HIPAA Compliance for Medical Practices
59.9K views | +9 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

How HIPAA applies to the burgeoning world of mobile health

How HIPAA applies to the burgeoning world of mobile health | HIPAA Compliance for Medical Practices | Scoop.it

The federal regulatory environment has not kept pace with the progress of mobile health. Mobile health is driven by consumers who expect to have all sorts of information, including health data, on their phones, said Jeffrey Dunifon, an associate attorney at Baker & McKenzie who previously was an investigator at the Department of Health and Human Services Office for Civil Rights.

 

 

To help healthcare provider organizations and mobile developers navigate the HIPAA waters, Dunifon points to the HIPAA Questions Portal at hipaaqsportal.hhs.gov, which was launched by HHS. Providers and developers ask questions, HHS provides answers, said Dunifon, who spoke today at the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles during a session entitled "HIPAA and mHealth: Key Challenges and Solutions."

 

 

"Key issues covered on the site include businesses regulated by HIPAA, information covered by HIPAA, and HIPAA compliance measures," Dunifon said.

When it comes to mobile health, or mHealth, it's important to fully understand the entities covered by HIPAA. These include healthcare providers, health plans and clearinghouses.

"Less clear, though, is when a company becomes a business associate under HIPAA," Dunifon explained. "A business associate is any entity that accesses or discloses protected health information for or on behalf of a covered entity or another business associate. This is very relevant in the developer environment."

 

 

Examples of businesses and tools that could require a business associate agreement, according to Dunifon, include:

 

  • A cloud services vendor that hosts PHI. "OCR has said in no uncertain terms that if an organization is using a cloud services vendor to host PHI, it needs a business associate agreement," Dunifon said.

 

  • An electronic health record developer that accesses PHI to help troubleshoot technical issues. "This is more on the routine side of the business associate definition, a company that has routine, ongoing access," he said.

 

  • A live translation mobile app used between healthcare providers and patients. "If an organization is using an iPhone or iPad on a live basis to have conversations between patients and providers discussing PHI, that needs to be covered by a business associate agreement," Dunifon said.

 

  • A patient appointment scheduling and payment mobile app. "If a provider offers to let patients schedule an appointment or pay for an appointment, that app developer needs to be covered by a business associate agreement," he said. "That can be a little confusing sometimes because there's not a clear health element to it."

 

  • Remote medical devices or apps sharing health indicators. "If you have a medical device someone is wearing that's sending information to an app, which is sharing that with the healthcare provider, and the app company is playing a role in transmitting or maintaining that information, that may be PHI covered by HIPAA," Dunifon said.

 

 

"In mobile health, if a consumer is paying for a product, it might not be PHI," he added. "But if it is being tracked by a covered entity, then it may be PHI."

 

 

Dunifon pointed conference attendees to a variety of resources to help with HIPAA compliance and mHealth, including the National Institute of Standards and Technology's Special Publications, the HHS Office for Civil Rights, HIMSS and Baker & McKenzie.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Hospital email hack compromises PHI of 4,400 patients

Hospital email hack compromises PHI of 4,400 patients | HIPAA Compliance for Medical Practices | Scoop.it

Hackers gained access to the email accounts of employees at St. Mary’s Health in Evansville, Indiana, by uncovering their usernames and passwords. The hack exposed the PHI of nearly 4,400 St. Mary’s patients, according to a breach notice.

What’s more, some have speculated that St. Mary’s may have violated the HIPAA Breach Notification Rule as it appears it did not notify individuals of the breach within 60 days of initial discovery. On December 3, 2014, St. Mary’s learned that its employees’ usernames and passwords were compromised. After launching an investigation, the healthcare facility discovered January 8 that the compromised email accounts contained patient PHI. St. Mary’s posted a breach notification letter on its website March 5 stating that it would also notify affected individuals by mail and alert media outlets.

PHI linked to the compromised email accounts included:

    Names
    Dates of birth
    Gender
    Dates of service
    Insurance information
    Limited health information
    Some Social Security numbers


more...
No comment yet.
Scoop.it!

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States

Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States | HIPAA Compliance for Medical Practices | Scoop.it

A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held the HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C., should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information.  Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.
While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year.  But most of the litigation to-date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies.  Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing. 

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise. More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it is also is preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent." Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions. In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute.  Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty. 

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.


more...
No comment yet.
Scoop.it!

Your Right to Know: Health Data Often Kept Secret

Recently, I was told by a court official in Outagamie County that federal law prohibited the release of the name of a man I had just heard speak in open court.

