Ho-hum: The FBI arrested 46 doctors and nurses...largest Medicare fraud bust ever.

That is from a headline in a recent CNN story. Seems the thieving doctors and nurses got away with $712 million before getting busted.

Per the story, "In total, 243 people were arrested in 17 cities for allegedly billing Medicare for $712 million worth of patient care that was never given or unnecessary."

Note the word "unnecessary." If there are doctors and nurses doing this to Medicare patients, they are defrauding self-insured benefit plan patients, too.

This has been getting worse and worse every year for 20 or so years. I say "ho-hum" at the beginning of this post because almost no one in the private sector takes stopping this kind of thing seriously. There is a lot of talk and little action.

I urge readers to start taking steps to stop this mess.

Employers should move quickly to review and update as necessary their human resources and employee benefit policies and practices concerning when same-sex partners of employees are treated as the spouses of the employees in light of the U.S. Supreme Court's June 26, 2015, decision in Obergefell v. Hodges.

Employer and employee benefit plan leaders and their consultants are cautioned that the decision requiring states to allow same-sex couples to marry does not eliminate ambiguities or differences in state laws and documentation of marriage. Consequently, policies, practices and programs for administering the employment and employee benefit rights of married employees need to be carefully tailored to identify and require proof of marriage evenhandedly. Administrators must take into account variances and potential biases in state documentation and practices that could create complications or even liabilities for employers and plans if not appropriately considered.

Since the Supreme Court ruled that the Equal Protection Clause of the U.S Constitution entitled same-sex couples to equal treatment with married heterosexual couples under federal law in U.S. v. Windsor, 133 S.Ct. 2675 (2013), employers have faced several challenges understanding and updating their policies and practices with respect to employees involved in same-sex relationships.

The Obama administration's aggressive reinterpretation of federal employment, employee benefit, tax and other laws and regulations placed pressure on employers to update their policies and practices concerning when to recognize employees in same-sex relationships as marriages for employment, employee benefits and other purposes.

As the Windsor decision did not address whether the U.S. Constitution also guaranteed same-sex couples a right to marry under state law, disparities in the treatment of same-sex marriages between the states and rapid changes in the state statutory and judicial rules governing these determinations created significant challenges. Employers had to determine if a same-sex couple could marry in a particular state and the right and duty of the employer in response to such an arrangement.

Today's Obergefell ruling will help to resolve some, but not all, of this uncertainty by answering the question whether states may refuse to allow same-sex partners to marry or refuse to recognize marriages of same-sex partners. The Obergefell decision settles this debate by holding that the U.S. Constitution requires all states to allow same-sex couples to marry on the same terms as apply to heterosexual couples.

Employers still face many challenges. While states must now treat same-sex and opposite-sex couples equally under marriage laws, determining consistently whether two individuals are legally married in any particular state remains anything but simple. Variations in the marriage laws of the states mean the requirements for and proof of marriage can vary significantly.

Care must also be taken to manage potential discrimination risks that might arise from the adoption of policies that treat same-sex vs. opposite-sex partners disparately. There could be administrative complications and compliance risks. There could also be sex discrimination liability exposures under the Civil Rights Act and other laws.

Parties should act promptly and carefully with the advice of counsel to evaluate and update their policies to respond to the new decisions and these other challenges and duties.

In the world of commercial insurance, there exists the very curious role of risk manager. I mean curious in the sense that successful risk managers appear to have superpowers. They are charged with taking the actions necessary to avoid or reduce the consequence of risk across an entire enterprise. Their knowledge must extend deeply into a variety of subjects such as engineering, safety, the subtleties of the business of their employer, insurance (of course), physics, employee motivation and corporate politics and leadership. Their impact can be wide-ranging, from financial (e.g., dollar savings from risk avoidance/mitigation) to personal (the priceless value of the avoidance of employee death or injury).

