Rules that should apply • All vendors and associated people who have access to ANY information should be fully responsible for any leak or breach up to a certain value per offence. Also it should be the responsibility of this organization to repair said damages no matter how long it takes with their own organization paying this cost and supplying the support team to do so. This should not be the responsibility of the individual to process, or fund in any way. A dept should be set up to handle any and all breaches within the vendors organization for as long as it takes to complete said protection • All vendors and associated people/organizations should have a password change monthly as well as an optic or finger log in on all computers and that includes laptops. All computers should have a shut off of 5 minutes if not in use. No one should be allowed to bring in any cell phone or photo devise in the office for any reason. Lap tops should not ever be used in public areas unless secure at all times. All vendors and staff should be US citizens and a lie detector test should be random amongst 10% of all staff per year by different vendor picking names and doing lie detector test. all laptops should be encrypted if stolen they can not be used to release data and this should be reported immediately. All breaches of any kind should be public information and can be released to that person within 24 hours by certified mail to known address, with a contact list of available support persons from your organization. Multiple attempts should be made to reach this person as some people could be hospitalized or in care facilities so their immediate family member or holder of their medical information should be informed and have a contact person available to assist in normal business hours funded by the vendor. • All cleaning crew in any location be in office or home should not have access to any computer or computer area, all computers should be logged off and secure in the presence of anyone other than operator. • Problems don’t arise outside the office most breaches are internal and more security needs to implemented if you want to do this kind of work. With all the cyber crime and internal crime companies need to be held responsible for breaches. They need to go above and beyond the call of duty to protect all clients’ information. The company or vendor simply can not close business doors and reopen under another name to be excluded from violations or breaches. A separate fund should be set up per person information they have access to and this fund should be set up such as $10 a person per every account you have on hand and to accumulate funds for this purpose -$ amt just example –should be in a separate account, it may accumulate interest but can never be used for anything other than repairs to this violation (can not be commingled with other organizational funds or be used to show added assets since this is a separate fund set aside for repair costs indefinitely) not to be funded for computer programming or security, this is to be used for breach of violations for individual assistance and fixing the problem for the consumer only. (Like a trust) this should be managed and controlled and accounting records checked quarterly for accuracy. Every company should also investigate any other methods necessary for security before this happens instead of only finding problems after the fact. You have access to the data you are responsible to fix this as long as necessary no matter what the cost is to repair 100%. - all consumers should also have an option of "opting out" of any medical records with any medical office if they wish unless state or federally funded.