Archive for April, 2015

Workers, Employers Contribute Less to HSAs

Even though covered employees are paying more on average for their health insurance and out-of-pocket medical costs, fewer of them are contributing to their health savings accounts – and those who do contribute less than in the past, a new study says.

The study, by the Employee Benefits Research Institute (EBRI), found that the percentage of people contributing nothing to their HSAs more than doubled to 23% between 2011 and 2014. At the same time, the percentage of people who contribute $1,500 or more per year to their HSA dropped from 44% to 30%.

The study found that employers are also contributing less to their employees’ HSAs.

The trend among HSA holders goes against the grain, since these individuals could benefit from paying for their medical and insurance costs with pre-tax dollars that they can set aside from each paycheck.

HSAs are typically tied to consumer-driven health plans, which generally have higher deductibles than typical insurance policies. They are paired together to ensure that the covered employee sets aside money for health and medical expenditures over the year, as they’ll have to foot a good chunk of those expenses until the deductible is covered.

While the study does not indicate why this is happening, the EBRI suggests it may be because many people have built up account balances over time.

Unlike flexible spending account balances, in which money is generally lost if unused at year-end, HSA balances accumulate and can be used in future years even if workers change jobs.

Health savings accounts were established in 2003 as a way for people to save for future out-of-pocket medical expenses. The money is deposited, accumulates and can be withdrawn tax-free. The accounts must be linked to a health plan with a deductible of at least $1,300 for individual coverage and $2,600 for family coverage in 2015.

Another notable development: the share of employees who said they received employer contributions to their HSAs fell to 67% in 2014 from 71% the year prior.

Also notable is the fact that participation and employee contribution levels are waning, even though more companies are offering plans linked to HSAs.

In 2014, 73% of companies with more than 1,000 workers offered HSAs, up from just 51% in 2009, according to another study, the Towers Watson/National Business Group on Health annual employer health care survey.

The Triple Tax Benefits of HSAs

One way to communicate to your staff the importance of contributing to an HSA is to point out that they benefit financially in multiple ways by doing so.

HSAs offer a triple tax advantage to account holders, according to the Employee Benefits Research Institute:

  • Contributions reduce the employee’s taxable income.
  • The accounts build up interest earnings, which are not taxed.
  • Reimbursements for qualified medical and health expenses from the account are not taxed.

Also, they can roll over any unused funds to the next year, so they don’t have to worry about losing any money they set aside.

Cyber Threat Mounts with Human Error and Ransomware

Two new reports show two significant trends in the increasingly busy area of cyber security: careless employees are a prime reason many companies’ databases are getting “phished” for data, and ransomware, in which hackers freeze up a computer and demand payment to release it, is on the rise.

And in a majority of cases, it is small and mid-sized firms that are being targeted.

Don’t think you need to worry? Think again.

When these malicious code-bearing e-mails (phishing and ransomware alike) are sent, there is an 11% chance that an employee will click on the link that lets the phishing program gain entry into your database. If 10 employees receive such an e-mail, there is a greater than 90% chance that one of them will click on it.

Even worse, nearly 50% of users open e-mails and click on phishing links within the first hour. The median time to first click is just one minute, 22 seconds. You can see how the odds are stacked against you, since it’s so difficult to control the human factor.

In a more disturbing trend, Symantec Corp. noted in its “Internet Security Threat Report” that 60% of all targeted attacks strike small- and medium-sized organizations.

“These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver e-mail attachments. This puts not only the businesses, but also their business partners, at higher risk,” Symantec wrote in its report.

It’s important you understand these growing threats to your organization, and that you take steps to minimize the chances of your firm being hit.

Phishing

Phishing is an attempt to gain access to a database by masquerading as a trustworthy entity in an electronic communication. Phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack.

In phishing, tainted e-mails disguised as coming from a trustworthy source are sent to employees; if just one person clicks on the link, hackers gain entry into the company’s database. At that point, they can write code to camouflage the presence of the malicious software, which allows them to root through the database for sensitive information such as user names, passwords and credit card details (and sometimes, indirectly, money).

While phishing seemed to be fading in 2013, Verizon Communications Inc., in its annual “Data Breach Investigations Report”, notes that the practice made a resurgence in 2014 largely thanks to employees clicking on links in bogus e-mails.

This human-error dynamic is a significant frustration for businesses that erect firewalls and use other cyber security methods to protect their company data.

Ransomware

The other growing threat is ransomware (also often the result of employees clicking on tainted e-mails). Once someone clicks on a link, malware infects the computer system and freezes some or all of its main functions.

After the system is rendered unusable (completely or to some degree), the company will receive a ransom e-mail telling it to pay a certain amount to unlock its computers.

Ransomware attacks more than doubled in 2014 to 8.8 million, from 4.1 million the previous year, according to Symantec. Put another way, there were 24,000 attacks per day, compared with 11,000 in 2013.

But Symantec notes that there is a worse threat in the ransomware category: crypto-ransomware. This threat grew 45 times, from 8,274 incidents in 2013 to 373,342 in 2014.

There are several different crypto-ransomware families, but their method of exploitation is the same. Rather than locking your desktop behind a ransom wall, crypto-ransomware encrypts your personal files and holds the private keys to their decryption for ransom at a remote site. This is a much more vicious attack than traditional ransomware.

Methods of infection vary, but commonly it’s via a malicious e-mail attachment purporting to be an invoice, energy bill, or image. The delivery often forms part of a service actually provided by different criminals from those executing the crypto-ransomware.

What you can do

The bigger question for companies is how to reduce the likelihood of infection. You can’t hire robots to open your e-mails, so you have to find ways to bird-dog those malicious e-mails before they reach your employees’ in-boxes.

The general areas that will give you the most bang for your buck are:

  • Better e-mail filtering before messages arrive in user in-boxes.
  • Developing and implementing a thorough security awareness program from the top to the bottom of your organization. That means including training on how to spot suspicious e-mails, quarantining them and resisting the urge to open e-mails from familiar-sounding names of people you don’t know.
  • Improved detection and response capabilities.

The preferred method is to take measures to block, filter and alert on phishing e-mails at the gateway.
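As an added defensive example (not code from the original article or from any of the reports it cites), the Python routine below shows what “block, filter and alert” at the gateway can look like in practice. It refuses messages carrying executable or screensaver attachments, the two attachment types the Symantec report singled out, quarantines messages whose link text names one site while the link actually points somewhere else, or whose Reply-To domain differs from the sender’s (two common phishing tells that are this example’s own additions), and returns an alert record for whoever handles reports. The blocked-extension list, the anchor regex and the three sample messages are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types refused outright: plain executables plus the .scr
# screensaver format. Assumed starting list for this example; tune locally.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Simplified anchor matcher for the example; a real gateway would use a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def blocked_attachments(msg):
    """File names of attachments whose final extension is on the block list;
    double extensions such as 'invoice.pdf.scr' are caught by the same test."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

def _host(text):
    """Host of a URL or URL-looking string, minus any leading 'www.'."""
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def deceptive_links(msg):
    """Links whose visible text names one host but whose href leads elsewhere."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    bad = []
    for href, shown in ANCHOR_RE.findall(body.get_content()):
        shown = shown.strip()
        looks_like_url = "." in shown and " " not in shown
        if looks_like_url and _host(shown) != _host(href):
            bad.append((shown, href))
    return bad

def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the sender's."""
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    return bool(reply_to) and reply_to != sender

def triage(raw_message):
    """Return block / quarantine / deliver plus the reasons (the alert record)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    blocked = blocked_attachments(msg)
    if blocked:
        reasons.append("blocked attachment type: " + ", ".join(blocked))
    for shown, href in deceptive_links(msg):
        reasons.append(f"link shown as {shown!r} points to {href!r}")
    if reply_to_mismatch(msg):
        reasons.append("Reply-To domain differs from From domain")
    action = "block" if blocked else ("quarantine" if reasons else "deliver")
    return {"subject": str(msg.get("Subject", "")), "action": action, "reasons": reasons}

# Constructed sample messages (not real mail): reserved example domains,
# a TEST-NET-2 address, and a harmless base64 placeholder as the attachment body.
SAMPLE_SCR_ATTACHMENT = """\
From: "Accounts Payable" <billing@vendor.example>
To: staff@company.example
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice_4471.pdf.scr"
Content-Disposition: attachment; filename="invoice_4471.pdf.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_DECEPTIVE_LINK = """\
From: "Pat Chen" <pat.chen@company.example>
Reply-To: pat.chen.ceo@webmail.example
To: staff@company.example
Subject: Please verify your account today
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at
<a href="http://198.51.100.7/verify">www.bank-example.com/login</a>
before 5pm.</p></body></html>
"""

SAMPLE_CLEAN = """\
From: "Dana Lee" <dana.lee@company.example>
To: staff@company.example
Subject: Lunch order

Reply by noon if you want the sandwich platter.
"""
```

Running `triage()` over the three samples yields “block” for the `.scr` invoice, “quarantine” with two reasons for the look-alike bank link, and “deliver” for the lunch order. The `reasons` list is the part worth routing to the IT lead: it tells the reviewer exactly which rule fired, which is what makes the alert actionable rather than noise.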

That said, no technological defense is foolproof, so your people are really your last line of defense.

One of the most effective ways you can minimize the phishing threat is through effective awareness and training.

One idea is to make all staff your scouts: if one of them detects a suspicious e-mail, they send it to your head of IT or a manager, who can decide whether to warn all the staff.

In other words, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.

A note about insurance

A cyber insurance policy would cover many of the costs associated with a breach. Call us to learn more!

New Rules for Wellness Plans Finally Proposed

New rules for workplace wellness plans have finally been proposed just as more employers are incorporating such programs to help their workers improve their health and reduce their health insurance premiums.

The Equal Employment Opportunity Commission has proposed rules that set guidelines for employer-sponsored wellness plans and prohibit discrimination against individuals who may be unable to meet the goals set out in these programs.

The new rules also designate what would constitute a reasonably designed plan under the Americans with Disabilities Act (ADA) and the Affordable Care Act, as well as how employers treat medical information collected via a wellness plan.

Some employers offer financial incentives to employees who meet certain goals through their wellness plans, such as losing weight, quitting smoking and other health measures. Some programs penalize employees who do not participate by requiring them to pay a higher percentage of their premium.

The EEOC’s proposed rules, which are undergoing an open comment period now, seek to set guidelines for how wellness plans can operate in a non-discriminatory fashion.

Here’s what you, as an employer, need to know about the proposed regulations:

Financial incentives

  • They limit the financial incentives employers can provide to staff who participate in health-contingent-based wellness programs (described later) to 30% of the annual cost of self-only coverage.
  • Financial incentives tied to smoking cessation programs would be limited to 50% of the total annual cost of self-only coverage.

Must promote health or prevent disease

  • Wellness plans must have a reasonable chance of improving health or preventing disease in participating employees, must not be unduly burdensome to employees, and must not violate the ADA.
    EXAMPLE: Reasonable design – A program that collects information from a health risk assessment to provide feedback to employees about their health risks, or that uses aggregate information from health risk assessments to design programs aimed at particular medical conditions, is reasonably designed.
    Not reasonable design – A program that collects information without providing feedback to employees, or without using the information to design specific health programs, is not reasonably designed.

Must be voluntary

  • Employers must not require employees to participate in a wellness program, must not deny health insurance or reduce health benefits if workers do not participate, and must not discipline them for not participating.
  • Employers must not penalize employees by forcing them to take on a larger share of their premium. However, employees can be given the aforementioned financial incentives for participating.

Must not be discriminatory

  • Wellness programs must never be used to discriminate based on disability, and safeguards must be in place to prevent such discrimination.
  • Employers must not interfere with the ADA rights of employees who do not want to participate in wellness programs, and must not coerce, intimidate or threaten employees to get them to participate or achieve certain health outcomes.

Medical information confidentiality

  • Medical information obtained through a wellness program must be kept confidential.
  • Generally, employers may only receive medical information in aggregate form that does not disclose, and is not reasonably likely to disclose, the identity of specific employees.
    • Employers must provide employees with a notice that describes what medical information will be collected as part of the wellness program, who will receive it, how the information will be used, and how it will be kept confidential.
    • Medical information collected as a part of a wellness program may be disclosed to employers only in an aggregate form that does not reveal the employees’ identities, and must be kept confidential in accordance with ADA requirements. Best practices for securing confidentiality will be provided.

Reasonable accommodation

  • Employers must provide reasonable accommodations that enable employees with disabilities to participate and to earn whatever incentives the employer offers.
    EXAMPLE: An employer that offers an incentive for employees to attend a nutrition class must, absent undue hardship, provide a sign language interpreter for a deaf employee who needs one to participate in the class.

The proposed rules will be open for public comment until June 19, at which point the EEOC’s board of commissioners will review the comments and make any necessary changes before issuing the final rules.

Prepare Now for New Sick Leave Law

California’s paid sick leave law takes effect July 1 and if you haven’t begun preparing for this change, you should start now.

Did you know that parts of the law have already taken effect? Do you know what they are?

There are actions you should take now to prepare for the law, and you should also have policies in place before the law takes effect. We explain here.

What you should be doing now

  • Post the new paid sick leave notice in a place where employees can easily see it.
  • Provide the updated Wage Theft notice to nonexempt employees.
  • Know that anti-discrimination and anti-retaliation provisions already apply, even before employees begin accruing benefits on July 1.
  • Check if there’s a local ordinance for paid sick leave that applies to your workers.

Before July 1

  • Review your existing policies for sick leave and paid time off.
  • Choose which method you’ll use to provide paid sick leave benefits to employees – accrual, lump sum or existing policy.
  • Ensure your policies cover all eligible employees, and for all permissible uses.
  • Communicate your paid sick leave policy to your staff.
  • Train supervisors and managers about specific paid sick leave rights for employees.
  • Update your payroll systems to track sick leave.

On July 1 and after

  • Begin providing paid sick leave benefits on July 1 to employees who have worked in California for more than 30 days within a year from their start date.
  • Allow employees to start using accrued paid sick days on the 90th day of employment, and upon reasonable request.
  • Follow the law’s requirements regarding usage, record-keeping and timely payment.
  • Track paid sick leave and update record-keeping systems as required.
  • Show how many days of paid sick leave an employee has available, either on a pay stub or on a written document issued the same day as the paycheck.

Arbitration Agreements Take Hold, Reduce Litigation

More companies are stemming the rising tide of lawsuits by requiring their employees to sign arbitration agreements and barring them from joining class-action complaints.

According to a survey conducted by the employment law firm of Carlton Fields Jorden Burt LLP, the percentage of companies that use arbitration agreements to bar employees from participating in class-action lawsuits jumped to 43% in 2014 from just 16% in 2012.

During the same period, according to a report in the Wall Street Journal, there was a significant decline in lawsuits that accuse companies of wage theft, discrimination and other labor law violations.

While a U.S. Supreme Court decision in 2012 that upheld the use of arbitration agreements is cited as the main cause of the trend, a decision by the California Supreme Court in 2014 is likely to accelerate the use of arbitration agreements in employment matters.

In the 2014 case, a 6–1 majority in California’s highest court affirmed a Court of Appeal decision that class-action waivers in employee arbitration agreements are enforceable because of the U.S. Supreme Court precedent.

Before the Supreme Court’s ruling, most companies didn’t require employees to waive their right to join a class action because lower courts typically threw such agreements out. But the tide has changed.

The percentage of class-action lawsuits that address employment issues fell to 23% in 2014 from 28% in 2011, according to the Carlton Fields survey. Class-action suits from workers cost employers $463 million in 2014, down from $599 million in 2011.

Benefits of arbitration agreements (according to the law firm of Drinker Biddle) include:

  • Potential reduction of litigation and the chances of large monetary settlements.
  • Arbitration takes considerably less time than litigation in resolving disputes.
  • Employers win more often in arbitration than litigation. A 2011 Cornell University study found that arbitrations favor employers more often than litigation does, and result in lower awards for employees.
  • Lower insurance premiums.
  • Confidential dispute resolution.
  • Arbitration agreements with class-action waivers can help to eliminate private employment class actions.

Potential risks and downsides to arbitration agreements for employers (according to Drinker Biddle) include:

  • Potentially more expensive, because arbitrators may be less likely to grant dispositive relief and arbitrators are often paid by the hour or day.
  • Arbitrators may be more likely to “split the baby” or compromise.
  • Arbitrators may be less likely to accept procedural defenses.
  • Arbitrators may be more likely to allow hearsay and irrelevant witnesses than judges.

Background cases:

  • AT&T Mobility vs. Concepcion – This 2011 Supreme Court decision gave employers confidence that courts would uphold class-action waivers, even though the case did not concern an employment matter. In this case, customers tried to sue AT&T over a sales-tax issue, but the court ruled that they had forfeited the right when they signed their service contract.

Since this decision, lower courts have extended the ruling to employment law cases.

  • D.R. Horton, Inc. vs. NLRB – In 2014, California’s Supreme Court affirmed a Court of Appeal decision that class-action waivers in employee arbitration agreements are enforceable because of the U.S. Supreme Court precedent. The court also rejected the National Labor Relations Board’s (NLRB) view that the National Labor Relations Act bars class-action waivers.

The NLRB agenda

Despite the fact that numerous courts have upheld the legality of arbitration clauses that preclude class actions, the NLRB continues to claim they contravene the National Labor Relations Act (NLRA).

Although the California Supreme Court has now joined many other courts in rejecting the NLRB’s decision in D.R. Horton that class-action waivers violate the NLRA, the board has continued to prosecute unfair labor practice charges against employers that have class-action waivers in their arbitration agreements.

Crafting enforceable agreements

If you are considering using arbitration agreements, Drinker Biddle recommends:

  • Choosing a proper arbitral forum and set of procedures. Be mindful to include the following:
    – A neutral arbitrator
    – No limitation on remedies
    – A means for adequate discovery
    – Written arbitration awards
    – Fees and costs to be borne by the employer
  • Specifying applicable rules
  • Ensuring mutuality
  • Excluding non-arbitral claims
  • Including private attorney general actions or representative claims (for California employers)
  • To avoid accusations of unconscionability, arbitration agreements should not create carve-outs or exceptions for claims that are likely to be brought only by one side or the other
  • The California standard for arbitration agreements is that the agreement must have “a modicum of bilaterality”

Workers’ Comp Rates to Dip Mid-year

The workers’ comp reforms that took effect in 2013 are finally starting to bear fruit in the form of falling claims costs, and the result is what looks like a steep mid-year rate reduction.

The Workers’ Compensation Insurance Rating Bureau (WCIRB) is asking California’s insurance commissioner to reduce benchmark rates by more than 10% for policies incepting or renewing on July 1. Insurers use these benchmark rates as guideposts for pricing their own policies.

When the Rating Bureau’s governing committee voted to file for the mid-year rate decrease, it noted that the decrease could have been even larger if not for increasing claims administration costs, which insurers attribute to complying with the laws and regulations governing claims.

But what is pushing rates down is lower-than-expected medical losses and claim severity (the average cost of claims) in the state.

Average medical costs for California workers’ comp claims fell more than 8.3% in 2013 and 2014 following the passage of state workers’ comp reforms in 2012, the WCIRB said. That’s compared with the 10% increase that the Rating Bureau had expected and priced into earlier rate filings.

Furthermore, indemnity costs (payments made to workers who miss work due to their workplace injuries) increased 6.9% in 2013 and 2014, less than the 12.3% increase the Rating Bureau had predicted.

The Rating Bureau has been closely monitoring the cost of claims since the passage of Senate Bill 863 and it notes that its full effects may yet materialize.

“While it remains premature to adjust a number of the prospective SB 863 estimates based on recently emerging post-SB 863 indications, the WCIRB will continue to actively monitor post-SB 863 cost levels and will adjust future pure premium rate indications as appropriate based on emerging experience,” the Rating Bureau wrote in its recommendation.

The takeaway

The Rating Bureau recommends that the average advisory pure premium rate be set at $2.46 per $100 of payroll as of July 1, compared with the $2.74 per $100 of payroll as of Jan. 1.

The bureau submitted its new rate filing to the state Insurance Department for approval on April 6. The state insurance commissioner will hold a hearing and still has to approve the rate filing, but odds are that he will approve it – or even approve a larger decrease than what the Rating Bureau is calling for.

It should be noted that while overall benchmark rates will fall at mid-year, pricing on individual policies will depend on each employer’s claims experience as well as the industry in which they operate.

Five Reasons You Need a Cyber Liability Policy

The hacking threat is growing with each passing year. There are crooks out to steal data from companies, sometimes to turn around and sell personally identifiable information or credit card numbers to identity thieves and scammers.

Other cyber criminals are just out to create mayhem, shutting down websites and creating denial-of-service attacks that grind business operations to a halt.

The problem for your business is that if hackers walk away with your employees’ social security numbers, they can do serious damage to their credit lines – and in some cases even sell their identities.

The likelihood of any of the above scenarios affecting your company is growing year by year.

In any of the above cases, cyber liability insurance would pay for the costs of responding to an attack. And while you might think that insurance that protects you in case of a cyber attack is for only large companies, in recent years hackers have started targeting smaller companies in greater numbers than large ones.

If you haven’t thought about buying a policy, here are some reasons you should:

  1. It’s affordable – Premiums for most small companies are usually $1,000 to $2,000, depending on your exposure. You can get coverage as high as $30 million and deductibles as low as $10,000, depending on your needs and what you’re willing to pay. Cyber liability insurance is still fairly new, and that means policies will vary from one to the other. In some cases you can even negotiate some parts of the coverage.
  2. Broad coverage – Most policies will pay for business interruption, the cost of notifying customers of a breach, and even the expense of hiring a public relations firm to repair any damage done to your image as a result of a cyber attack. Policies will also cover any penalties you may incur from government agencies. Having such broad coverage will help you weather the storm and keep your business viable.
    Business interruption coverage can be especially important for a small business. That’s because they are typically not as diversified as larger companies and lack the same financial resources.
  3. You likely don’t have a risk manager on staff – While most big companies have a department dedicated to reducing risks, most small and mid-sized firms don’t have that same luxury. If you are buying a cyber liability policy, you can sometimes receive assistance like analysis of your firewalls as well as making sure you have social media policies in place to reduce the chances of being hacked.
    Your insurer may be willing to help with these areas because the better protected you are, the less likely you are to have a breach that could result in a claim.
  4. Outsourcing data hosting won’t save you – Even if you don’t host your data yourself, you’re still responsible for that data. So even if you are using a cloud storage solution for your data, you need to read the fine print of your contracts.
    The problem is that you can’t control how a cloud provider handles your data, but an insurance policy can protect you if your cloud provider errs.
  5. Your business liability policy won’t cover you – Typically, a general liability policy specifically excludes losses incurred via the Internet. In other words, the cyber liability policy gives you protection you won’t have in other policies.

    Make sure your cyber policy covers laptops and mobile devices as well, to give yourself coverage in as many situations as you can.
    Finally, we can help. You can work with us to integrate cyber liability with your general policy and employment liability policy. Talk to us and we can help you achieve seamless coverage.

Most Workers Happy to Let Employers Choose the Right Health Plan

Even though employees have more choices than ever before for their health coverage, most of them still want their employers to choose what is best for them, according to a new survey.

Interestingly, while 19% of employees surveyed by the Employee Benefits Research Institute said they would be happy to receive cash instead of benefits, most said they were not confident in their own ability to pick the plan that is best for them.

Most workers trust their employer to choose their health coverage, and are not as confident in their ability to choose the best available plan if their employers or unions were to stop offering coverage, according to the EBRI.

In other words, while some employees would be happy receiving cash in lieu of benefits, any employer trying this could face a backlash from its workforce and it could make it more difficult to attract talent.

The EBRI found that 70% of employees surveyed reported being satisfied overall with their benefits plan. When asked whether they would give up benefits for cash, the survey found a jump from 2012, when just 10% said they would. This time around, 19% said they’d rather have a fatter wallet than a richer benefits package.

Most workers still prefer employer-sponsored coverage, and most trust their employer to select the health plan that’s best for them, according to the institute. Employees are confident (85% are either “somewhat,” “very” or “extremely” so) that their employer has chosen the “best available” health plan for them.

“Choice of health plans is important to workers, and they would like more choices. But most workers express confidence that their employers or unions have selected the best available health plan – and they are not as confident in their ability to choose the best available plan if their employers or unions did, in fact, stop offering coverage,” the EBRI wrote.

The institute also reported that:

  • Most employees said that health insurance was the most important employee benefit. “This finding has remained constant even following enactment of the Patient Protection and Affordable Care Act of 2010, which has raised questions about whether employers will continue to offer health coverage to their workers in the future,” the EBRI wrote in its report.
  • Most employees do not expect employers to be dropping health coverage. In fact, 64% of employees in the latest poll were either “extremely” or “very” confident their employer would continue to offer health benefits. That’s compared with only 55% in 2010, the year the ACA was enacted.
  • Most workers are satisfied with the health benefits they have now and expressed little interest in changing the current mix of benefits and wages offered by their employers.

The takeaway

The main point to take away from this latest study is that employees want to be able to pick policy features that are best suited to them and their families. They want options, but also need assistance in picking plans that are best for them.

We can work with you during the next open enrollment to help your employees feel confident that they are getting the plan that is best for them and their dependents.

New Threat Uses Human Contact to Access Vital Data

One of the newest scams to hit businesses is “social engineering” fraud, and many companies are unknowingly being swept up in the web.

Social engineering fraud is the act of influencing others to disclose private company information using various forms of communication, including e-mail, phone, the Internet and even in-person interactions, according to a recent report published by the global insurance company Chubb.

Chubb issued the “Guide to Prevent Social Engineering Fraud” to help businesses train their workers about this new type of fraud, understand how it works and prevent this activity.

According to Check Point Software Technologies, nearly half of global businesses surveyed in 2011 reported being the victim of one or more social engineering attacks that resulted in losses ranging from $25,000 to $100,000 per occurrence.

Social engineering fraud is different from cyber fraud and crime in that it involves a human element. These criminals trick their targets into giving them information via various forms of communication in order to perpetrate their scheme of defrauding and infiltrating companies.

Social engineering fraud strategies

Fraudsters use many different social engineering strategies to gather information from their targets, including:

  • Impersonation/pretexting: The attacker impersonates a person in authority, a fellow employee, IT representative or vendor in order to access confidential or sensitive information.
  • Phishing: Phishing can take the form of a phone call or e-mail from someone claiming to be in a position of authority who asks for confidential information, such as a password. It can also include sending e-mails that contain malware designed to compromise computer systems or capture private credentials.
  • IVR/phone phishing (aka vishing): This technical tactic involves using an interactive voice response (IVR) system to replicate a legitimate-sounding message that appears to come from a bank or other financial institution, and directs the recipient to respond in order to “verify” confidential information.
  • Baiting: This typically involves leaving a malware-infected device – a USB drive, CD or DVD – at a location where an employee will come across it, and then out of curiosity will plug or load the infected device into their computer.
  • Tailgating/direct access: Attackers gain access to your premises by following closely behind an entering employee or by presenting themselves as someone who has business with the company.
  • Diversion theft: The methodology in this attack involves misdirecting a courier or transport company and arranging for a package or delivery to be taken to another location.

What you can do

Chubb, which has launched a new insurance product to cover costs associated with social engineering fraud, says companies need to train their employees on what constitutes confidential and sensitive information – and how to keep it safe. Let the following be a guide for policies and training:

  • Identify which employees have access to what types and levels of sensitive company information.
  • Never release confidential or sensitive information to someone you don’t know or who doesn’t have a valid reason for having it. If a password must be shared, it should never be given out either over the phone or by e-mail.
  • Establish procedures to verify incoming checks and ensure clearance prior to transferring any money by wire.
  • Reduce reliance on e-mail for all financial transactions. If e-mail must be used, establish call-back procedures to clients and vendors for all outgoing fund transfers or implement a customer verification system.
  • Avoid using or exploring “rogue devices” such as unauthenticated thumb/flash drives or software on a computer or network.
  • Be suspicious of unsolicited e-mails and only open ones from trusted sources. Never forward, respond to or access attachments or links in such e-mails; instead, either delete or quarantine them.
  • Avoid responding to any offers made over the phone or via e-mail. If it sounds too good to be true, then it probably is.
  • Be cautious in situations where a party refuses to provide basic contact information, attempts to rush a conversation, uses intimidating language or requests confidential information.
  • Guard against unauthorized physical access by maintaining strict policies on displaying security badges and other credentials and making sure all guests are escorted.
  • Monitor use of social media outlets, open sources and online commercial information to prevent sensitive information from being posted on the Internet.