Sadly, the tyranny of economics restricts the access that businesses have to continuous, high-quality risk management. Full-time risk managers are prevalent in huge, complex, global companies. These firms often self-insure, or purchase loss-sensitive accounts, and the financial value of a risk management position (or department) is clear. The larger mid-market firms can afford to selectively purchase safety consultant services; their insurance broker might perform some of these tasks (especially at renewal), and their insurers may have loss control professionals working some of these accounts. However, for the majority of small businesses, risk management at the professional level is not affordable.

I have toyed with different ideas about how to automate this function to bring the value of a risk manager to the small commercial business segment. My attempts were always unsatisfying. However at a Front End of Innovation conference in Boston, a presentation by Dr. Rafael J. Grossmann (@ZGJR) crystallized the vision. I can now clearly see how existing technology can be combined to create a risk manager avatar.

Dr. Grossmann is a trauma surgeon who practices in Maine. In addition to the normal challenges of his profession, he is one of only four trauma surgeons servicing a very wide area. Although the area is sparsely populated, the challenge of distance and time complicates the delivery of medical services. Dr. Grossmann presented his vision of a medical avatar, a combination of technologies that will perform 80% or more of the routine medical cases in a consistent, timely and cost-effective manner. Combining the technologies of mobile, voice recognition, virtual reality, artificial intelligence, machine learning and augmented reality forms a new silicon entity - a medical doctor avatar. He also introduced a company, sense.ly, that is working to deliver similar services (video here: http://www.sense.ly/index.php/applications/).

If such systems can deliver medical services, then why not risk management? For example, given permission, a system would monitor the purchases of a small company and identify when the historical pattern changes, e.g., when the company begins to buy new types of materials. Using predictive algorithms, the pattern can be compared against others to evaluate if there is likelihood that the company is now performing new business operations. The avatar could then contact the small business, or could signal human intervention by an underwriter to evaluate the necessity for an endorsement to a policy to cover the new business operation. Eventually, some of these interventions would also be handled through machine-to-machine communication and would allow the endorsement to take place automatically.

Someone will build a risk management avatar. The question is, who will do it first?

This article started as another "Top Ten" list, but I quickly realized that, when looking for potential fraud or compensability issues in a workers' compensation claim, there are many more than 10 red flags - I came up with 66. You can probably think of more. Please add them in the comments.

The following is a loosely organized list of red flags signaling potential fraud or abuse by a workers' compensation claimant. Keep in mind that even if the claim has all of these red flags, this does not necessarily mean the claimant is committing fraud or that you have grounds to deny compensability of a claim. However, the presence of some of these red flags should cause you to investigate further. Also note that I am using the term "fraud" broadly to include general wrongdoing on the part of the claimant and not specifically referring to a legal cause of action.

Here we go:

