The Affordable Care Act (ACA) requires health insurance issuers, self-insured health plan sponsors, government agencies that administer government-sponsored health insurance programs and any other entity that provides minimum essential coverage (MEC) to report information on that coverage to the IRS and covered individuals. This requirement is found in Internal Revenue Code section 6055.
The final regulations apply for calendar years beginning after Dec. 31, 2014. This date reflects the one-year delay provided in IRS Notice 2013-45. However, the IRS is encouraging voluntary compliance for 2014.
These reporting requirements are intended to provide the IRS with information necessary to administer other ACA mandates, such as the large employer shared responsibility penalty and the individual mandate.
Entities Subject to Section 6055 Reporting
Under the section 6055 reporting requirements, every person that provides MEC to an individual during a calendar year must report on the health coverage provided. Reporting entities include health insurance issuers, self-insured plan sponsors, government-sponsored programs and other entities that provide MEC. To ensure complete and accurate reporting, the final regulations require section 6055 reporting for all covered individuals.
Health Insurance Issuers
Health insurance issuers are responsible for section 6055 reporting for all insured coverage except:
- Coverage under certain government-sponsored programs (such as Medicaid and Medicare) that provide coverage through a health insurance issuer; and
- Coverage under QHPs through the individual market Exchange.
To avoid collecting duplicate or unnecessary information, issuers are not required to report on coverage under a QHP through an individual market Exchange. The Exchange will provide the necessary information to the IRS and the individual. However, issuers must report on QHPs in the small group market enrolled in through the Small Business Health Options Program (SHOP), because the Exchanges will not be reporting information on these plans.
Sponsors of Self-insured Group Health Plans
The plan sponsor is responsible for section 6055 reporting for a self-insured group health plan. In general, the plan sponsor is the entity that establishes or maintains the plan. The employer is the plan sponsor for self-insured group health plans established or maintained by a single employer, and each participating employer is the plan sponsor for a plan established or maintained by more than one employer (other than a multiple employer welfare arrangement).
For a multiemployer plan, the plan sponsor is the association, committee, joint board of trustees or other group of representatives who establish or maintain the plan.
For purposes of identifying the employer, the section 414 employer aggregation rules do not apply. Thus, a self-insured group health plan or arrangement covering employees of related companies is treated as sponsored by more than one employer, and each employer is required to report for its employees. However, one member of the group may assist the other members by filing returns and furnishing statements on behalf of all members.
Controlled Group Rules
Most employers that sponsor self-insured group health plans are applicable large employers (ALEs) required to report under both section 6056 and section 6055. ALEs apply the rules under section 6056 for identifying the reporting entities in a controlled group.
Employers in controlled groups that are not ALEs, and reporting entities (such as issuers) that are not reporting as employers, may report under section 6055 as separate entities, or one entity may report for the group.
Use of Third Parties
Reporting entities are permitted to use third parties to facilitate filing returns and furnishing statements to comply with section 6055 reporting requirements. However, these arrangements do not transfer the potential liability for failure to report.
In contrast, a government employer that maintains a self-insured group health plan or arrangement may designate (in writing) another governmental unit, agency or instrumentality as the person responsible for section 6055 reporting.
Coverage Not Subject to Section 6055 Reporting
Section 6055 reporting is not required for arrangements that provide benefits in addition or as a supplement to MEC. Health reimbursement arrangements (HRAs) are considered supplemental coverage to which this rule may apply.
In addition, reporting is not required for coverage that is not MEC. Thus, no reporting is required for health savings accounts (HSAs), coverage at on-site medical clinics or for Medicare Part B. However, Medicare Part A qualifies as MEC and is subject to reporting.
Wellness programs that are an element of other MEC (such as wellness programs offering reduced premiums or cost-sharing under a group health plan) do not require separate section 6055 reporting. The final regulations clarify that MEC that supplements a primary plan of the same plan sponsor or that supplements government-sponsored coverage (such as Medicare) is supplemental coverage not subject to reporting.
Section 6056 requires ALEs subject to the pay or play rules to report to the IRS and covered individuals information on the health care coverage offered to full-time employees. The final regulations provide that ALEs will file a combined return and statement for all reporting under sections 6055 and 6056.
An ALE that sponsors a self-insured plan will report on Form 1095-C, completing both sections to report the information required under sections 6055 and 6056.
An ALE that provides insured coverage also will report on Form 1095-C, but will complete only the section of Form 1095-C that reports the information required under section 6056.
