Comment by Swizec
8 hours ago
> big companies need to self police and if a child can reach their service they have to pay the child, let's say, GBP 10k per instance?
HIPAA has been super effective this way. As we all know, American companies don’t give two shits about user privacy or even security. But wave the HIPAA flag and everyone starts caring real hard and taking extremely cumbersome steps to comply with patient privacy.
Very simple: Each HIPAA violation comes with a financial penalty for the business and personal penalty for every person involved in the leak. Very effective.
I agree the threat is there but I've never seen anyone actually punished for HIPAA violations and my data have been involved in several hospital and insurance breaches.
There's not even a test for HIPAA compliance, so you can't legally prove you were ever compliant in the first place, other than you did what you thought was right. People love to use the term "HIPAA-compliant" but it's technically not a thing.
From my understanding, HIPAA mostly just says that you need to have policies in place for various things, such as rotating passwords or encrypting data, but it doesn't go into explicit detail about what all must be IN those policies, or how you enforce them.