1. Late reporting - If an employee is really injured on the job, it is unlikely the employee will wait days or weeks to report the injury.
2. The details of the accident are sketchy.
3. The employee has difficulty recalling what happened.
4. The employee changes the description of the accident when inconsistencies are pointed out.
5. The nature of the injury is not consistent with the nature of the work done by the employee.
6. The date, time or location of the accident is unknown or forgotten.
7. The details of the accident are inconsistent with the employee job duties.
8. The accident occurs in an area where the injured employee would not normally be.
9. Fellow workers hear rumors circulating that the accident was not legitimate.
10. The employee gives completely different versions of the accident to the employer, the adjuster and the doctor.
11. The employee keeps modifying the story of what happened.
12. The employee leaves out pertinent information.
13. The details of the accident vary from medical report to medical report.
14. There are no witnesses to the accident, and the employee normally works around other people.
15. There are witnesses, but their version of the accident differs from the employee's.
16. The nature of the injury is unusual for the employee's line of work.
17. The employee's co-workers express doubt that the accident occurred.
18. The employee is disgruntled about some aspect of his job.
19. The employee was demoted or passed over for a promotion.
20. The employee is on the list to be laid off.
21. The employee is on "positive improvement needed" status and is about to be terminated.
22. The employee has had numerous prior employers.
23. The "accident" occurs immediately before a strike, plant closing or the end of seasonal employment.
24. The employee is a new hire.
25. The accident occurs near the end of probationary period.
26. The claimant is a seasonal worker.
27. The employee has an early Monday morning accident before the supervisor or other employees see him on the job (meaning the accident might have occurred off the job over the weekend).
28. The injured employee is not at home during the normal workday.
29. The employee is always sleeping when the adjuster calls or cannot be disturbed.
30. The employee's family member is vague or noncommittal about when you can reach the employee.
31. The employee uses the address of friends or family members and has no definite address or uses a Post Office box as an address.
32. The employee's spouse is not working and is drawing workers' comp indemnity benefits, Social Security disability payments, welfare or unemployment insurance, and the employee wants the same lifestyle.
33. The employee inquires about a settlement early in the claim process.
34. The employee was having financial problems.
35. The employee is nearing retirement age.
36. The employee files for benefits in a state other than where the accident occurred.
37. The employee fails to report other work income while drawing indemnity benefits.
38. The employee took excessive time off just before the injury.
39. The employee is in the middle of a divorce or other family disturbance.
40. The Social Security number used by the employee belongs to someone else.
41. The employee applies for Social Security benefits before the injury occurs.
42. Income from workers' comp, disability or other sources exceeds the employees prior after-tax income.
43. The employee protests about returning to work and never seems to improve.
44. All the injuries are subjective - pain without trauma, soft-tissue, emotional.
45. The employee changes doctors frequently ("doctor shopping") or changes doctors when released to return to work.
46. The employee has excessive treatment for soft-tissue injuries.
47. The medical treatment reported by the employee is different from the medical care stated in the medical reports.
48. The nature of the medical treatment changes from one body part to another after the employee has been treating for a while.
49. The employee misses medical appointments.
50. The employee fails to show up for an independent medical examination.
51. The employee refuses or delays diagnostic testing.
52. There are whiteouts, corrections or erasures on medical forms submitted by the employee.
53. Pain is exaggerated.
54. Invalid or inconsistent effort is reported on the functional capacity evaluation.
55. The employee has a history of multiple workers' comp claims or reporting subjective claims of injury.
56. The injury relates to a preexisting medical condition or health problem.
57. The length of recovery is excessive for the nature of the injury.
58. The employee who has been off work for a while has calluses on hands or grime under the fingernails.
59. The medical reports reflect "muscular," "tanned" or other adjectives that reflect that the employee is in good health.
60. The employee is unable to work because of the injury but is seen painting her house, mowing the lawn, carrying heavy objects, etc.
61. The employee has a high-risk hobby or does other activities involving considerable physical exertion.
62. Surveillance reflects physical activity greater than what is reflected in the medical reports.
63. The employee is unusually pushy to settle the workers' comp claim.
64. The employee has extensive medical knowledge but no training in the medical field, or uses extensive insurance terminology but has no work experience in the insurance field.
65. The employee is a part of a group of employees using the same doctor and the same attorney for their workers' comp injuries.
66. The attorney's letter of representation is the same day of the injury or even dated before the "injury."

Please share your experiences in the comments!

Disclaimer: The information in this article does not constitute legal advice, nor is it intended to create an attorney-client relationship. Every situation is unique, and I encourage you to seek legal advice from a licensed attorney for your particular situation.

Businesses, brace yourself for health plan enforcement! With the Supreme Court's much anticipated June 25, 2015, King v. Burwell decision dashing the hope that the Supreme Court would provide relief for businesses and their group health plans from the Patient Protection and Affordable Care Act (ACA) mandates by striking down ACA, U.S. businesses that offered health coverage in 2014 and those continuing to sponsor health coverage must swiftly act to review and verify the adequacy of their 2014 and current group health plan's compliance with ACA and other federal group health plan mandates. Business must also begin finalizing their group health plan design decisions for the coming year.