Section 6055 reporting entities that are not ALEs or are not reporting as employers (such as health insurance issuers, sponsors of multiemployer plans and providers of government-sponsored coverage) will report under section 6055 on Form 1095-B. Section 6055 information returns must be submitted to the IRS with a transmittal form, Form 1094-B.
These forms will be made available in draft form in the near future.
Information Required to be Reported
Section 6055 requires the reporting of several data elements that are not required by taxpayers for preparing their tax returns or by the IRS for tax administration. The section 6055 information return must include:
- The name of each individual enrolled in MEC;
- The name and last known address of the primary insured or other related person (for example, a parent or spouse) who submits the application for coverage (the responsible individual);
- The TIN and months of coverage for each individual who is covered under the policy or program; and
- Other information specified in forms, instructions or published guidance.
For employer-provided coverage, the proposed rules required reporting the name, address and EIN of the employer maintaining the plan and whether coverage was enrolled in through the SHOP. The final regulations do not require sponsors of multiemployer plans to report the EINs of the participating employers. The regulations require only health insurance issuers to report the EIN of the employer sponsoring an insured group health plan.
Although TINs are required for section 6055 reporting, reporting entities may report a date of birth in lieu of a TIN only if the reporting entity is informed that an individual has no TIN or the reporting entity is unable to obtain a TIN after making reasonable efforts. In general, a reporting entity acts responsibly in attempting to solicit a TIN if, after an initial, unsuccessful request for a TIN (for example, at the time of enrollment), the reporting entity makes two consecutive annual TIN solicitations. A penalty may be imposed if the reporting entity fails to make the two additional solicitations.
Time and Manner of Filing
Any reporting entity that is required to file at least 250 returns under section 6055 must file electronically. The transmittal (Form 1094-B or 1094-C) is not treated as a separate return, but must be electronically filed in the form and manner required by the IRS when the Form 1095 is electronically filed.
All other reporting entities that are required to file fewer than 250 returns under section 6055 are permitted, but not required, to file electronically. A substitute form may be used, as long as it complies with IRS procedures or other guidance.
Reporting entities must file the section 6055 information return with the IRS by Feb. 28 (or March 31, if filed electronically) of the year following the calendar year in which they provided MEC.
Statements Furnished to Individuals
Reporting entities must also furnish a statement to the covered individual on or before Jan. 31 of the year following the calendar year in which MEC is provided. Reporting entities showing good cause may be allowed the flexibility to apply for an extension of time, not exceeding 30 days, to furnish statements.
Individual statements must provide (1) the policy number, (2) the name, address and a contact number for the reporting entity, and (3) the information required to be reported to the IRS.
Reporting entities may furnish the Form 1095-B or 1095-C with the Form W-2 in the same mailing. Substitute statements that comply with applicable requirements may be used, as long as the required information is included.
Electronic delivery of statements to individuals is permitted only if the recipient affirmatively consents. The final regulations explicitly allow statement recipients to provide consent and to access section 6055 statements in response to a notice on a website. A reporting entity may simultaneously request consent to receive an electronic section 6055 statement and consent regarding other statements. However, each form must be specifically referenced.
If mailed, the statement required under section 6055 must be sent to the individual’s last known permanent address or, if no permanent address is known, to the individual’s temporary address. A reporting entity’s first class mailing to the recipient’s last known permanent address, or if no permanent address is known, the temporary address, discharges the requirement to furnish the statement, even if the statement is returned. A reporting entity that has no address for an individual should send the statement to the address where the individual is most likely to receive it.
Statements furnished to individuals under section 6055 are not required to disclose their complete TINs.
Reporting entities that do not comply with the filing and statement furnishing requirements of section 6055 may be subject to penalties for failure to file a correct information return and failure to furnish correct payee statements. However, penalties may be waived if the failure is due to reasonable cause and not to willful neglect.
The final regulations also include short-term relief from penalties to allow additional time to develop appropriate procedures for data collection and compliance with these new reporting requirements. For returns and statements filed and furnished in 2016 to report coverage in 2015, the IRS will not impose penalties on entities that can show they made good faith efforts to comply with the information reporting requirements.
This relief is provided only for incorrect or incomplete information reported on the return or statement, including TINs or dates of birth. No relief is provided for entities that do not make a good faith effort to comply with these regulations or that fail to timely file an information return or statement.
