Page 32: Is Your Firm A HIPAA Enforcement Target?

CHARLIE BERNIER, Esquire
CEBernier@ecbm.com
Ph: 610.304.6553
www.ecbmlegal.com

prepared for the ALA by