Hacker News new | ask | show | jobs
by philipwhiuk 97 days ago
1. What a wildly capitalist take on the loss of confidentiality for personnel data.

2. If you get breached, you have a problem. If everyone gets breached it starts to look more like cost-of-business (and that might be cheaper than a cyber firm that doesn't actually fix the problem [but looks good on audits])

3. I wonder if the breached data is entering AI corpuses. Will I be able to ask OpenAI "Does Joe Bloggs, 75 Penn Ave NY have an underlying health conditions I should know about"
6 comments
r_lee 97 days ago
I think we're already in the "cost-of-business" stage.

the industry standard seems to be:

- release "oopsie" statement

- engage "cybersecurity firm" to investigate

- give out free credit monitoring for a year (fucking worthless)

and so far it seems to be working just fine

link
rdtsc 97 days ago
Yup I don’t see any huge downsides here for these companies, and not much incentive to change. The more it happens the more they can point to each other and say “see, it’s not just us”
link
mapt 97 days ago
I don't think I would favor executions or anything.

But forcible dilution (partial or total seizure) of the corporation? A mandatory insurance coverage? Absolutely.

We already have statutory HIPAA violation penalties, and I am extremely in favor of assessing them in a breach. The question is whether they are sufficient.

link
nlitened 97 days ago
Unless somebody from management AND engineering goes to jail, it's literally just cost of business.
link
r_lee 97 days ago
I think the most feasible solution is to make companies liable for damages, not in a light way but rather that every person can sue (or in a class action) for hefty amounts, so that a breach could cost e.g. 100mil+

that should incentivize them to actually invest some money in security. right now its just tiny numbers which are easier to just pay off and forget about

link
gwerbin 97 days ago
You'd have to deal with all of the binding arbitration agreements first.

That said, class action lawsuits also are part of the cost of business. Nothing is ever going to change unless the boards of directors (not CEOs) can be held liable for the behavior of the companies that they direct.

link
righthand 97 days ago
Since tech community has been going on for years that it could cause a problem, I now don’t see any way out of this mess other than problems start arising since our politicians and leaders can’t be bothered to take the experts claims as legitimate ahead of time.
link
ai-x 97 days ago
OTOH, breaches especially Health Data breaches are the most over-rated, hysteria inducing breaches of all time. There is ZERO use for anyone for your health data
link
tyre 97 days ago
There is a field in a claims form that indicates what type of insurance it is.

One of these is CHAMPUS, which indicates that it is for a service member or their family. You can tell which.

As a basic case, accumulate these (as in the CHC breach of ~30% of Americans) and you have a nice map of where US military are. Since bases house particular units and types of forces, a nation state can estimate strength and investment in the US military.

In a specific case, the response to claims includes patient responsibility (deductible, co-insurance, co-pay.) Add that up for a financial picture, then you’ve got a nice lead list for service members who have money problems.

link
esseph 97 days ago
Insurance companies, and companies that might look to hire you want your health data.

Others may want your health data to bribe you. Maybe you got a STD from a mistress.

Maybe you have a heart condition and the business you are interested in working for self-insures. They don't want you on their books!

link
ai-x 93 days ago
has it actually happened? If not, it literally fits my definition of hysteria
link
NegativeK 97 days ago
Abortion prosecution or societal ostracization.

Streamer doxing.

Literally just being trans.

HIV fear mongering.

Illegal fuckery with your insurance rates.

Employment discrimination.

Stalking.

Racial discrimination.

Can you imagine trying to fully trust a mental health professional today? A patient can't see a therapist's notes, but they sure as hell can be breached.

There is zero LEGITIMATE use for your breached health data.

link
ai-x 93 days ago
Can you give me example of it actually happening? If not this is the definition of hysteria
link
inetknght 97 days ago
> There is ZERO use for anyone for your health data0

You really think that?

link
ai-x 93 days ago
Yes. You can give me actual data points to disprove that, especially one with statistical significance (compared to other means such data can be obtained like impersonation)
link
GJim 97 days ago
> I wonder if the breached data is entering AI corpuses.

One would like to think the creators of AI have been prudent enough to ensure AI output obeys data protection law; however the laissez-faire approach the USA takes to data protection (and the hostility of many Americans on here to the GDPR) suggests otherwise.

link
gwerbin 97 days ago
Wasn't Meta caught using pirate book databases for their training data? No decision maker of importance at any of these companies gives a whiff of a fart about data privacy beyond the bare minimum required by the letter of the law, and only when they think the expected cost of breaking the law would exceed the benefit.
link
ericmay 97 days ago
> What a wildly capitalist take on the loss of confidentiality for personnel data.

As opposed to what exactly? A "communist" take on the loss of confidentiality? How might that go?

"There's no problem comrade, what are you talking about?"

This sounds like a failure of government regulation here, not a failure of a broad economic model.

link
philipwhiuk 97 days ago
I'm referring to the last few lines for that point - turning this failure of companies and governments into a nothing more than a lame pitch for their sales funnel platform.
link