Voluntary Reporting for 2014
Although these reporting requirements were delayed until 2015, reporting entities were encouraged to voluntarily comply for 2014 (that is, by filing and furnishing section 6055 returns and statements in early 2015).
Reporting entities that wish to voluntarily comply with the information reporting requirements in 2014 should do so in accordance with the final regulations. This means that reporting entities should provide both section 6055 and, if applicable, section 6056 information on a single form.
According to the IRS, real-world testing of reporting systems and plan designs, built in accordance with the final regulations, through voluntary compliance for 2014 will contribute to a smoother transition to full implementation for 2015.
Please contact The Buckner Company for more information on the ACA’s employer reporting requirements.
Source: Internal Revenue Service
On March 5, 2014, the Department of Health and Human Services (HHS) released its 2015 Notice of Benefit and Payment Parameters Final Rule. The final rule describes payment parameters applicable to the 2015 benefit year and standards relating to the:
- Premium stabilization programs;
- Open enrollment period for 2015; and
- Annual limitations on cost-sharing.
Among other provisions, the final rule also implements patient safety standards for qualified health plans (QHPs) offered in the Exchanges and includes standards related to the employee choice and premium aggregation provisions in federally-facilitated Small Business Health Options Programs (SHOPs).
Beginning in 2014, the Affordable Care Act (ACA) requires a three-year transitional reinsurance program to be established in each state. This program is intended to help stabilize premiums for coverage in the individual market during the first three years of Exchange operation (2014 through 2016) when individuals with higher-cost medical needs gain insurance coverage. This program will impose a fee on health insurance issuers and self-insured group health plans.
The final rule modifies the definition of “contributing entity” for the 2015 and 2016 benefit years to exempt certain self-insured, self-administered group health plans from the reinsurance contribution requirement.
The final rule implements a two-installment contribution schedule for the reinsurance fees. For example, the $63 per capita reinsurance contribution for the 2014 benefit year will be collected in two installments: $52.50 in January 2015 and $10.50 late in the fourth quarter of 2015. The final rule also refines the definition of “major medical coverage” to prevent more than one payment per enrollee.
In addition, the rule finalizes the annual reinsurance contribution rate of $44 per enrollee for 2015.
Open Enrollment Period for 2015
The rule finalizes the Exchange’s annual open enrollment period for the 2015 benefit year, which will begin on Nov. 15, 2014, and extend through Feb. 15, 2015. According to HHS, this schedule gives issuers additional time before they need to set their 2015 rates and submit their QHP applications, gives states and HHS more time to prepare for open enrollment, and gives consumers until Feb. 15, 2015, to shop for coverage. The rule does not change the schedule for the Exchange’s initial open enrollment period, which began on Oct. 1, 2013, and goes until March 31, 2014.
Annual Limitations on Cost-sharing
Effective for plan years beginning on or after Jan. 1, 2014, the ACA requires certain non-grandfathered health plans to comply with cost-sharing limits with respect to their coverage of essential health benefits. The cost-sharing limits include both an overall annual limit, or an out-of-pocket maximum, and an annual deductible limit.
The ACA requires that these limits be updated annually based on the percent increase in average premiums per person for health insurance coverage. The final rule establishes the cost-sharing limits for 2015, which are lower than the limits HHS originally proposed. For 2015:
- The annual deductible for a health plan in the small group market may not exceed $2,050 for self-only coverage and $4,100 for family coverage; and
- The annual out-of-pocket maximum for all health plans is $6,600 for self-only coverage and $13,200 for family coverage.
Source: Department of Health and Human Services
Fun in the sun is even better when you have a swimming pool in your backyard to stay cool on hot, summer days. Despite all the entertainment that a swimming pool offers, there are also homeowner liabilities. To help you minimize your risk, we’ve gathered some safety tips to keep you in the know as you swim.
Sink Swimming Pool Dangers
To Minimize Drowning Risks:
- Install safety fences around the pool with a locked latch and place a cover over the pool when you are not using it. This should deter unwelcome guests from entering your property and trying to swim.
- Always supervise welcome swimmers at all times.
- Do not allow swimmers to dive in shallow water.
- Keep lifesaving equipment near the pool and learn how to properly use it.
- Do not allow swimmers to horseplay in the pool.
To Minimize Disease Risks:
- Keep the pool water properly filtered and chemically treated.
- Do not allow swimmers with open wounds or illnesses to go in the water.
