Tuesday, June 19, 2012

Briskin, Cross & Sanford, LLC

HIPAA/HITECH Breach Notification Rules enforcement on the upswing – Are you prepared?

Enforcement of HIPAA/HITECH Breach Notification Rules and related regulations is being significantly stepped up. As a consequence of the new fines and penalties associated with the HIPAA/HITECH Privacy Rule, being prepared in advance for an audit is becoming increasingly critical for covered business entities.
Enforcement of the new HIPAA Breach Notification Rule is a big deal. In the past, audits had been performed only at entities against whom a complaint had been filed. Under the new rule, audits are called for whether or not a complaint against the entity has been lodged. This means that HHS can show up at a covered entity’s door and perform an audit on short notice… and woe to the entity which is not ready.
If a business is not ready for such audits, it can be subject to new, significantly higher fines, including a mandatory minimum of $10,000 for willful neglect of compliance. These fines can, in fact, go up to $50,000 per day. All HIPAA Covered Entities and Business Associates need to be fully in compliance and prepared for an audit at any time, or risk the penalties for non-compliance.
In some cases, multi-million dollar fines are possible. Recent enforcement actions have included a one-million dollar settlement for a breach of only 192 records, as well as another in which a small, two-doctor medical office ended up entering into a $100,000 settlement with HHS over its lack of Security Rule compliance. It appears that the days of “slap-on-the-wrist” penalties are over; much larger fines and settlements are being levied, with more on the way.
The take-away for covered entities is that, if your compliance and audit preparation with respect to HIPAA/HITECH issues is not at 100%, now is the time to get it there, before it is too late!

Hacked companies fight back with controversial steps | Reuters

This is an interesting, timely, and valuable piece examining how companies are dealing with the growing onslaught of commercial cyber-attacks.
Gone are the days when a company could take for granted that a firewall and updated anti-virus software were enough to keep its data safe.
Increasingly, companies are taking more proactive, and even retaliatory, actions to deal with this onslaught.
Needless to say, companies must tread a careful line here, lest they incur liability for their own actions.
In any event, this is a good read to stimulate thought about how companies are coping with increasing cyber-security threats. Is your strategy up to the task? It’s a question you cannot afford not to ask yourself!

Monday, January 3, 2011

WikiLeaks Threatens Bank Exposure: Highlights Danger of Internal Leaks

The New York Times today posted an article regarding the web site WikiLeaks' recent threats to expose information that it has obtained regarding the internal workings of a major U.S. bank. [The article may be found here: NYT WikiLeaks Article] It is widely believed (although it is not confirmed) that the bank in question is Bank of America. The article discusses some of the actions being taken by BoA to insulate itself or at least mitigate any damage from the exposure of sensitive internal data.

There are two instructive lessons highlighted by this story. First: many such leaks of companies' sensitive information come as a result of internal leaks (or at least internal carelessness) as opposed to hacks from the outside. This ever-present threat makes clear the need for any company dealing with sensitive information to ensure that it has not only good computer security, both internally and externally, but also good policies, procedures, and controls in place for the internal handling of sensitive information. Such policies can help compartmentalize access to sensitive data, making leaks or losses less likely. They can also limit the scope and impact of any such leaks or losses. Perhaps just as importantly, they can make identifying the source of a leak or loss easier, helping to deal with a current incident and to prevent future ones.

The second point that this story raises (implicitly at least) is the incredible cost that a company may incur in dealing with data loss or data breach issues. BoA is bringing to bear staff from multiple departments (accounting, legal, and IT, just to name a few), as well as outside consultants, just to deal with the possibility that the data in question is theirs. Much of the expense and difficulty facing BoA could have been avoided, or at least minimized, by effective policies and controls in their data handling. This is a lesson not only for huge corporations but for small and medium-sized businesses as well. Perhaps the lesson is even more acute for SMBs. BoA has the budget for dealing with a crisis of this magnitude. Does your company?

Possession of sensitive data on even a small scale can represent a significant legal liability for a business of any size. Don't let your business become road-kill on the information superhighway. 

Take the time to ensure that your business has not only the tools, but also the plans necessary to handle sensitive data properly and to deal with circumstances where it becomes exposed.

Wednesday, December 22, 2010

Hacked Sightseeing Company may be the first Major Test of Massachusetts Data Privacy Law

Threatpost, Kaspersky Lab's security news blog, reported today that a New York-based tour company whose web site was hacked, exposing customer credit card information, may be the first real test of Massachusetts' stringent new data privacy laws. See the full article here.