He was a participant in the county’s Drug and Alcohol Treatment Court. He had been charged with driving while intoxicated as a fourth offense, but was offered a chance to go through a treatment program instead of serving jail time.

I attended the proceeding as a reporter for the Appleton Post-Crescent, working on a story for Gannett Wisconsin Media’s statewide probe into repeat drunken drivers. The man had made a point about the costs of the program and I wanted to verify his charge history.

But when I asked for his name, the court official said it could not be released, citing the federal Health Insurance Portability and Accountability Act of 1996. That law, commonly called HIPAA, protects private health information.

It also, as this episode attests, is often misapplied.

In this case, there was no valid reason for withholding the man’s name, and after a discussion with the circuit judge, I was able to obtain it. I ended up using his comment but not naming him in my story.


This was a public program, run by publicly paid officials, involving criminal defendants serving court-ordered sentences. The decision of whether to use this person’s name should be up to the media, not the court official.

As the Reporters Committee for Freedom of the Press has noted, HIPAA remains a “prickly” obstacle for journalists. To help reduce conflicts and confusion, the group has sorted out just who and who isn’t impacted.

Health care organizations like hospitals, life insurers, ambulance services and public health authorities are all subject to HIPAA rules. Firefighters, police, court officials, reporters and patients themselves are not.

Neither are public officials who have nothing to do with the delivery of health care services. And yet, in one instance, a Louisiana State University representative told reporters he couldn’t discuss a player’s knee injury. “Due to these new medical laws, our hands are tied,” the official said.

Often, the most valuable information available to reporters is found on health facility directories, which are not protected by HIPAA. Hospitals may release an individual’s name, location in the facility and general condition. HIPAA also doesn’t bar reporters from interviewing patients in a waiting room.

Statistical information related to hospitals, including their billing data, is not covered by HIPAA. Much of this information can be released electronically without names attached.

The Association of Health Care Journalists has produced another useful list of what HIPAA does not protect, including police and fire incident reports, court records, birth and autopsy records.

Felice Freyer, the association’s treasurer and a member of its Right to Know Committee, said HIPAA overreach is widespread.

“Often times, people are unsure about the law and can’t be bothered to check so it’s easier to say ‘no’ and refer to HIPAA,” said Freyer, a health care reporter for the Boston Globe. “Frequently, hospitals say they can’t let you talk to a patient, but that’s not true.”

No one disputes that people have a right to privacy when it comes to personal medical matters. But that right should not be taken to absurd lengths, beyond what the law prescribes.



more...
No comment yet.
Scoop.it!

Will 2016 be Another Year of Healthcare Breaches?

Will 2016 be Another Year of Healthcare Breaches? | HIPAA Compliance for Medical Practices | Scoop.it

As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders isAFTER they have been compromised.”

 

This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches are further evidence there is a ‘New Normal’ of security acceptance — a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal household names were compromised, one would think security controls would be on the forefront of every healthcare action list. Why then are we seeing more reports on healthcare breaches, year after year? 

 

This idea comes from the fact that, due to a lack of enforcement, acceptable penalties, and a culture of risk mitigation, more breaches are to be expected in the healthcare industry. Until stricter enforcements and penalties are implemented, a continuation of breaches will occur throughout the industry.

 

The Office of Civil Rights (OCR), the agency overseeing HIPAA for Health and Human Services, originally scheduled security audits for HIPAA to begin in October 2014. Unfortunately, very few audits have occurred due to the agency being woefully understaffed for their mandate covering the healthcare industry, which accounts for more than 17 percent of the U.S. economy.

 

Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy, Deven McGraw, announced the launching of random HIPAA audits. In 2016, it is expected 200 to 300 covered entities will experience a HIPAA audit, with at least 24 on-site audits anticipated. However, this anticipated figure only accounts for less than one percent of all covered entities —not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.

 

Organizations within the industry are approaching cybersecurity from a cost/benefit perspective, rather than how this potentially affects the individual patients. For payers who have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? This issue is similar to the financial services industry’s protocol when an individual’s credit card has been compromised and then replaced, or when individual’s want to close down a bank account due to poor service: Does anyone really want to go through the frustration with an unknown company?

 

For some of the more well-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) has already been shared on the cybercriminal underground market. In the meantime, customers receive their free two-year’s worth of personal security monitoring and protection. Problem solved. Right?

 

The Cost of Doing Business?

When violations occur, the penalties can sting, but it’s just considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine to turn around and have another HIPAA violation in January 2015..

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to prove they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR will possibly discover areas for fines, but this can be a difficult process. Essentially, accruing a fine after a cyberattack or breach is relative.