- Do not allow babies to swim unless they are wearing swim diapers. Regular diapers do not provide protection in water and will not protect against accidents.
- Keep pets out of the pool.
- Before going in the pool, make all swimmers take a shower.
- Do not allow swimmers to drink pool water.
To Minimize Chemical Risks:
- Avoid over-shocking the pool; keep chemicals at the proper levels.
- Follow manufacturer’s instructions carefully when adding chemicals to the pool or filtration system.
- Keep pool chemicals stored and locked away, out of reach of children and of anyone who may try to enter your property to use the pool without your permission.
- Store chemicals in a cool, dry place where they are away from fire hazards and lawn care products.
Helping you to avoid claims is just one of the many value-added services we provide. Call us today to learn more about all of our personal risk management solutions for your auto, home and life.
Smoke detectors are one of the most important safety devices you can install in your home to protect your personal belongings and your family. The good news is that they are inexpensive, too. Once you’ve installed smoke detectors, it is absolutely necessary to test them regularly to ensure that they will sound during a fire. After all, what good are they if they are not working when you need them the most?
Types of Smoke Detectors
When selecting a smoke detector, keep the following in mind:
- Photoelectric units are better for smoldering fires, such as electric fires in the walls, so they are ideal for kitchens and bathrooms where these fires tend to occur.
- Ionization units give nearby air an electrical charge and then measure whether the charge stays constant or whether a fire is consuming oxygen in the air. These units are better suited to areas where fires get out of control, such as a basement near a furnace.
Testing a Smoke Detector
To ensure that smoke detectors are working properly, test them on a regular basis. To do so:
- Press the test button on the unit and wait for it to sound.
- Light a candle and hold it six inches below the detector so the heated air will rise into the detector.
- If the alarm does not sound within 20 seconds, blow out the candle and let the smoke rise.
- If the alarm still does not sound, open the detector up and clean the unit. Also make sure that all of the electrical connections are in good working order.
- Then, test the unit again. If it is still not working, replace it immediately.
Staying safe on the road can be a challenge, especially when it involves an unexpected deer or other animal jumping across the road. The Centers for Disease Control and Prevention estimates that nearly one-quarter of all animal and vehicle crashes result in some form of bodily injury or vehicle damage. Whether you’re driving in the city or the country, here are some tips to keep you safe on the road.
Safe Driving Tips
Animal and vehicle collisions are especially commonplace between October and December when animals are migrating to other habitats for the winter months to find food and to breed. Drivers should be aware of this danger and take the necessary precautions to remain accident-free.
- Remain alert at all times and watch out for animals.
- Slow down if you see an animal up ahead, as it is generally unpredictable. Sound your horn with a long blast to scare it away.
- Slow down at designated animal crossing areas marked by road signs. These signs indicate that the area has a lot of animal traffic and an increased potential for accidents.
- Watch your speed, especially during dusk and at night.
- Use your high beams at night to see animals more easily.
- Have your vehicle’s brakes and tires checked regularly to ensure that they are in safe working order.
- Watch out for movement and shiny eyes on the roadsides. Slow down if you see anything suspicious.
- If you see an animal in front of you, do not swerve, because doing so may cause you to hit another vehicle or a side rail, or to lose control altogether. BRAKE!
- Slow down on blind curve areas of the roadway.
- Always wear a seat belt—it’s your best safety defense.
Auto Accident Reaction Tips
- Get out of your vehicle and provide assistance to anyone who is injured.
- Call the police or highway patrol immediately. They can then contact emergency personnel for you, if needed.
- Take photographs of your damaged vehicle and the scene. Note the date and time that the images were taken.
- Protect the accident scene by setting up flares, putting up cones or moving your vehicle off the road. Keep these items in your trunk at all times in the event of an accident.
- Once the police arrive, give them as much information as you can about what occurred. Do not admit fault; simply give the facts.
- Ask the investigating officer for a copy of the police report, as you may have to submit it with your insurance claim.
- Write down the names and addresses of all drivers and passengers involved in the accident. Also, note the license plate number, make, model and year of each car involved. You should also note the name of the other driver’s insurance company and driver’s license numbers.
- Write down the name and contact information for all witnesses to the accident.
- Note the name and badge numbers of the police and emergency personnel who assisted with your accident.
- Write down as many details as you can remember about the accident, and then call The Buckner Company to report your claim.
- Keep all records of correspondence that you have regarding your claim, including the date, name and title of the person that you talked to about the accident.