The Massachusetts law, which went into effect on March 1, 2010, is particularly aggressive as it covers the treatment of sensitive data of Massachusetts citizens by individuals and companies outside of Massachusetts.

This case is likely to be instructive of the dangers faced by companies which handle and/or retain sensitive data, and points up the need to have comprehensive policies and procedures to deal with data handling and, in worst-case scenarios, data breaches.

Unfortunately, the Massachusetts data privacy law makes it clear that these policies and procedures must be compliant not only with local laws, but also with the laws of other jurisdictions, such as Massachusetts, which extend the reach of their privacy laws beyond their own borders.

All of this raises the question: Are your company's data policies and procedures up to date and sufficient to protect your company? If not, or if you are not sure, the time to remedy this is now!

Wednesday, March 17, 2010

Interesting Article on Data Retention in the Medical Industry

I follow a number of blogs and other online publications dealing with business, technology, and data privacy issues. I recently came across an interesting article on data retention practices on a blog called "Life as a Healthcare CIO". The article discusses a number of the issues that businesses (both within and outside the medical industry) who deal with sensitive data struggle with. Here is a link to the article:

This article gives a good sense of the importance of having well thought-out policies and procedures for data handling and retention, both from a purely technological standpoint and from a legal and risk-management standpoint.

Hopefully it will stir your thoughts on these issues.

Thursday, March 11, 2010

Give your company’s employment policies a “self-check”

As I am fond of repeating, “An ounce of prevention is worth a pound of cure.” Maintaining and following good, current employment policies and procedures is one of many things that businesses can and should do on an ongoing basis to reduce the likelihood that they will be sucked into the quagmire of disputes (or worse, lawsuits) with their employees. As part of a good legal and risk-management regime, it is a good idea for companies to perform a periodic “self-check” on their policies and procedures. (Note that such a “self-check” is not a substitute for getting regular advice from a qualified attorney, but it is a helpful adjunct, and well worth a company’s time and effort.)

Identified below are a few areas which companies should think about when performing a self-check and in discussing with their attorney what sort of policies and procedures make the most sense for them: 

1. Review the company’s classification of employees as exempt from overtime under federal and state wage and hour laws. Lawsuits and investigations based on improper classifications of employees can result in significant awards against employers. For a quick overview of proper classification standards, go to the U.S. Department of Labor’s Fairpay website at www.dol.gov. If your classifications are not in compliance, it is important to fix them promptly.

2. Review the company’s harassment policy with employees. Incorporate a review of the company’s discriminatory workplace harassment policy in the first employee meeting of the new year. Reviewing the harassment policy periodically with employees reminds employees what behavior is not tolerated, shows that the company takes harassment issues seriously, and can bolster the employer’s defenses to most harassment claims. Be sure to include a prohibition on harassment on the basis of genetic information under the Genetic Information Nondiscrimination Act (see below).

3. GINA compliance. The Genetic Information Nondiscrimination Act of 2008 (GINA) restricts the collection and use of genetic information by group health plans, insurers, employers and labor organizations. Title II of GINA, which applies to employers and labor organizations, went into effect on November 21, 2009. Title I of GINA, covering group health plans, is effective for plan years beginning on or after December 7, 2009. Genetic information includes, but is not limited to, family medical history and genetic diseases for which an employee believes he or she might be at risk. The restrictions in GINA can affect how employers run wellness programs, including prohibiting incentives, such as premium discounts, rebates, or other rewards, for employees who complete a Health Risk Assessment for the wellness program. In addition, employers may not discriminate against employees or applicants on the basis of genetic information or retaliate against individuals who oppose practices made unlawful by GINA. Employers should update their Equal Employment Opportunity and harassment policies to cover genetic information, revise hiring and medical examination practices to ensure that they do not request prohibited genetic information, ensure that their record-keeping practices protect the confidentiality of any genetic information that may be provided by an employee, and post the supplement to the “Equal Employment Opportunity is the Law” poster. The supplement for the poster can be found at http://www.eeoc.gov/employers/upload/eeoc_gina_supplement.pdf.