 

A more recent $750,000 fine in September 2015 with Cancer Care group was settled, but the occurrence happened in August of 2012 — nearly three years later. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn’t settled until 2014 for $4.8 million. Lahey Hospital and Medical Center’s 2011 violation was only settled in November 2015 for $850,000. With settlements taking place several years after an event, settling may appear to be a legitimate risk assessment, further reinforcing the ‘New Normal’ of cybersecurity acceptance.

 

At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied with, “If we had to put in to place the expected security controls, we would be out of business.”

 

Simply put: The risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

more...
Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...
Elisa's curator insight, April 2, 2016 5:47 PM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...
Scoop.it!

Risk Management Lessons from Anthem Hack

Risk Management Lessons from Anthem Hack | HIPAA Compliance for Medical Practices | Scoop.it

The recent cyber-attack against health insurer Anthem Inc. which exposed a database that reportedly contained information on as many as 80 million individuals, is a "call to action" for the healthcare sector to adopt a much more sophisticated approach to risk management, says security expert Lisa Gallagher.

Healthcare organizations need to have "a very near-term focus on understanding this cyberthreat that we're facing, and the kinds of things needed to address it" says Gallagher, vice president of technology solutions at the Healthcare Information and Management Systems Society.


That heightened focus requires taking critical measures, including sharing cyberthreat information with healthcare sector peers as well as government agencies, Gallagher says in an interview with Information Security Media Group.

"This is something that we have to focus on every day, so that you don't just do a risk analysis and be done," she says. "[Rather] you're monitoring for risks and threats every day. That's part of what we have to do to protect the data assets that we have. It's really time to come together to have an approach to deal with cyberthreats across the industry."

Gallagher stresses that healthcare organizations "need to get to the next level of sophistication in the types of analysis we do, such as ongoing security risk assessments; deploying network monitoring and detection tools; and conducting fuller forensics analysis, including post-risk analysis on any kind of breach." It's also critical "to understand the threat actors, their motivation, and what they're after, why, and how to protect against that," she says.

The bottom line: "This is a call to action for a whole new paradigm to face the cybersecurity risk that we're facing," Gallagher says.

In the interview, she also discusses:

  • Why the healthcare sector is becoming a bigger target for hackers;
  • The use of encryption and other safeguards to protect health data stored in databases - Anthem has reportedly said data in its hacked database was not encrypted;
  • Advice for consumers affected by the Anthem breach.

Before becoming HIMSS' vice president of technology solutions, Gallagher was the association's senior director for privacy and security. In her current role, she is responsible for HIMSS' efforts in business and financial systems; privacy and security; cloud computing; identity management; and other technology areas. She's also a member of the Health IT Standards Committee, which advises the Office of the National Coordinator for Health IT.


more...
No comment yet.
Scoop.it!

$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware | JD Supra

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced on December 8, 2014 that a community behavioral health organization agreed to pay $150,000 and adopt a corrective action plan to settle potential violations related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In March 2012, Anchorage Community Mental Health Services (ACMHS) notified OCR regarding a breach of unsecured electronic protected health information from malware that compromised the security of ACMHS’ information technology resources. The breach affected 2,743 individuals. ACMHS is a five-facility, non-profit organization providing behavioral health care services in Alaska.

As part of its investigation, OCR noted that ACMHS had adopted HIPAA security rule policies and procedures in 2005, but ACMHS did not follow these rules. As part of the Resolution Agreement, OCR stated that for almost seven years, “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability” of its electronic protected health information. During that same time period, OCR stated that ACMHS did not implement policies and procedures requiring implementation of security measures. During a four-year period, ACMHS did not implement technical security measures to guard against unauthorized access to electronic protected health information that was transmitted over an electronic communications network by “failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In early December 2014, ACHMS agreed to enter into a Corrective Action Plan (CAP) with HHS. The two-year CAP requires ACHMS to revise its security rule policies and procedures and distribute them to all workforce members who use or disclose electronic protected health information; provide general security awareness training materials for all workforce members, and conduct an annual “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information. ACHMS is required to provide annual reports to HHS of its compliance with the CAP.

In the press releasing announcing the resolution with ACMHS, HHS emphasized that successful HIPAA compliance includes, “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

This is the sixth resolution agreement announced by OCR in 2014. Overall, HHS has entered into 21 resolution agreements relating to HIPAA compliance. HIPAA compliance continues to be a focus of OCR activities.



more...
No comment yet.
Scoop.it!

Does your company have insurance coverage for a data breach?