- Keep a record of any expenses that you incurred as a result of the accident. Depending on your policy, you may be entitled to reimbursement for those expenses.
We do more than just help you to avoid claims and arrive at your destination safely. Contact us today to learn more about all of our insurance solutions for your auto, home and life!
Because of the convenience they offer, smartphones and tablet devices have become a ubiquitous presence in the modern business world. As usage soars, it becomes increasingly important to take steps to protect your company from mobile threats, both new and old.
The need for proper phone security is no different from the need for a well-protected computer network. According to computer security software company McAfee, cyber attacks on mobile devices increased by almost 600 percent from 2011 to 2012—and experts expect that number to increase again in 2013.
Gone are the days when the most sensitive information on an employee’s phone was contact names and phone numbers. Now a smartphone or tablet can be used to gain access to anything from emails to stored passwords to proprietary company data. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a more traditional computer system.
Lost or Stolen Devices
Because of their size and the nature of their use, mobile devices are particularly susceptible to being lost or stolen. According to a 2012 study by the Ponemon Institute, nearly 40 percent of organizations experienced a data breach as a result of a lost or stolen mobile device. Since most devices automatically store passwords in their memory to keep users logged in to email and other applications, gaining physical possession of the device is one of the easiest ways for unauthorized users to access private information.
To prevent someone from accessing a lost or stolen device, the phone or tablet should be locked with a password or PIN. The lock should be time-based, engaging automatically after a short period of inactivity. Most devices come with such security features built in. Depending on your cellphone provider, there are also services that allow you to remotely erase or lock down a device if it is lost or stolen. Similarly, it is possible to program a mobile device to erase all of its stored data after a certain number of login failures.
Mobile devices have the potential to be just as susceptible to malware and viruses as computers, yet many businesses don’t consider instituting the same type of safeguards. Less than 20 percent of mobile devices have antivirus software installed, which is practically an open invitation to a thief or hacker to pillage whatever information they want from an unprotected device. Furthermore, it doesn’t matter which operating system the devices use, whether Android, Apple’s iOS, Blackberry or Windows Mobile: all are vulnerable to attacks.
As reliance on these devices continues to grow, so will their attractiveness as potential targets. Third-party applications (apps) are especially threatening as a way for malware to install itself onto a device. These apps can then purchase and install additional apps onto the phone without the user’s permission. Employees should never install unauthorized apps on their company devices. Apps should only be installed directly from trusted sources.
Hackers can use “ransomware” to restrict a user’s access to their device’s data, contacts, etc., and then demand a ransom to get it back. Even if the user pays the ransom, there is no guarantee that they will get the data back. Employees should know never to pay the ransom if this type of software finds its way onto a company device.
A big difference between mobile devices and laptops and other computers is the ability to accept open Wi-Fi and Bluetooth signals without the user knowing. Hackers can take advantage of this by luring devices to accept connections to a nearby malicious device. Once the device is connected, the hacker can steal information at will. To prevent this, make sure all mobile devices are set so that they do not accept open connections without the user’s permission.
While the current mobile device security landscape may look bleak, there are plenty of ways to be proactive about keeping company devices safe from threats.
- 1. Establish a Mobile Device Policy
Before issuing smartphones or tablets to your employees, establish a device usage policy. Provide clear rules about what constitutes acceptable use as well as what actions will be taken if employees violate the policy. It is important that employees understand the security risks inherent to smartphone use and how they can mitigate those risks. Well informed, responsible users are your first line of defense against cyber attacks.
- 2. Establish a Bring Your Own Device (BYOD) Policy
If you allow employees to use their personal devices for company business, make sure you have a formal BYOD policy in place. Your BYOD security plan should also include the following:
- Installing remote wiping software on any personal device used to store or access company data.
- Educating and training employees on how to safeguard company data when they access it from their own devices.
- Informing employees about the exact protocol they must follow if their device is lost or stolen.
- 3. Keep the devices updated with the most current software and antivirus programs.
Software updates to mobile devices often include patches for various security holes, so it’s best practice to install the updates as soon as they’re available.
There are many options to choose from when it comes to antivirus software for mobile devices, so it comes down to preference. Some are free to use, while others charge a monthly or annual fee and often come with better support. In addition to antivirus support, many of these programs will monitor SMS, MMS and call logs for suspicious activity and use blacklists to prevent users from installing known malware to the device.
