QOTD - Liston on HHS Harm Threshold Loophole

Tom Liston, senior security consultant and malware analyst for InGuardians, comments on a recently announced loophole that allows HIPAA-covered entities to dispense with breach notification when the harm threshold is not met. The harm threshold is met if the breach poses a "significant risk of financial, reputational or other harm to [an] individual."
Ok... let me get this straight: I screw up and let someone steal your data. Then *I* (an acknowledged screw-up) get to decide if my screw-up poses any harm to you!?!? What could possibly go wrong with that? Next up: rapists, murderers, and felons get to decide if they're ready to be released from prison...
Src: SANS NewsBites Vol 11 Num 74