Does your company have insurance coverage for a data breach? | HIPAA Compliance for Medical Practices | Scoop.it

According to the Ponemon Institute, the average total organizational cost for a data breach in the United States in 2014 is $5.85 million. Forbes reports that Target has incurred costs of $236 million related to the December 2013 breach, with some analysts predicting the total cost of the breach including attorneys’ fees and liability from lawsuits to exceed $1 billion. Some of Target’s costs will be offset by applicable insurance policies, but the financial impact will be prodigious. The frequency and cost of data breaches is growing exponentially, yet cyber insurance premiums make up only a fraction (less than 1/600) of the world’s total non-life insurance premiums. In light of the recent tidal wave of breaches, it is essential that your company has adequate insurance to cover a data breach.

Many companies have comprehensive general liability (CGL) insurance policies and assume that they are protected. While there are circumstances under which CGL polices cover losses related to a data breach, courts have been inconsistent on deciding whether these policies cover data breach losses. There are limited court decisions on this issue; however, the courts have gradually shifted from favoring the policyholders to favoring the insurance carriers. It is therefore important to understand how the courts have recently ruled on questions of insurance coverage for cyber losses.

In February 2014, a New York state court ruled that Zurich American Insurance Company did not have a duty to defend Sony under a CGL policy for liability arising out of the hacking of Sony’s PlayStation online services. The court analyzed the portion of the CGL policy providing coverage for “oral or written publication in any manner of material that violates a person’s right of privacy.” The court found that the hackers’ act of taking personal information constituted a “publication,” but coverage did not apply because the hackers, not Sony, were the actual “publishers.” The court ultimately concluded that “publication in any manner” did not include the actions of the third-party hackers.

CGL coverage for a data breach was denied in a 2014 Washington case on different grounds. A class action was filed against Coinstar for the marketing and dissemination of customers’ personal information, alleging that this use of customers’ personal information by a Coinstar subsidiary constituted a violation of the federal Video Privacy Protection Act. Coinstar’s insurer, National Union Fire Insurance Company, filed a declaratory judgment action asking the court to find that there was no insurance coverage. The Washington District Court ruled that an exclusion in the CGL policy for violation of a statute “that addresses or applies to the sending, transmitting or communicating of any material or information, by any means whatsoever” precluded coverage for the allegations concerning the Act.

Both of these cases contradicted a 2013 California decision finding coverage under a Hartford Casualty Insurance Company CGL policy for a data breach involving the unauthorized posting of approximately 20,000 patients’ private health information on a public website. In that case, the California District Court ruled that the insurer, pursuant to its CGL policy, was liable for damages caused by personal and advertising injury, which included “oral, written or electronic publication of material that violates a person’s right of privacy.”

Because of the inconsistencies in the courts’ policy interpretations, most new CGL polices contain explicit cyber-exclusions and will not provide data breach coverage unless cyber endorsements are selected. As such, companies need to carefully review their policies and confirm that cyber coverage is included. It is of paramount importance that companies familiarize themselves with their business partners’ cyber insurance coverage. As we have learned from recent large-scale data breaches like the Target breach, third party vendors with access to confidential customer information present a vulnerability to companies that are otherwise well-protected. In order to ensure that your company is not liable for a vendor’s shortcoming, vendor contracts should contain warranties for compliance with privacy laws, specific indemnification provisions for data breaches, and the requirement that vendors maintain adequate cyber insurance. It is also important for companies to conduct meaningful audits to make certain that vendors maintain compliance.

Cyber liability insurance provides a wide spectrum of benefits. In order to obtain cyber liability insurance, the insured is evaluated for cyber risks during the underwriting process. Depending on the risk level, insurers may require the insured to employ additional security measures to protect private customer information as a condition of coverage. The underwriting process provides an opportunity for companies to evaluate current security practices and ensure compliance with industry standards. Once evaluated, insurers offer a variety of cyber-options ranging from coverage for third party claims to coverage for initial forensic response, repair of network damages, notification of breach victims, lost revenues, business interruption, cyber extortion and reputational damages. The available coverage depends on the language of the insurance contract, the endorsements offered and the insurance company involved. Therefore, it is critical that officers and directors, who are charged with a fiduciary duty to protect company assets, communicate carefully with insurance brokers to ensure the proper insurance product is selected.

The legal landscape for data breaches is ever-changing. Class action attorneys are pursuing novel legal theories, while shareholders and business partners are filing lawsuits seeking large-scale contractual damages. As the stakes increase, so does the importance of having reliable cyber insurance protection.



more...
No comment yet.