
A file-cabinet next to the server?


There are rules on how the information has to be indexed and cross referenced; while you might be able to design a system of electronic-beside-hardcopy records that you could make a plausible argument for meeting all of the requirements, it's straightforward to do it if your data and media are in the same electronic system.

Considering that getting it wrong is a federal felony, the incentive set by the law is clear even if, arguably, unintended.


> Considering that getting it wrong is a federal felony, the incentive set by the law is clear even if, arguably, unintended.

I don’t think you’re wrong, but I would argue that if getting it wrong is a felony, not properly protecting the data should be a felony as well. I realize it isn’t, but incidents like this showcase just how poorly the laws around this type of thing are written. If you can’t properly protect the data, you shouldn’t be in this type of business.

Of course, in this case, this is a site registered in Andorra. So who even knows what those laws required in the first place.


> I don’t think you’re wrong, but I would argue that if getting it wrong is a felony, not properly protecting the data should be a felony as well.

It probably should be; I suspect that it's not because making involvement in porn risky for adult participants (and thereby discouraging it), while not the central focus of the law, isn't actually undesirable to lawmakers.

> Of course, in this case, this is a site registered in Andorra. So who even knows what those laws required in the first place.

My understanding is that the US applies its rules to anything of an adult nature sold into or among the US states, regardless of origin, though in practice applying it to foreign entities with little US exposure is difficult; but certainly it wouldn't be the only law that applies, to the extent it might apply.


Eh, maybe it's irresponsible but I don't think that it needs to be a felony or that those people shouldn't be in business. People just shouldn't expect every shady website to have perfect data practices.


You shouldn’t need to ask if your employer is shady — and even then because it isn’t shady, not because someone tells you afterwards that it should’ve been obvious to you that it was bad before you started.


Sure, but that doesn't mean that because some data got leaked that it should be a felony.


Not being a legal scholar, I won’t make a distinction between felony and misdemeanor.

What I will say is that just as computers are a force-multiplier for getting important stuff done, they are also a force-multiplier for causing harm. As the old saying goes: “to err is human, to really foul up requires a computer”.

This leak did not endanger just one or two people, which would be bad enough, but 4000. Even if the remedy is limited to a fine sufficient for each affected person to change their names and address, it is still a more serious harm than almost anything normal intuition will help with because of how many were involved.

I wish that being in the sex industry was socially neutral for men and women and that nobody would be assaulted or insulted for it. I don’t know why that isn’t the case already, but I do recognise that it isn’t — and given that it isn’t, this leak is still extremely likely to result in someone getting hurt.


Also not being a legal scholar, the distinction being that a felony is a much more serious crime and lands people in jail for long periods of time. Which is why I think this could be an overreaction when a data leak may possibly be a mistake or ignorance. I understand that the nature of the data may be sensitive, but I don't think it makes sense to ham-handedly punish people for something they aren't directly responsible for. Like someone being hypothetically hurt by someone else because of a data leak they may not even have known about.


I strongly disagree. I’d expect the shadiest of shady websites to have the best security, but as demonstrated, the people that scooped up tonnes of my financial history without my permission, then charge me for access, and sell that data to other financial institutions that use that data to determine my access to credit, not only have terrible security, but aren’t really punished for it either.


I would love to implement an extreme version of this, where each night a cron job runs that prints directly into a slot of a locked box


Any time human labor is involved, that makes the startup less valuable to VC.


Anytime human labour that is required is ignored that makes the startup more deceptively attractive to VC - and may end up bordering on fraud if done with intent.


Fraud and the rule of law don't seem to factor into VC calculations lately.


Well, they do, just sometimes fraud positively and the rule of law negatively, instead of vice-versa.