- 4. Back up device content on a regular basis.
Just like your computer data should be backed up regularly, so should the data on your company’s mobile devices. If a device is lost or stolen, you’ll have peace of mind knowing your valuable data is safe.
- 5. Choose passwords carefully.
The average Internet user has about 25 accounts to maintain and an average of 6.5 different passwords to protect them, according to a recent Microsoft study. Obviously, this lack of security awareness is what hackers count on to steal data. Use the following tips to ensure your mobile device passwords are easy to remember and hard to guess:
- Require employees to change the device’s login password every 90 days.
- Passwords should be at least eight characters long and include uppercase letters and special characters, such as asterisks, ampersands and pound signs.
- Don’t use names of spouses, children or pets in the password. A hacker can spend just a couple minutes on a social media site to figure out this information.
The Buckner Company can help your company with cyber liability and risk management. Contact us today.
Laptop computers are integral devices in the workforce today. As more and more companies issue laptops to employees, the chances of losing a laptop (and the data stored on it) to theft are much greater. Follow these guidelines to help keep your laptops safe.
Communicate Employee Responsibility
If your company issues laptops to employees, be sure to communicate that your employees have a responsibility to care for them.
Employees’ work laptops may have their personal information on them (stored website sign-in information, name, address, work documents, etc.)—and they may not realize it. Making employees aware that the theft of a work laptop could personally affect them can be an incentive for them to protect the computer.
It may be beneficial for you to provide a security cable lock when you issue laptops to employees. A cable lock works similarly to a bike lock—one end of the cable has a lock that goes into the laptop’s security slot and the other end is attached to a heavy stationary object, such as a desk. This type of lock works as a visual deterrent as well, making the laptop less appealing to a thief.
Give your employees frequent laptop safety reminders and updates on new scams or theft tactics. Laptop safety is not a one-time thing—making security a habit will keep your company’s property and information safe.
Laptops That Don’t Leave the Office Are at Risk, Too
A laptop that never leaves the office should not be considered safe from theft. If the laptop is not locked to a docking station or desk, it is vulnerable.
An employee who is planning to quit or who is feeling disgruntled may see stealing a laptop as an easy score. One way to protect your company laptops is to apply tamperproof metal labels with your company name and contact information to each laptop. There are many types of tamperproof labels available, such as labels that etch a permanent message or break into tiny pieces when removed. The labels can also be used to track inventory and software updates.
Deterring theft can also be achieved by engraving the company name on laptops. This will discourage employees from stealing them, because the permanent engraving decreases the resale value.
Use Encryption Software
The physical loss of a laptop may not be as devastating as the loss of the information and data stored on that laptop.
Encryption software uses mathematical algorithms and an encryption key to encode data so that only someone who has the encryption key can read it. There are three different encryption methods you can use, based on the sensitivity of your data. Make sure you choose the right level of protection for your company.
- Full disk encrypts an entire disk, including all its data. This method is used to encrypt laptops, desktops and mobile devices.
- Individual file encrypts a single file or creates an encrypted repository for file storage.
- Data transit encrypts data during a transfer, but does not guarantee encryption once the data reaches its destination.
To protect the interests of your company and employees, all devices should be encrypted and require passwords for access.
Install Tracking Software
Tracking software is often called “anti-theft” software—it tracks your laptop to its current location using IP address locations, GPS or Wi-Fi positioning. A stolen laptop can be easier to recover if you’ve installed tracking software before the theft.
Some software can take a photo of the thief if the thief turns on the computer, showing his or her identity. If the thief sells the laptop to someone, capturing the new user’s identity is helpful for finding the thief.
Tracking software can also take screenshots of what the thief is doing on your computer, which is helpful if the thief signs in to his or her own personal accounts. Some software can lock the thief out to prevent him or her from logging on to your computer at all, and some software can remotely delete sensitive data from the hard drive if you tell it to.
Keep in mind that tracking software alone does not prevent theft—your employees’ actions and habits play a major role, too. Contact The Buckner Company today to learn more about defending your company’s laptops against theft.
If your company stores data and information digitally, you should have a cyber risk management program that addresses prevention, disclosure, crisis management and insurance coverage in the event of a data breach. Good cyber risk management requires the planning and execution of all four of these components.