Prompt action to assess and verify compliance is particularly critical in light of the much-overlooked "Sox for Health Plans" style rules of Internal Revenue Code (Code) Section 6039D. The rules generally require group health plans that violated various federal group health plan mandates to self-identify and self-report these violations, as well as self-assess and pay the excise taxes of as much as $100 a day per violation triggered by uncorrected violations. While the mandates were applicable prior to 2014 for uncorrected violations of a relatively short list of pre-ACA federal group health mandates, ACA broadened the applicability of Code Section 6039D to include ACA's group health plan mandates beginning in 2014. This means that, in addition to any other liability that the company, its group health plan and its fiduciaries might bear for violating these rules under the Employee Retirement Income Security Act, the code, the Social Security Act or otherwise, the sponsoring business also will incur liability for the Code Section 6039D excise tax for uncorrected violations, as well as late or non-filing penalties and interest that can result from late or non-filing.

Many employers have significant exposure to these Code Section 6039D excise tax liabilities because many plan sponsors or their vendors have delayed reviewing or updating their group health plans for compliance with some or all of ACA's mandates. In many cases, businesses delayed in hopes that the Supreme Court would strike down the law, Congress would amend or repeal it, or both. In other cases, limited or continuing changes to the regulatory guidance about some of ACA's mandates prompted businesses to hold off investing in compliance to minimize compliance costs. Regardless of the past reasons for such delays, however, businesses sponsoring group health plans after 2013 need to recognize and act to address their uncorrected post-2013 ACA violations exposures.

Although many businesses, as well as individual Americans, have held off taking long overdue steps to comply with ACA's mandates pending the Supreme Court's King v. Burwell decision, the three agencies charged with enforcement - the IRS, Department of Labor and Department of Health and Human Service -- have been gearing up to enforce those provisions of ACA already in effect and to finalize implementation of others in the expectation of the ruling in favor of the Obama administration. As a practical matter, ACA opponents need to recognize that the Supreme Court's King decision realistically gives these agencies the go-ahead to move forward with these plans for aggressive implementation and enforcement.

Although technically only addressing a challenge to the Obama administration's interpretation of the individual tax credit ("Individual Subsidy") that ACA created under Code Section 36B, the Supreme Court's decision eliminates any realistic hope that the Supreme Court will provide relief to businesses or their group health plans with any meaningful past or current ACA violations by striking down the law itself. Of all of the currently pending challenges to ACA working their way to through the courts, the King case presented the best chance of a Supreme Court ruling that would wholesale invalidate ACA's insurance reforms, if not the law itself, because of the importance of the Individual Subsidy to the intended workings of those reforms. By upholding the Obama Administration's interpretation of Code Section 36B as allowing otherwise qualifying individuals living in states without a state-run ACA health insurance exchange to claim the Individual Subsidy for buying health care coverage through the federal Healthcare.gov health insurance exchange, the Supreme Court effectively killed the best possibility that the Supreme Court would invalidate the insurance reforms or ACA itself. While various challenges still exist to the law or certain of the Obama administration's interpretations of its provisions, none of these existing challenges present any significant possibility that the Supreme Court will strike down ACA.

While the Republicans in Congress have promised to take congressional action to repeal or reform ACA since retaking control of the Senate in last fall's elections, meaningful legislative reform also looks unlikely because the Republicans do not have the votes to override a presidential veto.

In light of these developments, businesses must prepare both to meet their current and future ACA and other federal health plan compliance obligations and defend potential deficiencies in their previous compliance over the past several years. The importance of these actions takes on particular urgency given the impending deadlines under the largely overlooked "Sox for Health Plans" rules of Code Section 6039D for businesses that sponsored group health plans after 2013.

