mapt, 4 hours ago:
I don't understand why there shouldn't be a strict-liability play here on top of penalties for knowing violations. You lose all your customers' data to a darknet leak? We should be taking a huge chunk out of your balance sheet. My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?
|
201984, an hour ago:
I'll bite. Why is it the fault of the organization that gets broken into, rather than the fault of the attackers breaking into it? Even if the defender takes every reasonable defensive measure, they could still get pwned by some zero-day that they had no defense against. Should they be fined into oblivion for something like that?
|
erikerikson, 4 hours ago:
Penalties are $100-$50,000 per violation (i.e. per leak for each person), up to $1.5 million per year[0]. If in the US (I'm assuming, given you mention your health insurance) you can report it to your state insurance commissioner, which may have already occurred for your incidents.

[0] https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...
panny, 3 hours ago:
There's also possible prison sentences. I just love it when someone wants to "get tough on X" when all the laws are already tough on X and just unenforced. That's how you end up with every American committing three felonies a day without knowing it.
erikerikson, 3 hours ago:
I'll bite: examples?
Bender, 2 hours ago:
It's from a topic in a book [1] that is sometimes also discussed on forums. The gist of it is something to the effect of: there are so many laws, and so much wiggle room in most of the laws, that each person is committing multiple felonies per day without knowing it, thus empowering agencies to arrest just about anyone at any given time. That the United States of America has the highest incarceration rate in the world is just one small example of that.

[1] - https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp...
erikerikson, 2 hours ago:
I was aware of the de facto state but not the book, thank you for sharing that. Still, I was hoping for examples.
Bender, 2 hours ago:
Oh, you meant case law examples. It's a bit of reading, but search for examples of case law where a person was convicted on technicalities while not violating the spirit of the law, sometimes later being overturned. I don't have any examples and I hate to suggest this, but maybe start with whatever LLM you use.
panny, 22 minutes ago:
Discarding misdirected mail is a felony (18 U.S. Code § 1702). For example, you receive a flyer in the mail addressed to John Smith, who previously lived at your address. If it doesn't say "John Smith OR current resident", then discarding that junk mail is a felony. You are supposed to write "Return to sender" on every piece of junk mail or correspondence not addressed to you and put it in the outgoing mail. People discard junk flyers every single day without looking at the address first. Simple things like that.

To tie back into the original discussion on HIPAA, I had a collection agency sending mail addressed to a previous resident to my address once. The return address was the clinic of the patient. I was dutifully writing RTS on every letter and putting it back in the mail, but they would not take me off their nastygram list. That was until I wrote "You know, it's a felony HIPAA violation to be leaking this patient's name and clinic to me after you've been notified of the incorrect address." The collection letters immediately stopped after I did that.
thewebguyd, 4 hours ago:
At some point we really should consider a system similar to points on a driver's license for repeat offenders like that. Once, maybe twice, comes with some serious fines and compensation to victims. Three times or more? Why are they allowed to continue to be in that business? We can't let repeat offenders continue to handle sensitive data.