Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?
It is not a trick question. Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet.
Researcher discovers exposed patient information readily available on a public server, he tries to alert the company that the information is exposed, he gets arrested. WTF?
Source: FBI raids dental software researcher who discovered private patient data on public server | The Daily Dot