Common Situations

Hack attack: You're enjoying your morning cup of coffee when Giga Byte from your IT Department informs you that there was a serious security breach overnight. Based upon an initial analysis, it appears that a hacker based overseas gained access to every payroll document maintained in the system, many of which include first and last names, social security numbers, and banking information, and none of which are encrypted. It turns out one of your most tenured HR professionals, Yen Compliance, was the recipient of a Trojan horse email. Believing he had finally won a trip on the Jenny Craig cruise of his mild-mannered dreams, Yen clicked on a malware attachment and inadvertently gave the hacker access to the company intranet. Do you have to disclose, since the breach impacted employee rather than customer SPI? Yes, the rules for notifying victims of a potential SPI loss include employees. Written notice or electronic notice will suffice. Depending on the number of employees affected and their residency, additional notification may be necessary.

Doc doxxed: Feel Good, Inc., a healthcare provider, collects health data about its employees for the purpose of providing health insurance plans. After a particularly bad day at the office, Phil Worse takes a handful of personnel files he found in the copy room and begins posting the contents on 5chan. The name, mental health, and disability information of one of Feel Good, Inc.'s employees, Petey Attric, MD, quickly spread across the internet. Even though it is a covered entity, Feel Good, Inc. did not violate HIPAA by collecting this information about Petey, because it did so in its capacity as an employer. However, it must notify Petey and the other affected employees, as this constitutes a security breach of SPI under Texas law. Additionally, Feel Good, Inc. violated the ADA by failing to maintain a confidential file for Petey's disability information separate from his personnel file. [96]

What Should I Do

Good: Provide job-specific training for all employees concerning the protection of SPI. Develop and disseminate company-wide policies and procedures for safeguarding SPI. Immediately revoke network and data access for any terminated employees.

Better: Use firewalls and protective programs to ensure that internal access to SPI is limited to select company administrators. Take inventory of stored SPI and conduct a quarterly purge of SPI that you are no longer required to keep. To minimize risk, regularly evaluate what SPI you are collecting and storing and whether it truly meets, or continues to meet, a business need.

Best: Encrypt all SPI. Secure vulnerable applications, including web-based and legacy applications, that collect or store SPI. Annually audit data protection programs and have clear protocols in place in the event that a security breach occurs. Offer identity protection as an employee benefit.