Under Code Section 6039D, businesses sponsoring group health plans in 2014 must self-assess the adequacy of their group health plan's compliance with a long list of ACA and other federal mandates in 2014. To the extent that there exist uncorrected violations, businesses must self-report these violations and self-assess on IRS Form 8928 and pay the required excise tax penalty of $100 for each day in the noncompliance period with respect to each individual to whom such failure relates. For ACA violations, the reporting and payment deadline generally is the original due date for the business' tax return. Absent further regulatory or legislative relief, businesses providing group health plan coverage in 2014 or thereafter also should expect to face similar obligations and exposures. As a result, businesses that sponsored group health plans in 2014 or thereafter should act quickly to verify the adequacy of their group health plan’s compliance with all ACA and other group health plan mandates covered by the Code Section 6039D reporting requirements. Prompt action to identify and self-correct covered violations may mitigate the penalties a company faces under Code Section 6039D as well as other potential liabilities associated with those violations under the Employee Retirement Income Security Act (ERISA), the Social Security Act or other federal laws. On the other hand, failing to act promptly to identify and deal with these requirements and the potential reporting and excise tax penalty self-assessment and payment requirements imposed by Code Section 6039D can significantly increase the liability the business faces for these violations substantially both by triggering additional interest and late payment and filing penalties, as well as forfeiting the potential opportunities that Code Section 6039D otherwise might offer to qualify to reduce or avoid penalties through good-faith efforts to comply or self-correct.

While current guidance allows businesses the opportunity to extend the deadline for filing of their Form 8928, the payment deadline for the excise taxes cannot be extended. Code Section 6039D provides opportunities for businesses to reduce their excise tax exposure by self-correction or showing good faith efforts to comply with the ACA and other group health plan mandates covered by Code Section 6039D. Businesses need to recognize, however, that delay in identification and correction of any compliance concerns makes them less likely to qualify for this relief. Accordingly, prompt action to audit compliance and address any compliance concerns is advisable to mitigate these risks as well as other exposures.

Businesses preparing to conduct audits also are urged to consider seeking the advice from qualified legal counsel experienced in these and other group health plan matters before initiating their audit, as well as regarding the evaluation of any concerns that might be uncovered. While businesses inevitably will need to involve or coordinate with their accounting, broker and other vendors involved with the plans, businesses generally will want to preserve the ability to claim attorney-client privilege to protect all or parts of their audit investigation and analysis and certain other matters against discovery. Business will also want assistance with proper evaluation of options in light of findings and assistance from counsel to document the investigation and carefully craft any corrective actions for defensibility.

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It's a good product, useful for audit committees and those who advise them -- especially chief audit executives (CAEs), CFOs and general counsel.

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each) and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team's quality.

Given the publicized failures of audit firms to detect serious issues (fortunately few, but still too many - the latest being the FIFA scandal) and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me Illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I said there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the corporate controller and the entire financial reporting team. I said that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the treasurer and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice - and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this situation. The partner also gave an unapologetic "yes" in reply.

The chairman then asked the CEO (incidentally, the former CFO, whose policy it had been not to hire CPAs) to have the issue addressed promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why; whether he agreed with my assessment of the issue; why the firm had not identified this as a material weakness or significant deficiency in prior years; or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don't use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management - going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

• Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
• Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
• Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

One of the fascinating aspects of technology consulting is having the opportunity to see how different organizations address the same issues. These days, analytics is a superb example. Even though every organization needs analytics, they are not all coming to the same conclusions about where "Analytics Central" lies within the company's structure. In some carriers, marketing picked up the baton first. In others, actuaries have naturally been involved and still are. In a few cases, data science started in IT, with data managers and analytical types offering their services to the company as an internal partner, modeled after most other IT services.

In several situations that we've seen, there is no Analytics Central at all. A decentralized view of analytics has grown up in the void - so that every area needing analytics fends for itself. There are a host of reasons this becomes impractical, so often we find these organizations seeking assistance in developing an enterprise plan for data and analytics. This plan accounts for more than just technology modernization and nearly always requires some fresh sketches on the org chart.

