[mapt]

I don't understand why there shouldn't be a strict-liability play here on top of penalties for knowing violations.

You lose all your customer's data to a darknet leak? We should be taking a huge chunk out of your balance sheet.

My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?

[erikerikson]

Penalties are $100-$50,000 per violation (i.e. per leak for each person), up to $1.5 million per year[0]. If in the US (I'm assuming given you mention your health insurance) you can report it to your state insurance commissioner which may have already occurred for your incidents.

[0] https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...

[mapt]

"Strict Liability" is how we deal with a subset of crimes and torts - intent is not required to be proven to establish legal culpability/liability.

You're describing willful leaks by an employee, I'm condemning insufficiently competent / insufficiently conservative data security. A data security breach should incur significant penalties to the corporate entity, and those penalties should be multiplied by the number of records compromised.

These penalties should be high enough to minimize the number of records actually retained outside of cold storage, among other things.

When Equifax's breach leaks their entire database, massive social losses are occurring. We should have collectively seized that company from its shareholders for spying on us and leaking all our shit, not settled for "a year of free credit monitoring".

So when I get a letter telling me that an old insurer has had all of their patient data, names, DOB, SSN, health conditions, leaked to the darknet... and then I look it up and see it's the second time in a couple years? This is data that is in theory heavily protected. I'm out for blood.

[erikerikson]

Actually, I summarized the whole bunch which included your case. Note, for example, that the range starts with $100.

I completely agree that the offers of credit monitoring are completely insufficient. Mixing that with feelings about the credit system muddles things a bit but I'm no fan of the incompetence of that system either even though there is some social good in the underlying provision.

I'm not telling you not to be angry. You have every right to be. I would suggest noting that at some level you can end up maximizing the damage it does to you.

[panny]

There's also possible prison sentences. I just love it when someone wants to "get tough on X" when all the laws are already tough on X and just unenforced. That's how you end up with every American committing three felonies a day without knowing it.

[erikerikson]

I'll bite: examples?

[panny]

Discarding misdirected mail is a felony (18 U.S. Code § 1702). For example, you receive a flyer in the mail addressed to John Smith who previously lived at your address. If it doesn't say "John Smith OR current resident" then discarding that junk mail is a felony. You are supposed to write "Return to sender" on every piece of junk mail or correspondence not addressed to you and put it in the outgoing mail. People discard junk flyers every single day without looking at the address first. Simple things like that.

To tie back into the original discussion on HIPAA, I had a collection agency sending mail addressed to a previous resident to my address once. The return address was the clinic of the patient. I was dutifully writing RTS on every letter and putting it back in the mail, but they would not take me off their nastygram list. That was until I wrote "You know, it's a felony HIPAA violation to be leaking this patient's name and clinic to me after you've been notified of the incorrect address." The collection letters immediately stopped after I did that.

[erikerikson]

Good example. I believe the correct behavior is to write "Not at this address" rather than "Return to sender" these days

[Bender]

It's from a topic in a book [1] that is sometimes also discussed on forums. The gist of it is something to the effect of, there are so many laws and so much wiggle room in most of the laws that each person is committing multiple felonies per day without knowing it thus empowering agencies to arrest just about anyone at any given time. The United States of America has the highest incarceration rate of the world is just one small example of that.

[1] - https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp...

[erikerikson]

I was aware of the de facto state but not the book, thank you for sharing that.

Still, I was hoping for examples.

[Bender]

Oh you meant like case law examples. It's a bit of reading but search for examples of case law where a person was convicted on technicalities but not violating the spirit of the law, sometimes later being over-turned. I don't have any examples and I hate to suggest this but maybe start with whatever LLM you use.

[thewebguyd]

At some point we really should consider a similar system to points on a drivers license for repeat offenders like that. Once, maybe twice come with some serious fines and compensation to victims. 3 times or more? Why are they allowed to continue to be in that business? We can't let repeat offenders be allowed to continue to handle sensitive data.

[201984]

I'll bite. Why is it the fault of the organization that gets broken into, rather than the fault of the attackers breaking into it? Even if the defender takes every reasonable defensive measure, they could still get pwned from some zero day that they had no defense against. Should they be fined into oblivion for something like that?

[ndsipa_pomu]

The question is whether the defender takes reasonable defensive measures or not.

The problem is that without having some kind of enforcement, businesses will decide that it is cheaper to not worry at all about security and thus their customers will have their data leaked/shared etc.

There's a world of difference between a company that puts effort into security and one that doesn't.

[mapt]

What is my incentive, as a shareholder in a medical company, to demand functional, bulletproof security, and to hold on to no more data than I need, and to encrypt everything? I'm never going to suffer as a result of breaches. Nor are any of my staff. so long as evidence doesn't show that they did it deliberately.

A cryptocurrency business or a diamond business, by contrast, has very strict security protocols, because if they don't, all the value gets wiped out very quickly. The rules basically absolve the healthcare company of fiscal responsibility.

This update OP is posting about may require jumping through certain hoops, but it does not require functionality of those measures.