4. FMLA compliance. If your company has 50 or more employees, make sure that you post the FMLA poster that the US Department of Labor issued in 2009. Update your FMLA forms and policies, if you have not done so already. The DOL prototype poster can be found at http://www.dol.gov/whd/regs/compliance/posters/fmla.htm (Check whether you are in compliance with other federal posting requirements by using the DOL compliance advisor at http://www.dol.gov/elaws/posters.htm).

5. Review and revise your company’s written vacation policy. Review your company’s written vacation policy to ensure that the policy provides proper notice of forfeiture, carryover, and accrual of vacation consistent with company practice, or to make any desired changes before employees accrue vacation in the new year. In most states, employers are required to provide vacation benefits according to their policies. This means that if a policy provides that employees are awarded vacation hours at the beginning of the new year but does not state that employees forfeit accrued vacation on termination, the employee can quit on January 2, 2010 and be entitled to pay for his accrued unused vacation. Note that specific rules apply in some states (such as California) prohibiting forfeiture of any accrued vacation, even with notice.

6. Update your company confidentiality agreement and have employees who have access to company confidential information sign a copy. A strong nondisclosure and confidentiality agreement is a key way to protect your company’s proprietary information against any employees who attempt to depart with important company records. The economic upheaval of the past few years has made competition stiffer and has made employees facing termination more willing to take risks in order to obtain employment elsewhere. As a result, there has been a corresponding surge in employees taking their employer’s confidential, proprietary, and trade secret information to use in new employment. The laws on what a confidentiality agreement can and cannot contain vary from state to state. For this reason, it is important to check the applicable law in the states where you have employees. It is also helpful to review your confidentiality agreements and policies to ensure they do not prohibit employees from discussing their wages or terms and conditions of employment with their fellow employees. Although employers can prohibit disclosure of confidential pay strategies and plans to outsiders, a prohibition on employees discussing terms and conditions of employment may be viewed by the National Labor Relations Board as an interference with concerted activity and a violation of the labor laws, even if your company is not unionized.

7. Institute other processes and protections for confidential information and trade secrets. Implement policies requiring storage of any hard copies of sensitive documents in locked cabinets. Password-protect electronic copies. Consider implementing clean-desk rules and prohibiting or limiting removal of confidential records from the office. Restrict access to sensitive documents to those employees who need to know the information to do their jobs. These steps do not replace the benefits of having a good confidentiality agreement with employees. Rather, they enhance protections against employee misappropriation and may be essential in maintaining legal protection of trade secrets. These steps also dovetail with companies’ efforts to comply with state and federal data privacy and protection laws.

8. Data Privacy and Protection compliance. Data privacy and protection laws are quickly coming into being at both the state and federal levels. It is important that businesses understand what laws and regulations may apply to them and to the data they collect and retain. Good, detailed data privacy and data protection policies and procedures which address the collection, retention, safeguarding, and destruction of sensitive information (including but not limited to customer information, credit card numbers, social security numbers, and employee healthcare information) are increasingly essential. It is important not only to have such policies but to make employees aware of them and to monitor compliance. Consider reviewing these policies and procedures with employees annually, and conducting regular, periodic internal check-ups to ensure compliance.

9. Update your technology resources policy. Increasingly, employees are downloading, transferring, destroying, or emailing to their home computers and portable storage devices confidential or sensitive company information. The federal Computer Fraud and Abuse Act (and similar laws in some states) prohibits such conduct when it is unauthorized. A good technology resources policy (covering computer, internet, telephone, and email systems use) can help employers succeed on CFAA claims by clearly defining what actions by an employee are unauthorized. A well-worded policy can give employers a powerful investigation tool by making clear that employees do not have a right to privacy in their use of these resources and by requiring employee consent to employer searches of employee computers and other devices. It is important to note, however, that the law on workplace privacy and employers’ ability to monitor their employees’ use of company technology resources is constantly evolving. A periodic review of these types of policies by a qualified and experienced lawyer is essential. There has also been an increase in employees harming their employers’ reputation — and even disclosing trade secrets — through postings on blogs, social networking websites, and video sharing websites. A good technology resources policy can address what sorts of uses of such social media outlets are proper and provide a basis for discipline if misuse does occur. It can also help a company harness the power of its employees’ use of social media to benefit the company, if properly implemented. If your company does not already have a technology resources policy, implement one sooner rather than later.