Whichever situation may represent the analytics picture in your company, it's important to note that no matter where analytics begins or where it currently resides, that location isn't always where it is going to end up.

Ten years ago, if you had asked any senior executive where data analytics would reside within the organization, he or she would likely have said, "actuarial." Actuaries are, after all, the original insurance analytics experts and providers. Operational reporting, statistical modeling, mortality on the life side and pricing and loss development on the P&C side - all of these functions are the lifeblood that keep insurers profitable with the proper level of risk and the correct assumptions for new business. Why wouldn’t actuaries also be the ones to carry the new data analytics forward with the right assumptions and the proper use of data?

Yet, when I was invited to speak at a big data and analytics conference with more than 100 insurance executives and interested parties recently, there was not one actuary in attendance. I don't know why -- maybe because it was quarter-end -- but I can only assume that, even though actuaries may want to be involved, their day jobs get in the way. Quarterly reserve reviews, important loss development analysis and price adequacy studies can already consume more time than actuaries have. In many organizations, the actuarial teams are stretched so thin they simply don't have the bandwidth to participate in modeling efforts with unclear benefits.

Then there is marketing. One could argue that marketing has the most to gain from housing the new corps of data scientists. If one looks at analytics from an organizational/financial perspective, marketing ROI could be the fuel for funding the new tools and resources that will grow top-line premium. Marketing also makes sense from a cultural perspective. It is the one area of the insurance organization that is already used to blending the creative with the analytical, understanding the value of testing methods and messages and even the ancillary need to provide feedback visually.

The list of possibilities can go on and on. One could make a case for placing analytics in the business, keeping it under IT, employing an out-of-house partner solution, etc. There are many good reasons for all of these, but I suspect that most analytics functions will end up in a structure all their own. That's where we’ll begin "Where is the Real Home for Analytics, Part II" in two weeks.

The National Institute for Occupational Safety and Health (NIOSH) and the Occupational Safety and Health Administration (OSHA) just released their Hospital Respiratory Protection Toolkit. This toolkit provides a much-needed comprehensive resource for healthcare employers to use to protect their staff from respiratory hazards like airborne infectious diseases, chemicals and certain drugs that, when inhaled, cause illness, infection or other physical harm to healthcare workers.

We know that national public health preparedness has increased because of the Ebola virus cases in Dallas last year, but the nation may not know that federal agencies like NIOSH and OSHA are always working to prepare healthcare and other workplaces from exposures to dangerous organisms and chemicals that cause infection, illness and other harm. This new toolkit is evidence of that effort. According to the International Safety Center and its EPINet data, current compliance with the use of personal protective equipment (PPE) like respirators, and even lesser protection like surgical masks, is so low (less than 20%!) that this effort can only help to improve compliance.

The OSHA Respiratory Protection Standard has long required that healthcare employers have a respiratory protection program to protect workers exposed to respiratory hazards, but the standard is as complex as are the hazards and the circumstances surrounding patient care in hospitals. This toolkit helps healthcare and program administrators sort through the standard, overcome what they may see as daunting tasks and tackle their respiratory protection programs one step at a time.

The toolkit is long -- 96 pages long -- but fear not. It provides great pull-out, grab-and-go tools like the "Respiratory Protection Program evaluation checklist" and a "Respiratory Protection Program template" that can be used in healthcare facilities to create, adapt or modernize programs. Not all respiratory protection program administrators are seasoned at putting programs in place that are effective, and this resource will surely assist even the novice pull together a safe program.

Hats off to NIOSH and OSHA! You remind us that keeping our patients as safe as possible is only possible when we keep our workers as safe as possible.

Your comments about the utility of this resource would be appreciated by NIOSH, as it will help inform the development of future companion resources. You can kindly email your feedback directly to Debra Novak's email: ian5@cdc.gov.