Develop Strategies to Prevent a Data Breach
Your data breach prevention strategies may include encrypting all devices used by your employees, such as laptops, tablets and smartphones. Encrypting these devices will prevent unauthorized access if a device is lost or stolen. Unencrypted devices are often not covered by a cyber liability policy, so make sure you know whether you need to encrypt the devices or not.
Your strategies may also include educating employees about phishing and pharming scams. Remind them not to click on anything that looks suspicious or seems too good to be true.
Analyze your cyber risks from three different perspectives: technology, people and processes. This risk assessment will give you a clear picture of potential holes in your security. Revisit and revise your plan regularly, because new risks arise often, sometimes even daily.
Know Your Disclosure Responsibilities
If you experience a data breach, you may be legally required to notify certain people. If your company is publicly traded, guidelines issued by the Securities and Exchange Commission (SEC) make it clear that you must report cyber security incidents to stockholders—even when your company is only at risk of an incident.
The SEC advises timely, comprehensive and accurate disclosure about risks and events that would be important for an investor or client to know. It’s important to evaluate what information and how much detail should be released.
Notifying a broad base when it is not required could cause unnecessary concern for those who have not been affected by the breach.
Some extreme cases of a data breach may require you to go further than just assessing and disclosing the information. You may have to destroy or alter data depending on its sensitivity.
Your Crisis Management and Response Plan
Preparedness is key when developing your cyber risk management program. When you experience a data breach, you need to be prepared to respond quickly and appropriately. This is where your crisis management and response plan comes into play.
Determine when and how the breach occurred, what information was obtained and how many individuals were affected. Then assess the risks you face because of the data breach and how you will mitigate those risks.
While managing a crisis, let your clients know what actions you are taking, but also be sure you’re not disclosing too much information. It’s a delicate balance. Focus on improving future actions—this will restore your stakeholders’ and clients’ trust.
Your in-house lawyers, risk managers and IT department should work together to create and refine your plan. Everyone should be on board and know their responsibilities when a breach happens.
Protect Your Data—and Your Business
Your cyber risk management program should include cyber liability insurance coverage that fits the needs of your business.
Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure.
Your cyber liability insurance policy can be tailored to fit your unique situation and can be written to include the costs of disclosure after a data breach. Contact The Buckner Company to learn more about cyber liability insurance and how you can protect your business from a data breach.
Gone are the days when only the desktop computer in your office is at risk for a data breach. Technology changes quickly, and the latest developments are used in law firms today more than ever before. Information is stored electronically and accessed from laptops, tablets, smartphones, cloud computing systems, and USB or flash drives. Risks for a data breach are everywhere, and law firms are especially susceptible.
Law Firms Are Attractive Targets
Law firms have a reputation for being easy to hack, making them appealing targets to data thieves. In late 2009, the FBI issued an advisory to law firms warning that they were specifically being targeted by hackers.
Law firms are also desirable for computer hackers because they store a large amount of sensitive material about clients, lawsuits and the firm itself. These materials could include details about high-profile lawsuits, business deals, mergers and acquisitions. Information like this could be leaked or sold to the media, the opposing party in a lawsuit or other interested parties.
Lower Your Risks and Exposures
The size of a law firm does not make it more prone to attack than another. However, firms are more prone to attack if they exhibit a weakness that attackers know how to exploit. For example, if your firm’s network can be accessed remotely, and if a portable device used to access it is left in an unlocked car, forgotten in a hotel room or lost at the airport, it would be easy for a data thief who picks up the device to access your network and the information on it.
You can do a lot to decrease the chances of a data breach at your firm. Many actions may seem obvious (such as using strong passwords or setting up firewalls), but others may be less clear-cut. Here are some steps you can take to increase your cyber security:
- Use different passwords and usernames for everything. This way, even if a hacker finds one set of logon credentials, the rest are still safe.
- Change your passwords regularly. Your network may be set up to automatically prompt you to do this after a certain amount of time. If not, set your own schedule.
- Be sure your laptop and other devices (including USB drives) are encrypted so if they are stolen or lost, your data is still protected.
- Control how much access your employees have to your data. Not everyone needs access to your case files, for example.
- If you have social media accounts, check them often to make sure they have not been compromised. Update passwords and other sign-in information regularly.
- Dispose of old devices properly. Wipe the device clean of all data, even if you don’t consider the data to be sensitive.
Cyber risks and exposures are a relatively new threat for law firms, and the ways hackers can access your network or cloud are constantly changing. Contact The Buckner Company today to talk about your cyber risks and learn how you can protect your firm and clients.