10. Make sure your health care plan provides required notices to employees regarding Michelle’s Law. Michelle’s Law, effective for plan years beginning on or after October 9, 2009, amends ERISA to allow dependent college students who are seriously ill or injured to take up to a year of medical leave without losing their health insurance coverage. Group health plans must receive written certification by the student’s treating physician stating that the child is suffering from a serious illness or injury and that the leave, or change of enrollment, is medically necessary. A student on leave is entitled to the same benefits that he or she would have received if the leave had not been taken. The extended coverage may end earlier if the student ages out of dependent eligibility by exceeding the plan’s normal dependent eligibility age. Plans must provide notice of the Michelle’s Law requirements with any notice requiring certification of student status for coverage under the plan.

11. Conduct an internal I-9 audit. Ensure that your company has verified work authorization for every employee hired on or after November 6, 1986, and that the company has filled out and kept a Form I-9 for each such employee. In November 2009, U.S. Immigration and Customs Enforcement (“ICE”) announced that it was issuing more than a thousand new I-9 audits of U.S. employers. Don’t wait until you receive a notice that you are being audited by ICE to find out whether you have a problem.

Keep in mind that even the best policies and procedures need to be reviewed and updated regularly, as employment law is constantly evolving, laws and regulations are being amended, and new laws and regulations are coming into existence. For example, final EEOC regulations on the Americans with Disabilities Act Amendments Act (the ADAAA) are expected sometime in 2010 and will likely further broaden the class of employees and applicants covered by the protections of the ADAAA. Employers need to carefully assess an employee’s or applicant’s condition before refusing to offer or provide a reasonable accommodation.

It is important to understand that this list is by no means intended to be an exhaustive list of issues for employers to consider in implementing and maintaining good employment policies and procedures. Rather, these are just a few of the key areas that often present serious problems for employers when they either fail to create or fail to implement appropriate policies.

While keeping up with good employment policies and procedures can seem cumbersome, remember that the cost (both in real dollars and in opportunity cost) of even a single dispute arising out of employment law issues can dwarf the costs of implementing and updating good policies. As always, an ounce of prevention is worth a pound of cure.

Wednesday, March 10, 2010

Study Shows: Data Breach Costs Exceed $200 Per Customer Record

A recent article in NetworkWorld (link: http://www.networkworld.com/news/2010/012510-data-breach-costs.html) discusses a new study which has revealed that the average cost to a company suffering from a data breach in 2009 has risen to approximately $204 for each customer record compromised.

Placing such concrete numbers on the costs associated with data breaches both underscores the potentially devastating effects of a data breach on a company and highlights the cost-effectiveness of solid data protection, privacy protection, and data security policies and procedures.

Monday, December 21, 2009

BCS makes new law regarding corporate debt collections

On November 18, 2009, the Georgia Court of Appeals embraced the argument put forward by the law firm of Briskin, Cross & Sanford, LLC and established a significant new precedent in civil litigation.

Law firm partners Alan Briskin and Byron Sanford succeeded in convincing the Court to extend existing case law to restrict judgment debtors from fraudulently transferring assets to avoid collection on court judgments. This decision makes strides to protect the ability of individuals and businesses to collect sums awarded to them by the courts, arguably one of the most burdensome issues faced by parties seeking justice through the civil courts.
Byron Sanford stated, "In civil lawsuits, justice is served not through the mere verdict of the court, but through the ability of the winning party to benefit from the court's judgment in its favor. In most cases, the burden of collecting the benefits justly granted by the court falls on the shoulders of the winning party, whose available instruments for collection are costly and limited by their available means."

This transfer, which significantly diminished the value of the court-levied stock and the winning party's ability to collect on the awarded sums, was declared by the trial court to be unlawful and not authorized by proper corporate authority since the stock was in the hands of the sheriff.

In arguing before the Court of Appeals, Briskin and Sanford sought to have the trial court's ruling upheld and to have the Court of Appeals restrict transfers by the corporation while its stock was under levy by the trial court. In its ruling, the Georgia Court of Appeals agreed with the arguments set forth by Briskin and Sanford and declared that such transfers are void and without effect. The Court further agreed with the position of Briskin and Sanford that the trial court had both the jurisdiction and the authority to void this sale of assets.

Regarding the Court of Appeals' ruling, Sanford further stated, "Our firm is deeply gratified with this ruling on behalf of our client. We are proud to have had a part in extending Georgia precedent to prevent judgment debtors from using fraudulent transfers to avoid the duties imposed upon them by law."