In the past two years have revealed anything, it's that every conceivable mode of communication comes with its share of serious privacy and security issues. Email can be hijacked, mail servers can be breached and malware can turn your smartphone into a peepshow. Wikileaks revealed that even our phone conversations are at risk.

That said, don't panic! It's highly unlikely anyone is listening to your phone calls. (OK, it's possible, but you'd have to be incredibly sloppy or unlucky enough to download call-intercepting malware, or targeted by folks who can handle a price tag that hovers north of the $1 million mark.) The more relevant point here is that the big data mills at the NSA that may or may not be crunching your calls don't care if you're negotiating the sale of Ford to General Motors, much less if you've been naughty or nice - unless you're a world leader or someone perceived as a threat to America.

So what about the other, more likely ways you may be exposed? There are man-in-the-middle attacks that are fairly affordable for a hacker. There's malware from friend (hard to spot) and foe (you can't be alert to every danger every second of the day). It almost seems like the only way to be completely safe from intrusion is to have nothing you wouldn't want broadcast or skywritten on your smartphone, nothing you wouldn't want the world to know about in your browser history, not a single text message you want to keep private and no phone calls made or received that you don't want to share with Dr. Phil and his audience.

Recent news has been nothing less than terrifying. JPMorgan Chase and Home Depot joined the ever-growing list of mega-breach victims. Sony Pictures was gutted, with career-killing emails sent hither and yon, servers erased and trade secrets and intellectual property joyously tossed like flower petals from a float in the Rose Bowl parade. The hack initially stopped the release of "The Interview," costing the studio millions, and that's not taking into account future losses associated with class-action lawsuits brought by current and former employees whose personally identifiable information was stolen and published for the world to see, or enforcement actions by various and sundry state and federal regulators. It's major stuff. And then there were all those other cybercrimes. It all makes for a really uneasy feeling at the workplace.

The trend here is simply too clear: Nothing is sacrosanct, and nothing is beyond reach. And while there may be no way to keep prying eyes out of our email, there is a way to keep the most sensitive information pertaining to your business out of reach. With that thought foremost in my mind, it is, indeed, time to make some serious changes.

Call me old-fashioned, but I think I'd rather take my chances with the government listening to my phone calls. How about you? When I say, "phone call," I mean literally, like, on the phone-and I say this because, of all the ways we communicate, a landline affords the better shot at privacy and a more secure mode of communication.

The act of getting out of a chair and walking down the corridor to talk to a colleague helps to burn off holiday excesses, builds inter-office rapport and can't be hacked. Email and text have supplanted the collegial walk-by. There are those who will say that it's not efficient to pick up the phone. I'm not sure I buy that. Email and text streamline workflow only in theory. Each is just a swipe or click away from the major time-sucks provided by social media. And the interaction that happens without the interference of keystrokes or thumbing a screen provides sparks that just don't happen in the dynamic-free zone of tit-for-tat correspondence. And again, a face-to-face or headset-to-headset conversation is probably the most secure mode of communication in the post-Sony hack world.

I'm sure it will take some getting used to, but if anyone at my office needs a fast answer from me, I'm going to ask that whenever possible they tap my doorframe or give me a call. Beyond the security considerations, the truth is that I actually like talking to people, and I ultimately learn more about whatever it is we're talking about. For all their convenience, emails and texts are far from perfect modes of communication. Much meaning is lost when communicating by keystroke. Anyone who's emailed a sarcastic quip that was taken literally will confirm this.

There are other options. Sony Pictures had to revert to communication via fax during the days following the hack, but faxes leave too much to chance because you never know who's waiting on the other end of your transmission, and there's the added possibility that you might dial a wrong number.

If smoke signals weren't so easy to spot, I'd suggest that route. And while it's true that you never know when a fake cell tower's going to roll into your neighborhood, using the phone and having more face-to-face discussions at the office are perhaps the better ways to engage in team building through a group commitment to data security.