Health Breach Notification Rule, 17914-17925 [E9-8882]

17914 Federal Register / Vol. 74, No. 74 / Monday, April 20, 2009 / Proposed Rules

FEDERAL TRADE COMMISSION

16 CFR Part 318

[RIN 3084–AB17]

Health Breach Notification Rule

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of proposed rulemaking; request for public comment.

SUMMARY: Under the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”), the Federal Trade Commission (“FTC”) or (“Commission”) must issue rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. Accordingly, the FTC seeks comment on a proposed rule.

DATES: Comments must be received on or before June 1, 2009.

ADDRESSES: Interested parties are invited to submit written comments electronically or in paper form. Comments should refer to “Health Breach Notification Rulemaking, Project No. R911002” to facilitate the organization of comments. Please note that your comment—including your name and your state—will be placed on the public record of this proceeding, including on the publicly accessible FTC website, at (http://www.ftc.gov/os/publiccomments.shtm). Because comments will be made public, they should not include any sensitive personal information, such as an individual’s Social Security number; date of birth; driver’s license number, state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information.

In addition, comments should not include any “[t]rade secret or any commercial or financial information which is obtained from any person and which is privileged or confidential * * *,” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c), 16 CFR 4.9(c).[1] Because paper mail addressed to the FTC is subject to delay due to heightened security screening, please consider submitting your comments in electronic form. Comments filed in electronic form should be submitted by using the weblink (https://secure.commentworks.com/ftchealthbreachnotification), and following the instructions on the web-based form. To ensure that the Commission considers an electronic comment, you must file it on the web-based form at the weblink (https://secure.commentworks.com/ftchealthbreachnotification). If this Notice appears at (http://www.regulations.gov/search/index.jsp), you also may file an electronic comment through that website. The Commission will consider all comments that regulations.gov forwards to it. You also may visit the FTC website at http://www.ftc.gov to read the Notice and the news release describing it. A comment filed in paper form should include the “Health Breach Notification Rulemaking, Project No. R911002” reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room H–135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 20580. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives, whether filed in paper or electronic form. Comments received will be available to the public on the FTC website, to the extent practicable, at (http://www.ftc.gov/os/publiccomments.shtm). As a matter of discretion, the Commission makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC website. More information, including routine uses permitted by the Privacy Act, may be found in the FTC’s privacy policy, at (http://www.ftc.gov/ftc/privacy.shtm). Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Information and Regulatory Affairs, Office of Management and Budget (“OMB”), Attention: Desk Officer for Federal Trade Commission. Comments should be submitted via facsimile to (202) 395–5167 because U.S. postal mail at the OMB is subject to delays due to heightened security precautions.

[1] See also FTC Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR 4.9(c).
FOR FURTHER INFORMATION CONTACT: Cora Tung Han or Maneesha Mithal, Attorneys, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580, (202) 326–2252.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Section-by-Section Analysis of the Proposed Rule
III. Paperwork Reduction Act
IV. Regulatory Flexibility Act
V. Proposed Rule

I. Background

On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”) into law.[2] The Act includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of web-based entities that collect consumers’ health information. These entities include vendors of personal health records and online applications that interact with such personal health records. Some of these entities are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (“HIPAA”).[3] For such entities, the Recovery Act requires the Department of Health and Human Services (“HHS”) to study, in consultation with the FTC, potential privacy, security, and breach notification requirements and submit a report to Congress containing recommendations within one year of enactment of the Recovery Act.

[2] American Recovery & Reinvestment Act of 2009, Pub. L. 111–5, __ Stat. __.
[3] Health Insurance Portability & Accountability Act, Pub. L. 104–191, 110 Stat. 1936 (1996).

Until Congress enacts new legislation implementing any recommendations contained in the HHS/FTC report, the Recovery Act contains temporary requirements, to be enforced by the FTC, that such entities notify customers in the event of a security breach.[4] The proposed rule implements these requirements. The Recovery Act also directs HHS to promulgate interim final regulations requiring (1) HIPAA-covered entities, such as hospitals, doctors’ offices, and health insurance plans, to notify individuals in the event of a security breach and (2) business associates of HIPAA-covered entities to notify such covered entities in the event of a security breach. To the extent that FTC-regulated entities engage in activities as business associates of HIPAA-covered entities, such entities will be subject only to HHS’ rule requirements and not the FTC’s rule requirements, as explained below. In addition, the Commission notes that many of the breach notification requirements applicable to FTC-regulated entities are the same as the breach notification requirements applicable to HHS-regulated entities. Indeed, section 13407 of the Recovery Act states that the statutory requirements for timeliness, method, and content of breach notifications contained in section 13402 (the section applicable to HHS-regulated entities) shall apply to FTC-regulated entities “in a manner specified by the Federal Trade Commission.” Thus, the FTC is consulting with HHS to harmonize its proposed rule with HHS’ proposed rule.

[4] Section 13407(g)(1) of the Recovery Act requires the FTC to promulgate, within 180 days of its enactment, regulations on the breach of security notification provisions applicable to its regulated entities.

II. Section-by-Section Analysis of the Proposed Rule

The Commission proposes to issue the Health Breach Notification Rule as a new Part 318 of 16 CFR. The following is a section-by-section analysis of the proposed rule.

Proposed Section 318.1: Purpose and Scope

Proposed section 318.1 serves three purposes. First, it states the relevant statutory authority for the proposed rule. Second, it identifies the entities to which the proposed rule would apply: vendors of personal health records, PHR[5] related entities, and third party service providers. Third, proposed section 318.1 clarifies that the proposed rule does not apply to HIPAA-covered entities or to an entity’s activities as a business associate of a HIPAA-covered entity. The Commission also notes that the proposed rule applies to entities beyond the FTC’s traditional jurisdiction under Section 5 of the FTC Act, since the Recovery Act does not limit the FTC’s enforcement authority to its enforcement jurisdiction under Section 5. Indeed, section 13407 of the Recovery Act expressly applies to “vendors of personal health records and other non-HIPAA covered entities,” without regard to whether such entities fall within the FTC’s enforcement jurisdiction. Thus, the proposed rule would apply to entities such as nonprofit entities that offer personal health records or related products and services, as well as non-profit third party service providers.

[5] PHR means personal health record.

With respect to the scope of the proposed rule, the Commission seeks comment on (1) the nature of entities to which its proposed rule would apply; (2) the particular products and services they offer; (3) the extent to which vendors of personal health records, PHR related entities, and third party service providers may be HIPAA-covered entities or business associates of HIPAA-covered entities; (4) whether some vendors of personal health records may have a dual role as a business associate of a HIPAA-covered entity and a direct provider of personal health records to the public; and (5) circumstances in which such a dual role might lead to consumers’ receiving multiple breach notices or receiving breach notices from an unexpected entity, and whether and how the rule should address such circumstances.

Proposed Section 318.2: Definitions

This section defines terms used in the Health Breach Notification Rule.

Breach of Security

The first sentence of proposed paragraph (a) defines “breach of security” as the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual. This sentence is identical to the definition of “breach of security” in section 13407(f)(1) of the Recovery Act. In some cases, it will be fairly easy to determine whether unsecured PHR identifiable health information has been acquired without authorization. Examples of such cases include the theft of a laptop containing unsecured personal health records; the theft of hard copies of such records; the unauthorized downloading or transfer of such records by an employee; and the electronic break-in and remote copying of such records by a hacker. In other cases, there may be unauthorized access to data, but it is unclear, without further investigation, whether the data also has been acquired.
Unauthorized persons may have access to information if it is available to them. The term acquisition, however, suggests that the information is not only available to unauthorized persons, but in fact has been obtained by them. For example, if an entity’s access log shows that an unauthorized employee obtained access to information by opening an online database of personal health records, there clearly has been access to the data, but it is not clear whether the data also has been acquired. Consider the following possible scenarios: (1) the employee viewed the records to find health information about a particular public figure and sold the information to a national gossip magazine; (2) the employee viewed the records to obtain information about his or her friends; (3) the employee inadvertently accessed the database, realized that it was not the one he or she intended to view, and logged off without reading, using, or disclosing anything. In scenario (3), the Commission believes that no acquisition has taken place; thus, breach notification is not required. Unauthorized acquisition has, however, occurred in scenarios (1) and (2).

In the types of situations described above, where there has been unauthorized access to unsecured PHR identifiable health information, the Commission believes that the entity that experienced the breach is in the best position to determine whether unauthorized acquisition has taken place. Thus, the proposed rule creates a presumption that unauthorized persons have acquired information if they have access to it, thus creating the obligation to provide breach notification. This presumption can be rebutted with reliable evidence showing that the information was not or could not reasonably have been acquired. Such evidence can be obtained by, among other things, conducting appropriate interviews of employees, contractors, or other third parties; reviewing access logs and sign-in sheets; and/or examining forensic evidence. For example, if an entity’s employee loses a laptop containing unsecured health information in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised. Accordingly, the Commission proposes to add a second sentence to the definition of breach of security as follows: “Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.”

Business Associate

Proposed paragraph (b) defines “business associate” to mean a business associate under HIPAA, as defined in 45 CFR 160.103. That regulation, in relevant part, defines a business associate as an entity that (1) provides certain functions or activities on behalf of a HIPAA-covered entity or (2) provides “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for” a HIPAA-covered entity.

HIPAA-Covered Entity

Proposed paragraph (c) defines “HIPAA-covered entity” to mean a covered entity under HIPAA, as defined in 45 CFR 160.103. That regulation provides that a HIPAA-covered entity is a health care provider that conducts certain transactions in electronic form, a health care clearinghouse (which provides certain data processing services for health information), or a health plan.
Personal Health Record

Proposed paragraph (d) defines a “personal health record” as an “electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” This language is substantively identical to the definition of personal health record in section 13400(11) of the Recovery Act.[6]

[6] Where this Notice characterizes an element of the proposed rule as “substantively identical” to a corresponding provision in the Recovery Act, the difference between the two texts is minor and not substantive, and the relevant text of both the rule and statute is intended to have the same meaning. For example, the Recovery Act’s definition of “personal health record” states that it is an “electronic record of PHR identifiable health information (as defined in section 13407(f)(2)). . .” The proposed rule definition drops the cross-reference, but is identical in all other respects. In other places, the rule may change a plural to a singular or vice versa; substitute terminology such as “HIPAA-covered entity” for “covered entity”; spell out a shorthand notation in the statute; or make similar non-substantive changes.

PHR Identifiable Health Information

Proposed paragraph (e) defines “PHR identifiable health information” as “individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)),[7] and with respect to an individual, information (1) that is provided by or on behalf of the individual; and (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” This definition is substantively identical to section 13407(f)(2) of the Recovery Act. The Commission notes three points with respect to this definition. First, because the definition of “PHR identifiable health information” includes information that relates to the “past, present, or future payment for the provision of health care to an individual,” the proposed rule covers breaches of such information. Thus, for example, the proposed rule would cover a security breach of a database containing names and credit card information, even if no other information was included. Second, because the definition includes information that relates to “the health or condition” of the individual, it would include the fact of having an account with a vendor of personal health records or related entity, where the products or services offered by such vendor or related entity relate to particular health conditions. For example, the theft of an unsecured customer list of a vendor of personal health records or related entity directed to AIDS patients or people with mental illness would require a breach notification, even if no specific health information is contained in that list. Third, if there is no reasonable basis to believe that information can be used to identify an individual, the information is not “PHR identifiable health information,” and a breach notification need not be provided.

[7] This provision defines “individually identifiable health information” as information that “(1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
For example, if a breach involves information that has been “de-identified” under HHS rules implementing HIPAA, the Commission will deem that information to fall outside the scope of “PHR identifiable health information” and therefore not covered by the proposed rule. The HHS rules specify two ways to de-identify information: (1) If there has been a formal determination by a qualified statistician that information has been de-identified; or (2) if specific identifiers about the individual, the individual’s relatives, household members, and employers are removed, and the covered entity has no actual knowledge that the remaining information could be used to identify the individual.[8] There may be additional instances where, even though the standard for de-identification under 45 CFR 164.514(b) is not met, there is no reasonable basis to believe that information is individually identifiable. The Commission requests examples of such instances.

[8] 45 CFR 164.514(b); see also U.S. Department of Health and Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy Rule, (www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf).

PHR Related Entity

Proposed paragraph (f) defines the term “PHR related entity” to cover the three types of entities set forth in clauses (ii), (iii), and (iv) of section 13424(b)(1)(A) of the Recovery Act.[9] First, the definition includes entities that are not HIPAA-covered entities and that offer products or services through the website of a vendor of personal health records. This definition is substantively identical to the statutory language but also clarifies that HIPAA-covered entities are excluded. This clarification is consistent with the coverage of section 13424, which requires a study and report on the “Application of Privacy and Security Requirements to Non-HIPAA Covered Entities.” Examples of entities that could fall within this category include a web-based application that helps consumers manage medications; a website offering an online personalized health checklist; and a brick-and-mortar company advertising dietary supplements online. Consumers interact with entities in this category by clicking on the appropriate link on the website of a vendor of personal health records. Second, PHR related entities include entities that are not HIPAA-covered entities and that offer products or services through the websites of HIPAA-covered entities that offer individuals personal health records. This language is substantively identical to section 13424(b)(1)(A)(iii) of the Recovery Act. This category differs from the first category in that it covers entities whose applications are offered through the websites of HIPAA-covered entities, as opposed to non-HIPAA covered entities. Entities may fall in both categories if they offer their applications through both HIPAA-covered websites and non-HIPAA covered websites. Third, PHR related entities include non-HIPAA covered entities “that access information in a personal health record or send information to a personal health record.” This language is substantively identical to section 13424(b)(1)(A)(iv) of the Recovery Act. This category could include online applications through which individuals, for example, connect their blood pressure cuffs, blood glucose monitors, or other devices so that the results could be tracked through their personal health records. It could also include an online medication or weight tracking program that pulls information from a personal health record.

[9] At the outset, proposed paragraph (f) clarifies that the term excludes HIPAA-covered entities, as well as other entities to the extent that they engage in activities as a business associate of a HIPAA-covered entity.

Unsecured

Proposed paragraph (h) defines the term “unsecured” as “not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009.” If such guidance is not issued by the date specified in such section (i.e., by 60 days after enactment of the Act and annually thereafter), the term unsecured means “not secured by a technology standard that renders PHR identifiable information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” The proposed definition is substantively identical to the definition of “unsecured PHR identifiable health information” in the Recovery Act.

Vendor of Personal Health Records

Proposed paragraph (i) defines the term “vendor of personal health records” to mean “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.” This proposed definition is substantively identical to the statutory definition contained in section 13400(18) of the Recovery Act, but also clarifies that a vendor of personal health records does not include entities’ activities as a business associate of a HIPAA-covered entity.
Third Party Service Provider

Proposed paragraph (g) defines the term “third party service provider” as “an entity that (1) provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity, and (2) accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.” Because the term third party service provider is not defined in the Recovery Act, the Commission based its proposed definition on the description of third party service providers in section 13407(b) of the Act. Third party service providers include, for example, entities that provide billing or data storage services to vendors of personal health records or PHR related entities.

Proposed Section 318.3: Breach Notification Requirement

Proposed paragraph 318.3(a) requires vendors of personal health records and PHR related entities, upon discovery of a breach of security, to notify U.S. citizens and residents whose information was acquired in the breach and to notify the FTC. This provision is substantively identical to section 13407(a) of the Recovery Act. Proposed paragraph 318.3(b) requires third party service providers to both vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach. The purpose of this requirement is to ensure that the vendor or entity receiving the breach notification is aware of the breach, so that it can in turn provide its customers with a breach notice. To further this purpose, proposed paragraph 318.3(b) requires that the third party service provider’s notification shall include “the identification of each individual” whose information “has been, or is reasonably believed to have been acquired during such breach.” The proposed paragraph is substantively identical to section 13407(b) of the Recovery Act,[10] but adds language requiring entities to provide notice to a senior official of the vendor or PHR related entity and to obtain acknowledgment from such official that he or she has received the notice. The purpose of this requirement is to avoid the situation in which lower-level employees of two entities might have discussions about a breach that never reach senior management. It is also designed to avoid the problem of lost emails or voicemails.

[10] As noted above, although the Recovery Act does not define the term “third party service provider,” the proposed rule sets forth a definition based on the language in section 13407(b) describing such entities. Thus, it is not necessary to repeat the descriptive language in this section of the proposed rule. In addition, the proposed rule requires notification to individuals whose information was “acquired,” while the Recovery Act uses the terms “accessed, acquired, or disclosed.” This change is intended to harmonize the proposed rule with the other provisions of the Act making clear that the standard for FTC-regulated entities, including third party service providers, is “acquired.” Indeed, the statute requires third party service providers to notify individuals upon a “breach of security,” which is defined only as unauthorized acquisition.

Finally, proposed section 318.3(c) provides that a breach “shall be treated as discovered as of the first day on which such breach is known to a vendor of personal health records, PHR related entity, or third party service provider, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider, respectively) or should reasonably have been known to such vendor of personal health records, PHR related entity, or third party service provider (or person) to have occurred.” This proposed paragraph is substantively identical to section 13402(c) of the Recovery Act.[11] Regarding the “reasonably should have been known” standard, the Commission expects entities that collect and store unsecured PHR identifiable health information to maintain reasonable security measures, including breach detection measures, which should assist them in discovering breaches in a timely manner. If an entity fails to maintain such measures, and thus fails to discover a breach, such failure could constitute a violation of the proposed rule because the entity “reasonably” should have known about the breach. The Commission recognizes, however, that certain breaches may be very difficult to detect, and that an entity with strong breach detection measures may nevertheless fail to discover a breach.

[11] Section 13407(c) of the Recovery Act states that the standard for when breaches are discovered for HIPAA-covered entities also shall apply to FTC-regulated entities “in a manner specified by the Federal Trade Commission.”
In such circumstances, the failure to discover the breach would not constitute a violation of the proposed rule.[12]

[12] The Commission enforces a variety of laws requiring entities to provide reasonable and appropriate security for the data that they collect from consumers. See, e.g., Federal Trade Commission Act, 5 U.S.C. 45; Fair Credit Reporting Act, 15 U.S.C. 1681–1681x; Gramm-Leach-Bliley Act, 15 U.S.C. 6801(b), and Standards for Safeguarding Customer Information, 16 CFR Part 314 (“Safeguards Rule”), available at (http://www.ftc.gov/os/2002/05/67fr36585.pdf.) The Commission has also disseminated educational materials encouraging companies to provide security for consumer data and providing guidance regarding practical ways to do so.

Proposed Section 318.4: Timeliness of Notification[13]

Proposed section 318.4(a) requires breach notifications to individuals and the media to be made “without unreasonable delay” and in no case later than 60 calendar days after discovery of the breach. This language is substantively identical to section 13402(d)(1) of the Recovery Act, except that the Commission has clarified that the timing requirement for notice to consumers is different from the requirement for notice to the FTC. Proposed section 318.4(b) states that vendors of personal health records, PHR related entities, and third party service providers have the burden of proving that they provided the appropriate breach notifications. Finally, proposed section 318.4(c) allows breach notification to be delayed upon appropriate request of a law enforcement official. The proposed burden of proof and law enforcement provisions are substantively identical to sections 13402(d)(2) and 13402(g) of the Recovery Act.[14]

The Commission notes that the standard for timely notification is “without unreasonable delay,” with the 60-day period serving as an outer limit. Thus, in some cases, it may be an “unreasonable delay” to wait until the 60th day to provide notification. For example, if a vendor of personal health records or PHR related entity learns of a breach, gathers all necessary information, and has systems in place to provide notification within 30 days, it would be unreasonable to wait until the 60th day to send the notice. There may also be circumstances where a vendor of personal health records or PHR related entity discovers that its third party service provider has suffered a breach (e.g., through a customer or whistleblower) before the service provider notifies the vendor or entity that the breach has occurred. In such circumstances, the vendor or entity should treat this breach as “discovered” for purposes of providing timely notification, and should not wait until receiving notice from the service provider to begin taking steps to address the breach.

[13] Section 13407(c) of the Recovery Act states that the requirements for timeliness of notification applicable to HIPAA-covered entities also shall apply to FTC-regulated entities “in a manner specified by the Federal Trade Commission.”
[14] Section 13402(d)(1) of the Recovery Act sets forth the standard for timeliness of notification, but notes that this standard is subject to the exception for law enforcement set forth in section 13402(g).

Proposed Section 318.5: Methods of Notice[15]

Proposed section 318.5 addresses the methods of notice to individuals, the Commission, and the media in the event of a breach of security of unsecured PHR identifiable health information. The goal of this proposed section is to ensure prompt and effective notice.

[15] Section 13407(c) of the Recovery Act states that the requirements for methods of breach notification applicable to HIPAA-covered entities also shall apply to FTC-regulated entities “in a manner specified by the Federal Trade Commission.”

Individual Notice

Proposed paragraph (a) addresses notice to individuals. It contains four main requirements. First, proposed paragraph (a)(1) states that individuals must be given notice by first-class mail or, if the individual provides express affirmative consent, by e-mail. This language is identical to section 13402(e)(1)(A) of the Recovery Act, except that it interprets the statutory phrase “specified as a preference by the individual” to mean that the individual must provide “express affirmative consent” to receive breach notices by email. Entities may obtain such consent by asking individuals, when they create an account, whether they would prefer to receive important notices about privacy by first-class mail or e-mail.[16] The Commission recognizes that the relationship between a vendor of personal health records or PHR related entity and the individual takes place online. Thus, e-mail notice may be particularly well-suited to the relationship. In addition, vendors of personal health records and PHR related entities may not want to collect mailing addresses from consumers, and consumers may not want to provide them. Under the proposed rule, these entities need not collect such mailing addresses, as long as they obtain consumers’ express affirmative consent to receive notices by e-mail. The Commission recognizes that some email notifications may be screened by consumers’ spam filters and requests comment on how to address this issue.

[16] The Commission does not regard pre-checked boxes or disclosures that are buried in a privacy policy or terms of service agreement to be sufficient to obtain consumers’ “express affirmative consent.”
Second, as provided in section 13402(e)(1)(C) of the Recovery Act, proposed paragraph (a)(2) allows a vendor of personal health records or PHR related entity to provide notice by telephone or other appropriate means, in addition to the notice provided in paragraph (a)(1), if there is possible imminent misuse of unsecured PHR identifiable health information. Third, proposed paragraph (a)(3) states that if, after making reasonable efforts to contact an individual through his or her preferred method of communication, the vendor of personal health records or PHR related entity learns that such method is insufficient or out-of-date, the vendor or related entity shall attempt to provide the individual with a substitute form of actual notice, which may include written notice through the individual’s less-preferred method, a telephone call, or other appropriate means. This provision gives effect to section 13402(e)(1)(B) of the Recovery Act, which requires a substitute form of notice in the case of insufficient or outof-date contact information, but adds clarifying language requiring reasonable efforts to provide the preferred form of notice before substitute notice can be used. Examples of reasonable efforts include: (1) where e-mail is the consumer’s preferred method, attempting to e-mail the notice and receiving a return message stating that the e-mail could not be delivered; (2) where first class mail is the consumer’s preferred method, attempting to mail such notice and having it returned as undeliverable; (3) in the case of incomplete contact information, searching internal records and, if needed, undertaking additional reasonable efforts to obtain complete and accurate contact information from other sources. The proposed rule also adds language stating that methods of substitute notice may include written notice by the consumer’s less preferred method or telephone. 
Finally, the proposed rule states that if ten or more individuals cannot be reached, the vendor of personal health records or PHR related entity must E:\FR\FM\20APP1.SGM 20APP1 rmajette on PRODPC74 with PROPOSALS Federal Register / Vol. 74, No. 74 / Monday, April 20, 2009 / Proposed Rules provide substitute notice in one of two forms. First, it can provide notice through the home page of its website. Second, it can provide notice in major print or broadcast media. The language in the proposed rule is substantively identical to section 13402(e)(1)(B) of the Recovery Act, but adds certain clarifying language, as noted below. As to the first method of substitute notice, the Recovery Act states that the posting should appear for a period determined by the Commission and be ‘‘conspicuous.’’ The Commission believes that six months is an appropriate time period for posting of the notice and has so specified in the proposed rule. Requiring a six month posting will ensure that individuals who intermittently check their accounts obtain notice, without being unduly burdensome for businesses. To ensure conspicuousness, if an entity intends to use a hyperlink on the home page to convey the breach notice, the hyperlink should be (1) prominent so that it is noticeable to consumers, given the size, color and graphic treatment of the hyperlink in relation to other parts of the page; and (2) worded to convey the nature and importance of the information to which it leads. For example, ‘‘click here’’ would not be an appropriate hyperlink; a prominent ‘‘click here for an important notice about a security breach that may affect you’’ would be.17 Regarding the requirement that the notice be posted on the home page, the Commission notes that individuals who already have accounts with vendors of personal health records may be directed to a first or ‘‘landing’’ page that is different from the home page to which non-account holders are directed. 
The Commission thus construes ‘‘home page’’ to include both the home page for new visitors and the landing page for existing account holders. In general, the Commission anticipates that, because PHRs generally involve an online relationship, web posting would be a particularly well-suited method of substitute notice to individuals. The alternative form of substitute notice described in this paragraph is media notice ‘‘in major print or broadcast media, including major media in geographic areas where individuals affected by the breach likely reside, which shall be reasonably calculated to reach individuals affected by the breach.’’ This language is substantively identical to section 13402(e)(1)(B) of the Recovery Act, but also adds a clause 17 See ‘‘Dot Com Disclosures: Information about Online Advertising,’’ (http://www.ftc.gov/bcp/edu/ pubs/business/ecommerce/bus41.pdf). VerDate Nov<24>2008 15:23 Apr 17, 2009 Jkt 217001 17919 requiring that such notice ‘‘be reasonably calculated to reach the individuals affected.’’ Indeed, because this notice is intended to serve as a substitute for notice to particular individuals, it should be reasonably calculated to reach those individuals. The appropriate scope of substitute media notice will depend on several factors, including the number of individuals for whom no contact information can be obtained, the location of those individuals, and the reach of the particular media used. For example, if a vendor of personal health records experiences a breach in which a hacker obtains the health records of millions of individuals nationwide, and the vendor has no contact information for these individuals, the notice should run multiple times in national print publications and on national network and cable television. In contrast, if an online weight management application loses a customer list and can reach all but 20 individuals in a particular city, it could run a more limited number of advertisements in appropriate local media. 
Further, a notice can only be ‘‘reasonably calculated to reach the individuals affected’’ if it is clear and conspicuous. Thus, the notices should be stated in plain language, be prominent, and run multiple times. The Commission requests further comment on the standards that should apply to substitute media notice. As set forth in section 13402(e)(1)(B) of the Recovery Act, the proposed rule also provides that notice under paragraph (3), whether on the home page of the website or by media notice, must include a toll-free phone number where an individual can learn whether his or her unsecured PHR identifiable health information may be included in the breach. As to this requirement, the Commission notes that entities should have reasonable procedures in place to verify that they are providing the requested information only to the individual and not to an unauthorized person. For example, entities could provide the requested information pertaining to the consumer pursuant to the ‘‘preferred method’’ designated in paragraph (a)(1). the state or jurisdiction.18 This media notice differs from the substitute media notice described in paragraph 318.5 in that it is directed ‘‘to’’ the media and is intended to supplement, but not substitute for, individual notice. The proposed paragraph is substantively identical to section 13402(e)(2) of the Recovery Act, but adds a requirement that the notice include the information set forth in proposed section 318.6. This media notice should, at a minimum, include the dissemination of a press release to media outlets in the area(s) affected by the breach. For example, if a breach affects consumers from a particular state or locality, the press release could be sent to the relevant division or department (e.g., health, technology, or business) of a number of state or local print publications, network and cable new shows, and radio stations. 
The Commission requests further comment on the standards and criteria that should apply in determining the adequacy of media notice. Notice to Media 18 Although section 13402(e)(2) of the Recovery Act requires notice to media for breaches involving ‘‘more than 500’’ residents, section 13402(e)(3) requires notice to the government for breaches with respect to ‘‘500 or more’’ individuals. For consistency, the proposed rule uses ‘‘500 or more’’ for both kinds of notice. 19 The Commission recognizes that the breached entity may not learn all relevant information about Proposed paragraph (b) requires media notice ‘‘to prominent media outlets serving a State or jurisdiction’’ if there has been a breach of security of unsecured PHR identifiable health information of 500 or more residents of PO 00000 Frm 00011 Fmt 4702 Sfmt 4702 Notice to the Commission Proposed paragraph (c) addresses notice to the Commission. Under the proposed paragraph, vendors of personal health records and PHR related entities must provide notice to the Commission as soon as possible and in no case later than five business days if the breach involves the unsecured PHR identifiable health information of 500 or more individuals. If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, vendors of personal health records and PHR related entities may, in lieu of immediate notice, maintain a breach log and submit such a log annually to the Commission. The proposed paragraph is substantively identical to section 13402(e)(3) of the Recovery Act, but clarifies the Act’s requirements as follows. 
First, the paragraph interprets the term ‘‘immediately’’ to mean ‘‘as soon as possible, and in no case later than five business days.’’ The Commission believes that this period of time satisfies the requirement for immediacy, while still being sufficient for the breached entity to learn enough about the breach to provide meaningful notice to the Commission.19 E:\FR\FM\20APP1.SGM Continued 20APP1 17920 Federal Register / Vol. 74, No. 74 / Monday, April 20, 2009 / Proposed Rules Second, the paragraph states that the ‘‘annual log’’ to be submitted to the Commission for breaches involving fewer than 500 individuals shall be due one year from the date of the entity’s first breach.20 The Commission believes that specifying a date for submitting the log will assist entities in complying with the proposed rule. Third, the paragraph references a form that the Commission plans to develop, to be posted on the Commission’s website, www.ftc.gov, and to be used by entities to provide both the immediate and the annual required notice to the Commission under the proposed rule.21 Among other things, the form will request information similar to that required to be included in a notice to individuals under section 318.6. rmajette on PRODPC74 with PROPOSALS Proposed Section 318.6: Content of Notice 22 Proposed section 318.6 addresses the content of the notice to individuals. It requires that the notice include a description of how the breach occurred; a description of the types of unsecured PHR identifiable health information that were involved in the breach; the steps individuals should take to protect themselves from potential harm; a description of what the vendor of personal health records or PHR related entity involved is doing to investigate the breach, to mitigate any losses, and to protect against any further breaches; and contact procedures for individuals to ask questions or learn additional information. 
The language in the proposed rule is substantively identical to the language of section 13402(f) of the Recovery Act. The Commission notes two points with respect to this section. First, to ensure that notices do not raise concerns about phishing, those sending notices should not include any requests for personal or financial information.23 Second, the proposed rule requires that the notice identify steps individuals the breach within five business days, such as number of consumers affected or extent of the information breached. Nonetheless, the entity should tell the Commission all that it knows and should provide additional information as it becomes available. 20 No annual log needs to be provided for years in which no breaches occur. 21 The Commission also will provide notice of breaches to the Secretary of HHS, as required by section 13407(d) of the Recovery Act. 22 Section 13407(c) of the Recovery Act states that the requirements for contents of breach notification applicable to HIPAA-covered entities also shall apply to FTC-regulated entities ‘‘in a manner specified by the Federal Trade Commission.’’ 23 Phishing is the act of sending an electronic message under false pretenses to induce unsuspecting victims to reveal personal and financial information. VerDate Nov<24>2008 15:23 Apr 17, 2009 Jkt 217001 should take to protect themselves from potential harm. The Commission recognizes that these steps will differ depending on the circumstances of the breach and the type of PHR identifiable health information involved. In some instances—for example, if health insurance account information is compromised—there is a possibility that data will be misused. 
In such cases, the entity could suggest steps including, but not limited to, requesting and reviewing copies of medical files for potential errors; monitoring explanation of benefit forms for potential errors; contacting insurers to notify them of possible medical identity theft; following up with providers if medical bills do not arrive on time to ensure that an identity thief has not changed the billing address; and, in appropriate cases, trying to change health insurance account numbers. If the breach also involves Social Security numbers, the entity should suggest additional steps such as placing a fraud alert on credit reports; obtaining and reviewing copies of credit reports for signs of identity theft; calling the local police or sheriff’s office in the event suspicious activity is detected; and if appropriate, obtaining a credit freeze.24 In the case of a breach involving financial account numbers, the entity also should direct consumers to monitor their accounts for suspicious activity and contact their financial institution about closing any compromised accounts. In appropriate cases, the entity also could refer consumers to the FTC’s identity theft website, www.ftc.gov/idtheft. In other instances, the likely harm will be personal embarrassment. In such cases, any steps that an individual may choose to take will likely be personal to that individual, and the entity may not be in a position to advise the consumer. Proposed Sections 318.7, 318.8, and 318.9 Proposed sections 318.7, 318.8, and 318.9 are substantively identical to the statutory provisions on enforcement, effective date, and sunset. Proposed section 318.9 clarifies that the sunsetting of the rule is triggered when Congress enacts new legislation affecting entities subject to the FTC rule. III. 
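The thresholds and deadlines in proposed sections 318.4 and 318.5 (60 calendar days for individual notice, five business days to the Commission at 500 or more individuals, an annual log otherwise, media notice at 500 or more residents of a state, substitute notice at ten or more unreachable individuals, and a discovery date that is not deferred until a service provider reports) fit naturally into a small obligations calculator. The following is an added illustration written for this page, not FTC code and not part of the proposed rule; it assumes a Monday-to-Friday business-day calendar with no federal holidays, and the sample breaches are constructed.

```python
"""Obligations calculator for the notice thresholds and outer deadlines described
in proposed 16 CFR Part 318. Added example, not FTC code. Assumption: business
days are Monday-Friday; federal holidays are not modelled."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_MAX_DAYS = 60          # calendar days after discovery, proposed 318.4(a)
COMMISSION_NOTICE_MAX_BUSINESS_DAYS = 5  # "immediately" for 500+ individuals, proposed 318.5(c)
LARGE_BREACH_THRESHOLD = 500             # immediate Commission notice; media notice per state
SUBSTITUTE_NOTICE_THRESHOLD = 10         # unreachable individuals, proposed 318.5(a)
WEB_POSTING_MIN_MONTHS = 6               # conspicuous home-page posting period


@dataclass
class Breach:
    discovered: date                      # date the entity knew or reasonably should have known
    affected: int                         # individuals whose unsecured PHR data was acquired
    residents_by_state: Dict[str, int]    # state -> affected residents of that state
    unreachable: int                      # individuals with no working contact information
    first_breach_date: Optional[date] = None  # anchors the annual log for small breaches


@dataclass
class Obligations:
    individual_notice_deadline: date            # outer limit; "without unreasonable delay" still applies
    commission_notice_deadline: Optional[date]  # None when the annual log applies instead
    annual_log_due: Optional[date]
    media_notice_states: List[str]
    substitute_notice_required: bool            # home-page posting (6 months) or media notice
    toll_free_number_required: bool             # substitute notice must carry a toll-free number


def discovery_date(provider_notice: Optional[date], learned_otherwise: Optional[date]) -> date:
    """Discovery is the earlier of the service provider's notice and the date the
    vendor learned of the breach by other means (e.g. a customer or whistleblower)."""
    known = [d for d in (provider_notice, learned_otherwise) if d is not None]
    if not known:
        raise ValueError("no discovery date known")
    return min(known)


def add_business_days(start: date, n: int) -> date:
    """Advance n business days, counting only Monday-Friday (holidays ignored: assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def one_year_after(d: date) -> date:
    """Same calendar date next year; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def obligations(b: Breach) -> Obligations:
    """Derive the notice obligations and outer deadlines for one breach."""
    large = b.affected >= LARGE_BREACH_THRESHOLD
    log_anchor = b.first_breach_date or b.discovered
    substitute = b.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD
    return Obligations(
        individual_notice_deadline=b.discovered + timedelta(days=INDIVIDUAL_NOTICE_MAX_DAYS),
        commission_notice_deadline=(
            add_business_days(b.discovered, COMMISSION_NOTICE_MAX_BUSINESS_DAYS) if large else None
        ),
        annual_log_due=None if large else one_year_after(log_anchor),
        media_notice_states=sorted(
            s for s, n in b.residents_by_state.items() if n >= LARGE_BREACH_THRESHOLD
        ),
        substitute_notice_required=substitute,
        toll_free_number_required=substitute,
    )


def sample_large() -> Obligations:
    """Constructed: 1,200 individuals, discovered Monday 2009-04-20, 25 unreachable."""
    return obligations(Breach(date(2009, 4, 20), 1200, {"CA": 700, "NV": 300}, 25))


def sample_small() -> Obligations:
    """Constructed: 40 individuals, entity's first breach was 2009-02-10."""
    return obligations(Breach(date(2009, 4, 20), 40, {"TX": 40}, 2, date(2009, 2, 10)))


if __name__ == "__main__":
    print(sample_large())
    print(sample_small())
```

The 60-day and five-business-day values are outer limits only; the Commission's point that waiting until day 60 can itself be an "unreasonable delay" is a judgement the calculator cannot make, so the dates it returns should be read as the latest permissible, not the target.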
Communications by Outside Parties to Commissioners or Their Advisors Written communications and summaries or transcripts of oral 24 In general, once a consumer initiates a credit freeze with a consumer reporting agency, the freeze prevents the agency from releasing a credit report about that consumer unless the consumer removes the freeze. PO 00000 Frm 00012 Fmt 4702 Sfmt 4702 communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner’s advisor will be placed on the public record. See 16 CFR 1.26(b)(5). IV. Paperwork Reduction Act The Commission is submitting this proposed rule and a Supporting Statement to the Office of Management and Budget for review under the Paperwork Reduction Act (‘‘PRA’’) (44 U.S.C. 3501–3521). The breach notification requirements discussed above constitute ‘‘collections of information’’ for purposes of the PRA. See 5 CFR 1320.3(c). Accordingly, staff has estimated the paperwork burden for these requirements as set forth below. In the event of a data breach, the proposed rule would require covered firms to investigate and, if certain conditions are met, notify consumers and the Commission. The paperwork burden of these requirements will depend on a variety of factors, including the number of covered firms; the percentage of such firms that will experience a breach requiring further investigation and, if necessary, the sending of breach notices; and the number of consumers notified. Based on input from industry sources, staff estimates that approximately 200 vendors of personal health records and 500 PHR related entities will be covered by the Commission’s proposed rule. Thus, a total of 700 entities may be required to notify consumers and the Commission in the event that they experience a breach. 
Approximately 200 third party service providers also will be subject to the rule, and thus required to notify vendors of personal health records or PHR related entities in the event of a breach. Thus, a total of approximately 900 entities will be subject to the proposed rule’s breach notification requirements. Staff estimates that these entities, cumulatively, will experience 11 breaches per year for which notification may be required. Because there is insufficient data at this time about the number and incidence of breaches in the PHR industry, staff used available data relating to breaches incurred by private sector businesses in order to calculate a breach incidence rate. Staff then applied this rate to the estimated total number of entities that will be subject to the proposed rule. According to one recent research paper, private sector businesses across multiple industries experienced a total of approximately 50 breaches per year E:\FR\FM\20APP1.SGM 20APP1 Federal Register / Vol. 74, No. 74 / Monday, April 20, 2009 / Proposed Rules rmajette on PRODPC74 with PROPOSALS during the years 2002 through 2007.25 Dividing 50 breaches by the estimated number of firms that would be subject to a breach (4,187) 26 yields an estimated breach incidence rate of 1.2% per year. Applying this incidence rate to the estimated 900 vendors of personal health records, PHR related entities, and third party service providers yields an estimate of 11 breaches per year that may require notification of consumers and the Commission. To determine the annual paperwork burden, staff has developed estimates for three categories of potential costs: (1) The costs of determining what information has been breached, identifying the affected customers, preparing the breach notice, and making the required report to the Commission; (2) the cost of notifying consumers; and (3) the cost of setting up a toll-free number, if needed. 
First, in order to determine what information has been breached, identify the affected customers, prepare the breach notice, and make the required report to the Commission, staff estimates that covered firms will require per breach, on average, 100 hours of employee labor at a cost of $4,652,27 and the services of a forensic expert at an 25 Sasha Romanosky, Rahul Telang & Alessandro Acquisti, ‘‘Do Data Breach Disclosure Laws Reduce Identity Theft?’’ Seventh Workshop on the Economics of Information Security, June 2008. The authors tallied the breaches reported to the website Attrition.org during the time period 2002 to 2007 and counted a total of 773 breaches for a range of entities, including businesses, governments, health providers, and educational institutions. Staff used the volume of breaches reported for businesses (246 over a 5 year period, or approximately 50 per year) because that class of data is most compatible with other data staff used to calculate the incidence of breaches. 26 Staff focused on firms that routinely collect information on a sizeable number of consumers, thereby rendering them attractive targets for data thieves. To do so, staff focused first on retail businesses and eliminated retailers with annual revenue under $1,000,000. The 2002 Economic Census reports that, in that year, there were 418,713 retailers with revenue of $1,000,000 or more. To apply 50 breaches to such a large population, however, would yield a very small incidence rate. In an abundance of caution, to estimate more conservatively the incidence of breach, staff then assumed that only one percent of these firms had security vulnerabilities that would render them breach targets, thus yielding the total of 4,187. 27 Hourly wages throughout this notice are based on http://www.bls.gov/ncs/ncswage2007.htm (National Compensation Survey: Occupational Earnings in the United States 2007, U.S. 
Department of Labor released August 2008, Bulletin 2704, Table 3 (‘‘Full-time civilian workers,’’ mean and median hourly wages). The breakdown of labor hours and costs is as follows: 50 hours of computer and information systems managerial time at $52.56 per hour; 12 hours of marketing managerial time at $53.00 per hour; 33 hours of computer programmer time at $33.77 per hour; and 5 hours of legal staff time at 54.69 per hour. VerDate Nov<24>2008 15:23 Apr 17, 2009 Jkt 217001 estimated cost of $2,930.28 Thus, the cost estimate for each breach will be $7,582. This estimate does not include the cost of equipment or other tangible assets of the breached firms, because they likely will use the equipment and other assets they have for ordinary business purposes. Based on the estimate that there will be 11 breaches per year, the annual cost burden for affected entities to perform these tasks will be $83,402 (11 breaches × $7,582 each). Second, the cost of breach notifications will depend on the number of consumers contacted. Based on a recent survey, 11.6 percent of adults reported receiving a breach notification during a one-year period.29 Staff estimates that for the prospective 3-year PRA clearance, the average customer base of all vendors of personal health records and PHR related entities will be approximately two million per year. Accordingly, staff estimates that an average of 232,000 consumers per year will receive a breach notification. Given the online relationship between consumers and vendors of personal health records and PHR related entities, most notifications will be made by email and the cost of such notifications will be de minimis.30 In some cases, however, vendors of personal health records and PHR related entities will need to notify individuals by postal mail, either because these individuals have asked for such notification, or because the email addresses of these individuals are not current or not working. 
Staff estimates that the cost of notifying an individual by postal mail is approximately $2.30 per letter.31 Assuming that vendors of personal health records and PHR related entities will need to notify by postal mail 10 percent of their customers whose information is breached, the 28 Staff estimates that breached entities will use 30 hours of a forensic expert’s time. Staff applied the wages of a network systems and data communications analyst ($32.56), tripled it to reflect profits and overhead for an outside consultant ($97.68), and multiplied it by 30 hours to yield $2,930. 29 Ponemon Institute, ‘‘National Survey on Data Security Breach Notification,’’ 2005. Staff believes that this estimate is likely high given the importance of data security to the PHR industry and the likelihood that data encryption will be a strong selling point to consumers. 30 See National Do Not Email Registry, A Report to Congress, June 2004 n.93, available at www.ftc.gov/reports/dneregistry/report.pdf. 31 Robin Sidel and Mitchell Pacelle, ‘‘Credit-Card Breach Tests Banking Industry’s Defenses,’’ Wall Street Journal, June 21, 2005, p.C1. Sidel and Pacelle reported that industry sources estimated the cost per letter to be about $2.00 in 2005. Allowing for inflation, staff estimates the cost to average about $2.30 per letter over the next three years of prospective PRA clearance sought from OMB. PO 00000 Frm 00013 Fmt 4702 Sfmt 4702 17921 estimated cost of this notification will be $53,360 per year. In addition, vendors of personal health records and PHR related entities sometimes may need to notify consumers by posting a message on their home page, or by providing media notice. 
Based on a recent study on data breach costs, staff estimates the cost of providing notice via website posting to be 6 cents per breached record, and the cost of providing notice via published media to be 3 cents per breached record.32 Applied to the above-stated estimate of 232,000 consumers per year receiving breach notification, the estimated total annual cost of website notice will be $13,920, and the estimated total annual cost of media notice will be $6,960, yielding an estimated total annual cost for all forms of notice to consumers of $74,240. Finally, the cost of a toll-free number will depend on the cost associated with T1 lines sufficient to handle the projected call volume, the cost of obtaining a toll-free telephone number and queue messaging (a service that provides rudimentary call routing), the cost of processing each call, and the telecommunication charges associated with each call. Because the proposed rule may require entities to notify consumers by posting a message on their homepage for a period of six months, staff estimated the cost of a tollfree line for a six-month period. Based on industry research, staff projects that in order to accommodate a sufficient number of incoming calls for that period, affected entities may need two T1 lines at a cost of $18,000.33 Staff further estimates that the cost of obtaining a dedicated toll-free line and queue messaging will be $3,017,34 and that processing an estimated 5,000 calls for the first month per breach will require an average of 1,917 hours of employee labor at a cost of $27,468.35 Staff estimates that affected entities will need to offer the toll-free number for an additional five months, during which time staff projects that entities will 32 Ponemon Institute, 2006 Annual Study: Cost of a Data Breach, Understanding Financial Impact, Customer Turnover, and Preventative Solutions, Table 2. 33 According to industry research, the cost of a single T1 line is $1,500 per month. 
34 Staff estimates that installation of a toll-free number and queue messaging will require 40 hours of a technician’s time. Staff applied the wages of a telecommunications technician ($25.14), tripled it to reflect profits and overhead of a telecommunications firm ($75.42), and multiplied it by 40 hours to yield $3,017. 35 The breakdown of labor hours and costs is as follows: 667 hours of telephone operator time (8 minutes per call × 5,000 calls) at $14.87 per hour and 1,250 hours of information processor time (15 minutes per call × 5,000 calls) at $14.04 per hour. E:\FR\FM\20APP1.SGM 20APP1 17922 Federal Register / Vol. 74, No. 74 / Monday, April 20, 2009 / Proposed Rules receive an additional 5,000 calls per breach,36 yielding an estimated total processing cost of $54,936. In addition, according to industry research, the telecommunication charges associated with the toll-free line will be approximately $2,500.37 Adding these costs together, staff estimates that the cost per breach for the toll-free line will be $78,453. Based on the above rate of 11 breaches per year, the annual cost burden for affected entities will be $862,983 (11 x $78,453). In sum, the estimated annual cost burden associated with the breach notification requirements is $1,020,625: $83,402 (costs associated with investigating breaches, drafting notifications of breaches, and notifying the Commission) + $74,240 (costs associated with notifying consumers) + $862,983 (costs associated with establishing toll-free numbers). Staff notes that this estimate likely overstates the costs imposed by the proposed rule because: (1) it assumes that all breaches will require notification, whereas many breaches (e.g., those involving data that is ‘‘not unsecured’’) will not require notification; (2) it assumes that all covered entities will be required to take all of the steps required above; and (3) staff made conservative assumptions in developing many of the underlying estimates. 
The Commission invites comments on: (1) whether the proposed collection of information is necessary for the proper performance of the functions of the FTC, including whether the information will have practical utility; (2) the accuracy of the FTC’s estimate of the burden of the proposed collection of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of collecting information on those who respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses. rmajette on PRODPC74 with PROPOSALS V. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA), 5 U.S.C. 604(a), requires an agency either to provide an Initial Regulatory Flexibility Analysis with a proposed rule, or certify that the proposed rule 36 Staff anticipates that the greatest influx of calls will be in the first month, and that it will be equivalent to the volume of calls over the remaining five months. 37 Staff estimates a cost per call of 25¢ (5¢ per minute/per call × 5 minutes per call). Assuming 10,000 calls for each breach, the total estimated telecommunications charges are $2,500. VerDate Nov<24>2008 15:23 Apr 17, 2009 Jkt 217001 will not have a significant economic impact on a substantial number of small entities. The FTC does not expect that this rule, if adopted, would have a significant economic impact on a substantial number of small entities. First, most of the burdens flow from the mandates of the Act, not from the specific provisions of the proposed rule. Second, the rule will apply to entities that, in many instances, already have obligations to provide notification of data breaches under certain state laws covering medical breaches. 
    Third, once a notice is created, the costs of sending it should be minimal because the Commission anticipates that most consumers will elect to receive notification by e-mail. Nevertheless, to obtain more information about the impact of the proposed rule on small entities, the Commission has decided to publish the following initial regulatory flexibility analysis pursuant to the Regulatory Flexibility Act, 5 U.S.C. 601–612, as amended, and request public comment on the impact on small businesses of its proposed rule.

A. Description of the Reasons That Action by the Agency Is Being Considered

    Section 13407 of the American Recovery and Reinvestment Act requires the Commission to promulgate this rule not later than six months after the date of enactment of the Act, or August 18, 2009.

B. Statement of the Objectives of, and Legal Basis for, the Proposed Rule

    To implement the requirement that certain entities that handle health information provide notice to individuals whose individually identifiable health information has been breached. The legal basis for the proposed rule is Section 13407 of the American Recovery and Reinvestment Act.

C. Description and Estimate of the Number of Small Entities to Which the Proposed Rule Will Apply

    The proposed rule will apply to vendors of personal health records, PHR related entities, and third party service providers. As discussed in the section on Paperwork Reduction Act above, FTC staff estimates that the proposed rule will apply to approximately 900 entities. Determining a precise estimate of which of these entities are small entities, or describing those entities further, is not readily feasible. The Commission invites comment and information on this issue.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

    The Recovery Act and proposed rule impose certain reporting requirements within the meaning of the Paperwork Reduction Act. The Commission is seeking clearance from the Office of Management & Budget (OMB) for these requirements, and the Commission’s Supporting Statement submitted as part of that process is being made available on the public record of this rulemaking. Specifically, the Act and proposed rule require vendors of personal health records and PHR related entities to provide notice to consumers and the Commission in the event of a breach of unsecured PHR identifiable health information. The Act and proposed rule also require third party service providers to provide notice to vendors of personal health records and PHR related entities in the event of such a breach.
    If a breach occurs, each entity covered by the Act and proposed rule will expend costs to determine the extent of the breach and the individuals affected. If the entity is a vendor of personal health records or PHR related entity, additional costs will include the costs of preparing a breach notice, notifying the Commission, compiling a list of consumers to whom a breach notice must be sent, and sending a breach notice. Such entities may incur additional costs in locating consumers who cannot be reached, and in certain cases, posting a breach notice on a website, notifying consumers through media advertisements, or sending breach notices through press releases to media outlets. In-house costs may include technical costs to determine the extent of breaches; investigative costs of conducting interviews and gathering information; administrative costs of compiling address lists; professional/legal costs of drafting the notice; and potentially, costs for postage, web posting, and/or advertising. Costs may also include the purchase of services of a forensic expert. As noted in the Paperwork Reduction Act analysis above, the estimated annual cost burden for all entities subject to the proposed rule will be approximately $1,020,625. The Commission seeks further comment on the costs and burdens of small entities in complying with the requirements of the proposed rule.

E. Other Duplicative, Overlapping, or Conflicting Federal Rules

    The FTC has not identified any other federal statutes, rules, or policies currently in effect that would conflict with the proposed rule. As noted above, there is a potential for overlap with forthcoming HHS rules governing breach notification for HIPAA-covered entities. The Commission is consulting with HHS on this potential overlap. The Commission invites comment and information on this overlap, along with any other potentially duplicative, overlapping, or conflicting federal statutes, rules, or policies.

F. Description of Any Significant Alternatives to the Proposed Rule

    In drafting the proposed rule, the Commission has made every effort to avoid unduly burdensome requirements for entities. In particular, the Commission believes that the alternative of providing notice to consumers electronically will assist small entities by significantly reducing the costs of sending breach notices. The Commission is not aware of alternative methods of compliance that will reduce the impact of the proposed rule on small entities, while also comporting with the Recovery Act. The statutory requirements are specific as to the timing, method, and content of notice, as well as the effective date of the final rule that results from this Notice of Proposed Rulemaking. Accordingly, the Commission seeks comment and information on ways in which the rule could be modified to reduce any costs or burdens for small entities consistent with the Recovery Act’s mandated requirements.

VI. Proposed Rule

List of Subjects in 16 CFR Part 318

    Consumer protection, Data protection, Health records, Privacy, Trade practices.
    Accordingly, for the reasons set forth in the preamble, the Commission proposes to add a new Part 318 of title 16 to the Code of Federal Regulations to read as follows:

PART 318—HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Method of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Effective date.
318.9 Sunset.

    Authority: Pub. L. 111–5.

§ 318.1 Purpose and scope.

    This part, which shall be called the ‘‘Health Breach Notification Rule,’’ implements Section 13407 of the American Recovery and Reinvestment Act of 2009. It applies to vendors of personal health records, PHR related entities, and third party service providers. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

§ 318.2 Definitions.

    (a) Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of such information.
    (b) Business associate means a business associate under the Health Insurance Portability and Accountability Act, Pub. L. 104–191, 110 Stat. 1936, as defined in 45 CFR 160.103.
    (c) HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act, Pub. L. 104–191, 110 Stat. 1936, as defined in 45 CFR 160.103.
    (d) Personal health record means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
    (e) PHR identifiable health information means ‘‘individually identifiable health information,’’ as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information:
    (1) That is provided by or on behalf of the individual; and
    (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
    (f) PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:
    (1) Offers products or services through the website of a vendor of personal health records;
    (2) Offers products or services through the websites of HIPAA-covered entities that offer individuals personal health records; or
    (3) Accesses information in a personal health record or sends information to a personal health record.
    (g) Third party service provider means an entity that:
    (1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and
    (2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.
    (h) Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009. If such guidance is not issued by the date specified in section 13402(h)(2), the term ‘‘unsecured’’ shall mean not secured by a technology standard that renders PHR identifiable health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.
    (i) Vendor of personal health records means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

§ 318.3 Breach notification requirement.

    (a) In general. In accordance with §§ 318.4, 318.5, and 318.6, each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—
    (1) Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and
    (2) Notify the Federal Trade Commission.
    (b) Third party service providers. A third party service provider shall, following the discovery of a breach of security, provide notice of the breach to a senior official at the vendor of personal health records or PHR related entity to which it provides services, and obtain acknowledgment from such official that such notice was received. Such notification shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach.
    (c) Breaches treated as discovered. A breach of security shall be treated as discovered as of the first day on which such breach is known to a vendor of personal health records, PHR related entity, or third party service provider, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider, respectively) or should reasonably have been known to such vendor of personal health records, PHR related entity, or third party service provider (or person) to have occurred.

§ 318.4 Timeliness of notification.

    (a) In general. Except as provided in paragraph (c) of this section and § 318.5(c), all notifications required under §§ 318.3(a) and 318.3(b) shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
    (b) Burden of proof. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.
    (c) Law enforcement exception. If a law enforcement official determines that a notification, notice, or posting required under this part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph shall be implemented in the same manner as provided under § 164.528(a)(2) of title 45, Code of Federal Regulations, in the case of a disclosure covered under such section.

§ 318.5 Method of notice.

    (a) Individual notice. A vendor of personal health records or PHR related entity that experiences a breach of security shall provide notice of such breach to an individual promptly, as described in § 318.4, and in the following form:
    (1) Written notice by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if the individual provides express affirmative consent, by electronic mail. The notice may be provided in one or more mailings as information is available.
    (2) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section.
    (3) If, after making reasonable efforts to contact the individual through his or her preferred form of communication under paragraph (a)(1) of this section, the vendor of personal health records or PHR related entity finds that such preferred form of communication is insufficient or out-of-date, the vendor of personal health records or PHR related entity shall attempt to provide the individual with a substitute form of actual notice, which may include written notice by the consumer’s less preferred method or telephone.
    (4)(i) If ten or more individuals cannot be reached by the methods specified in paragraphs (a)(1) through (3) of this section, the vendor of personal health records or PHR related entity involved shall provide notice:
    (A) Through a conspicuous posting for a period of six months on the home page of its website; or
    (B) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside, which shall be reasonably calculated to reach the individuals affected by the breach.
    (ii) Such a notice in media or web posting shall include a toll-free phone number where an individual can learn whether or not the individual’s unsecured PHR identifiable health information may be included in the breach.
    (b) Notice to media. A vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach. Such notice shall include, at a minimum, the information contained in § 318.6.
    (c) Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, then such notice shall be provided as soon as possible and in no case later than five business days following the date of discovery of the breach. If the breach involved the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach occurring over the ensuing twelve months and submit the log to the Federal Trade Commission documenting breaches from the preceding year. All notices pursuant to this paragraph shall be provided according to instructions at the Federal Trade Commission’s website.

§ 318.6 Content of notice.

    Regardless of the method by which notice is provided to individuals under section 318.5, notice of a breach of security shall include, to the extent possible, the following:
    (a) A brief description of how the breach occurred, including the date of the breach and the date of the discovery of the breach, if known;
    (b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code);
    (c) Steps individuals should take to protect themselves from potential harm resulting from the breach;
    (d) A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and
    (e) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.

§ 318.7 Enforcement.

    A violation of § 318.3 of this part shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

§ 318.8 Effective date.

    This part shall apply to breaches of security that are discovered on or after September 18, 2009.
§ 318.9 Sunset.

    If new legislation is enacted establishing requirements for notification in the case of a breach of security that apply to entities covered by this part, the provisions of this part shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E9–8882 Filed 4–17–09; 8:45 am]
BILLING CODE 6750–01–S

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34–59769, IA–2866, IC–28697; File No. S7–09–07]
RIN 3235–AJO6

Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule; reopening of comment period.

SUMMARY: The Securities and Exchange Commission (‘‘Commission’’) is reopening the period for public comment on proposed amendments to Regulation S–P, which implements the privacy provisions of the Gramm-Leach-Bliley Act (‘‘GLB Act’’), originally published in the Federal Register on March 29, 2007. The proposed amendments would, if adopted, create a safe harbor for a model form that financial institutions may use to provide disclosures in initial and annual privacy notices required under Regulation S–P.

DATES: Comments should be received on or before May 20, 2009.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission’s Internet comment form (http://www.sec.gov/rules/proposed.shtml); or
• Send an e-mail to rule-comments@sec.gov. Please include File Number S7–09–07 on the subject line; or
• Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

• Send paper comments in triplicate to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549–1090.

    All submissions should refer to File Number S7–09–07. This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and copying in the Commission’s Public Reference Room, 100 F Street, NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

FOR FURTHER INFORMATION CONTACT: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special Counsel, Office of Chief Counsel, Division of Trading and Markets, (202) 551–5550; or Penelope Saltzman, Assistant Director, or Thoreau Bartmann, Senior Counsel, Office of Regulatory Policy, Division of Investment Management, (202) 551–6792, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is reopening the period for public comment on proposed rule amendments,\1\ which were proposed pursuant to the Financial Services Regulatory Relief Act of 2006 (the ‘‘Act’’), enacted on October 13, 2006.\2\ The proposal was published on March 29, 2007, and the comment period closed on May 29, 2007. Section 728 of the Act added subsection (e) to section 503 of the GLB Act, which directs the Commission, together with seven other federal agencies\3\ (collectively the ‘‘Agencies’’) responsible for implementing Title V, Subtitle A of the GLB Act, to ‘‘jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under this section.’’\4\ The proposed amendments would, if adopted, create a safe harbor for a model privacy notice form that financial institutions may use to provide disclosures required under the privacy rules\5\ adopted by the Agencies pursuant to section 504 of the GLB Act.\6\
    In connection with the development of the model form, an outside consultant, Macro International (‘‘Macro’’), was retained to conduct quantitative testing to evaluate the effectiveness of four different types of privacy notices, including a slightly revised version of the proposed model privacy notice form.\7\ Macro tested the notices on approximately 1,000 consumers at five retail shopping mall locations around the country. Each of the four notices used for testing was printed in a double-sided format, using the front and back sides of an 8½ x 11-inch piece of white paper. We have placed in the comment file for the proposed rule (available at http://www.sec.gov/comments/s7-09-07/s70907.shtml and at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html) the following documents from the testing: (i) The test data collected and provided by Macro together with the codebook that relates to the data; (ii) the report provided by Macro, which includes a summary of the methodology used in collecting the data, the interview protocol, and the four test notices; and (iii) a report describing the results of the test data prepared by Dr. Alan Levy and Dr. Manoj Hastak.\8\ We are reopening the comment period before final action is taken on the proposal in order to provide all persons who are interested in this matter an opportunity to comment on these
---------------------------------------------------------------------------

    \1\ See Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 55497, Investment Company Act Release No. 27755 (Mar. 20, 2007) [72 FR 14940 (Mar. 29, 2007)] (‘‘Interagency Proposal’’) and [72 FR 16875 (Apr. 5, 2007)] (correction notice).
    \2\ Public Law 109–351 (Oct. 13, 2006), 120 Stat. 1966.
    \3\ The seven other agencies are the Commodity Futures Trading Commission (‘‘CFTC’’), Federal Deposit Insurance Corporation (‘‘FDIC’’), Board of Governors of the Federal Reserve System (‘‘Board’’), Federal Trade Commission (‘‘FTC’’), National Credit Union Administration (‘‘NCUA’’), Office of the Comptroller of the Currency (‘‘OCC’’), and Office of Thrift Supervision (‘‘OTS’’).
    \4\ See supra note 2, adding 15 U.S.C. 6803(e). The Act stipulates that the model form shall be a safe harbor for financial institutions that elect to use it.
    \5\ For the Agencies’ privacy rules see 12 CFR Part 40 (OCC); 12 CFR Part 216 (Board); 12 CFR Part 332 (FDIC); 12 CFR Part 573 (OTS); 12 CFR Part 716 (NCUA); 16 CFR Part 313 (FTC); 17 CFR part 160 (CFTC); 17 CFR Part 248 (Commission).
    \6\ Codified at 15 U.S.C. 6804.
    \7\ As described in the Interagency Proposal, the consumer research project on privacy notices was launched in 2004. Interagency Proposal supra note 1, at Section I.B.
    \8\ Dr. Levy and Dr. Hastak are consultants to the model privacy notice research project.
---------------------------------------------------------------------------

[Federal Register Volume 74, Number 74 (Monday, April 20, 2009)]
[Proposed Rules]
[Pages 17914-17925]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-8882]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318

[RIN 3084-AB17]


Health Breach Notification Rule

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: Under the American Recovery and Reinvestment Act of 2009 (the 
``Recovery Act'' or ``the Act''), the Federal Trade Commission 
(``FTC'') or (``Commission'') must issue rules requiring vendors of 
personal health records and related entities to notify individuals when 
the security of their individually identifiable health information is 
breached. Accordingly, the FTC seeks comment on a proposed rule.

DATES: Comments must be received on or before June 1, 2009.

ADDRESSES: Interested parties are invited to submit written comments 
electronically or in paper form. Comments should refer to ``Health 
Breach Notification Rulemaking, Project No. R911002'' to facilitate the 
organization of comments. Please note that your comment--including your 
name and your state--will be placed on the public record of this 
proceeding, including on the publicly accessible FTC website, at 
(http://www.ftc.gov/os/publiccomments.shtm).
    Because comments will be made public, they should not include any 
sensitive personal information, such as an individual's Social Security 
number; date of birth; driver's license number, state identification 
number, or foreign country equivalent; passport number; financial 
account number; or credit or debit card number. Comments also should 
not include any sensitive health information, such as medical records 
or other individually identifiable health information. In addition, 
comments should not include any ``[t]rade secret or any commercial or 
financial information which is obtained from any person and which is 
privileged or confidential * * *,'' as provided in Section 6(f) of the 
FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). 
Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c), 16 CFR 
4.9(c).\1\
---------------------------------------------------------------------------

    \1\ See also FTC Rule 4.2(d), 16 CFR 4.2(d). The comment must be 
accompanied by an explicit request for confidential treatment, 
including the factual and legal basis for the request, and must 
identify the specific portions of the comment to be withheld from 
the public record. The request will be granted or denied by the 
Commission's General Counsel, consistent with applicable law and the 
public interest. See FTC Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Because paper mail addressed to the FTC is subject to delay due to 
heightened security screening, please consider submitting your comments 
in electronic form. Comments filed in electronic form should be 
submitted by using the weblink (https://secure.commentworks.com/ftc-healthbreachnotification), and following the instructions on the web-
based form. To ensure that the Commission considers an electronic 
comment, you must file it on the web-based form at the weblink (https://secure.commentworks.com/ftc-healthbreachnotification). If this Notice 
appears at (http://www.regulations.gov/search/index.jsp), you also may 
file an electronic comment through that website. The Commission will 
consider all comments that regulations.gov forwards to it. You also may 
visit the FTC website at http://www.ftc.gov to read the Notice and the 
news release describing it.
    A comment filed in paper form should include the ``Health Breach 
Notification Rulemaking, Project No. R911002'' reference both in the 
text and on the envelope, and should be mailed or delivered to the 
following address: Federal Trade Commission/Office of the Secretary, 
Room H-135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 
20580. The FTC is requesting that any comment filed in paper form be 
sent by courier or overnight service, if possible, because U.S. postal 
mail in the Washington area and at the Commission is subject to delay 
due to heightened security precautions.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. The Commission will consider all timely and responsive 
public comments that it receives, whether filed in paper or electronic 
form. Comments received will be available to the public on the FTC 
website, to the extent practicable, at (http://www.ftc.gov/os/publiccomments.shtm). As a matter of discretion, the Commission makes 
every effort to remove home contact information for individuals from 
the public comments it receives before placing those comments on the 
FTC website. More information, including routine uses permitted by the 
Privacy Act, may be found in the FTC's privacy policy, at (http://www.ftc.gov/ftc/privacy.shtm).
    Comments on any proposed filing, recordkeeping, or disclosure 
requirements that are subject to paperwork burden review under the 
Paperwork Reduction Act should additionally be submitted to: Office of 
Information and Regulatory Affairs, Office of Management and Budget 
(``OMB''), Attention: Desk Officer for Federal Trade Commission. 
Comments should be submitted via facsimile to (202) 395-5167 because 
U.S. postal mail at the OMB is subject to delays due to heightened 
security precautions.

FOR FURTHER INFORMATION CONTACT: Cora Tung Han or Maneesha Mithal, 
Attorneys, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, 
NW., Washington, DC 20580, (202) 326-2252.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Section-by-Section Analysis of the Proposed Rule
III. Paperwork Reduction Act
IV. Regulatory Flexibility Act
V. Proposed Rule

I. Background

    On February 17, 2009, President Obama signed the American Recovery 
and Reinvestment Act of 2009 (the ``Recovery Act'' or ``the Act'') into 
law.\2\ The Act includes provisions to advance the use of health 
information technology and, at the same time, strengthen privacy and 
security protections for health information.
---------------------------------------------------------------------------

    \2\ American Recovery & Reinvestment Act of 2009, Pub. L. 111-5, 
---- Stat. ----.
---------------------------------------------------------------------------

    Among other things, the Recovery Act recognizes that there are new 
types of web-based entities that collect consumers' health information. 
These entities include vendors of personal health records and online 
applications that interact with such personal health records. Some of 
these entities are not subject to the privacy and security requirements 
of the Health Insurance Portability and Accountability Act 
(``HIPAA'').\3\ For such entities, the Recovery Act requires the 
Department of Health and Human Services (``HHS'') to study, in 
consultation with the FTC, potential privacy, security, and 
breach notification requirements and submit a report to Congress 
containing recommendations within one year of enactment of the Recovery 
Act. Until Congress enacts new legislation implementing any 
recommendations contained in the HHS/FTC report, the Recovery Act 
contains temporary requirements, to be enforced by the FTC, that such 
entities notify customers in the event of a security breach.\4\ The 
proposed rule implements these requirements.
---------------------------------------------------------------------------

    \3\ Health Insurance Portability & Accountability Act, Pub. L. 
104-191, 110 Stat. 1936 (1996).
    \4\ Section 13407(g)(1) of the Recovery Act requires the FTC to 
promulgate, within 180 days of its enactment, regulations on the 
breach of security notification provisions applicable to its 
regulated entities.
---------------------------------------------------------------------------

    The Recovery Act also directs HHS to promulgate interim final 
regulations requiring (1) HIPAA-covered entities, such as hospitals, 
doctors' offices, and health insurance plans, to notify individuals in 
the event of a security breach and (2) business associates of HIPAA-
covered entities to notify such covered entities in the event of a 
security breach. To the extent that FTC-regulated entities engage in 
activities as business associates of HIPAA-covered entities, such 
entities will be subject only to HHS' rule requirements and not the 
FTC's rule requirements, as explained below. In addition, the 
Commission notes that many of the breach notification requirements 
applicable to FTC-regulated entities are the same as the breach 
notification requirements applicable to HHS-regulated entities. Indeed, 
section 13407 of the Recovery Act states that the statutory 
requirements for timeliness, method, and content of breach 
notifications contained in section 13402 (the section applicable to 
HHS-regulated entities) shall apply to FTC-regulated entities ``in a 
manner specified by the Federal Trade Commission.'' Thus, the FTC is 
consulting with HHS to harmonize its proposed rule with HHS' proposed 
rule.

II. Section-by-Section Analysis of the Proposed Rule

    The Commission proposes to issue the Health Breach Notification 
Rule as a new Part 318 of 16 CFR. The following is a section-by-section 
analysis of the proposed rule.

Proposed Section 318.1: Purpose and Scope

    Proposed section 318.1 serves three purposes. First, it states the 
relevant statutory authority for the proposed rule. Second, it 
identifies the entities to which the proposed rule would apply: vendors 
of personal health records, PHR \5\ related entities, and third party 
service providers. Third, proposed section 318.1 clarifies that the 
proposed rule does not apply to HIPAA-covered entities or to an 
entity's activities as a business associate of a HIPAA-covered entity.
---------------------------------------------------------------------------

    \5\ PHR means personal health record.
---------------------------------------------------------------------------

    The Commission also notes that the proposed rule applies to 
entities beyond the FTC's traditional jurisdiction under Section 5 of 
the FTC Act, since the Recovery Act does not limit the FTC's 
enforcement authority to its enforcement jurisdiction under Section 5. 
Indeed, section 13407 of the Recovery Act expressly applies to 
``vendors of personal health records and other non-HIPAA covered 
entities,'' without regard to whether such entities fall within the 
FTC's enforcement jurisdiction. Thus, the proposed rule would apply to 
entities such as non-profit entities that offer personal health records 
or related products and services, as well as non-profit third party 
service providers.
    With respect to the scope of the proposed rule, the Commission 
seeks comment on (1) the nature of entities to which its proposed rule 
would apply; (2) the particular products and services they offer; (3) 
the extent to which vendors of personal health records, PHR related 
entities, and third party service providers may be HIPAA-covered 
entities or business associates of HIPAA-covered entities; (4) whether 
some vendors of personal health records may have a dual role as a 
business associate of a HIPAA-covered entity and a direct provider of 
personal health records to the public; and (5) circumstances in which 
such a dual role might lead to consumers' receiving multiple breach 
notices or receiving breach notices from an unexpected entity, and 
whether and how the rule should address such circumstances.

Proposed Section 318.2: Definitions

    This section defines terms used in the Health Breach Notification 
Rule.

Breach of Security

    The first sentence of proposed paragraph (a) defines ``breach of 
security'' as the acquisition of unsecured PHR identifiable health 
information of an individual in a personal health record without the 
authorization of the individual. This sentence is identical to the 
definition of ``breach of security'' in section 13407(f)(1) of the 
Recovery Act.
    In some cases, it will be fairly easy to determine whether 
unsecured PHR identifiable health information has been acquired without 
authorization. Examples of such cases include the theft of a laptop 
containing unsecured personal health records; the theft of hard copies 
of such records; the unauthorized downloading or transfer of such 
records by an employee; and the electronic break-in and remote copying 
of such records by a hacker.
    In other cases, there may be unauthorized access to data, but it is 
unclear, without further investigation, whether the data also has been 
acquired. Unauthorized persons may have access to information if it is 
available to them. The term acquisition, however, suggests that the 
information is not only available to unauthorized persons, but in fact 
has been obtained by them.
    For example, if an entity's access log shows that an unauthorized 
employee obtained access to information by opening an online database 
of personal health records, there clearly has been access to the data, 
but it is not clear whether the data also has been acquired. Consider 
the following possible scenarios:
     (1) the employee viewed the records to find health information 
about a particular public figure and sold the information to a national 
gossip magazine;
     (2) the employee viewed the records to obtain information about 
his or her friends;
     (3) the employee inadvertently accessed the database, realized 
that it was not the one he or she intended to view, and logged off 
without reading, using, or disclosing anything.
    In scenario (3), the Commission believes that no acquisition has 
taken place; thus, breach notification is not required. Unauthorized 
acquisition has, however, occurred in scenarios (1) and (2).
    In the types of situations described above, where there has been 
unauthorized access to unsecured PHR identifiable health information, 
the Commission believes that the entity that experienced the breach is 
in the best position to determine whether unauthorized acquisition has 
taken place. Thus, the proposed rule creates a presumption that 
unauthorized persons have acquired information if they have access to 
it, which in turn triggers the obligation to provide breach 
notification. This 
presumption can be rebutted with reliable evidence showing that the 
information was not or could not reasonably have been acquired. Such 
evidence can be obtained by, among other things, conducting appropriate 
interviews of employees, contractors, or other third parties; reviewing 
access logs and sign-in sheets; and/or examining forensic evidence.
    For example, if an entity's employee loses a laptop containing 
unsecured health information in a public place, the information would 
be accessible to unauthorized persons, giving rise to a presumption 
that unauthorized acquisition has occurred. The entity can rebut this 
presumption by showing that the laptop was recovered, and that forensic 
analysis revealed that files were never opened, altered, transferred, 
or otherwise compromised.
    Accordingly, the Commission proposes to add a second sentence to 
the definition of breach of security as follows: ``Unauthorized 
acquisition will be presumed to include unauthorized access to 
unsecured PHR identifiable health information unless the vendor of 
personal health records, PHR related entity, or third party service 
provider that experienced the breach has reliable evidence showing that 
there has not been, or could not reasonably have been, any unauthorized 
acquisition of such information.''

Business Associate

    Proposed paragraph (b) defines ``business associate'' to mean a 
business associate under HIPAA, as defined in 45 CFR 160.103. That 
regulation, in relevant part, defines a business associate as an entity 
that (1) provides certain functions or activities on behalf of a HIPAA-
covered entity or (2) provides ``legal, actuarial, accounting, 
consulting, data aggregation, management, administrative, 
accreditation, or financial services to or for'' a HIPAA-covered 
entity.

HIPAA-Covered Entity

    Proposed paragraph (c) defines ``HIPAA-covered entity'' to mean a 
covered entity under HIPAA, as defined in 45 CFR 160.103. That 
regulation provides that a HIPAA-covered entity is a health care 
provider that conducts certain transactions in electronic form, a 
health care clearinghouse (which provides certain data processing 
services for health information), or a health plan.

Personal Health Record

    Proposed paragraph (d) defines a ``personal health record'' as an 
``electronic record of PHR identifiable health information on an 
individual that can be drawn from multiple sources and that is managed, 
shared, and controlled by or primarily for the individual.'' This 
language is substantively identical to the definition of personal 
health record in section 13400(11) of the Recovery Act.\6\
---------------------------------------------------------------------------

    \6\ Where this Notice characterizes an element of the proposed 
rule as ``substantively identical'' to a corresponding provision in 
the Recovery Act, the difference between the two texts is minor and 
not substantive, and the relevant text of both the rule and statute 
is intended to have the same meaning. For example, the Recovery 
Act's definition of ``personal health record'' states that it is an 
``electronic record of PHR identifiable health information (as 
defined in section 13407(f)(2)). . .'' The proposed rule definition 
drops the cross-reference, but is identical in all other respects. 
In other places, the rule may change a plural to a singular or vice 
versa; substitute terminology such as ``HIPAA-covered entity'' for 
``covered entity''; spell out a shorthand notation in the statute; 
or make similar non-substantive changes.
---------------------------------------------------------------------------

PHR Identifiable Health Information

    Proposed paragraph (e) defines ``PHR identifiable health 
information'' as ``individually identifiable health information, as 
defined in section 1171(6) of the Social Security Act (42 U.S.C. 
1320d(6)),\7\ and with respect to an individual, information (1) that 
is provided by or on behalf of the individual; and (2) that identifies 
the individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual.'' 
This definition is substantively identical to section 13407(f)(2) of 
the Recovery Act.
---------------------------------------------------------------------------

    \7\ This provision defines ``individually identifiable health 
information'' as information that ``(1) is created or received by a 
health care provider, health plan, employer, or health care 
clearinghouse; and (2) relates to the past, present, or future 
physical or mental health or condition of an individual, the 
provision of health care to an individual, or the past, present, or 
future payment for the provision of health care to an individual.''
---------------------------------------------------------------------------

    The Commission notes three points with respect to this definition. 
First, because the definition of ``PHR identifiable health 
information'' includes information that relates to the ``past, present, 
or future payment for the provision of health care to an individual,'' 
the proposed rule covers breaches of such information. Thus, for 
example, the proposed rule would cover a security breach of a database 
containing names and credit card information, even if no other 
information was included.
    Second, because the definition includes information that relates to 
``the health or condition'' of the individual, it would include the 
fact of having an account with a vendor of personal health records or 
related entity, where the products or services offered by such vendor 
or related entity relate to particular health conditions. For example, 
the theft of an unsecured customer list of a vendor of personal health 
records or related entity directed to AIDS patients or people with 
mental illness would require a breach notification, even if no specific 
health information is contained in that list.
    Third, if there is no reasonable basis to believe that information 
can be used to identify an individual, the information is not ``PHR 
identifiable health information,'' and a breach notification need not 
be provided. For example, if a breach involves information that has 
been ``de-identified'' under HHS rules implementing HIPAA, the 
Commission will deem that information to fall outside the scope of 
``PHR identifiable health information'' and therefore not covered by 
the proposed rule. The HHS rules specify two ways to de-identify 
information: (1) If there has been a formal determination by a 
qualified statistician that information has been de-identified; or (2) 
if specific identifiers about the individual, the individual's 
relatives, household members, and employers are removed, and the 
covered entity has no actual knowledge that the remaining information 
could be used to identify the individual.\8\ There may be additional 
instances where, even though the standard for de-identification under 
45 CFR 164.514(b) is not met, there is no reasonable basis to believe 
that information is individually identifiable. The Commission requests 
examples of such instances.
---------------------------------------------------------------------------

    \8\ 45 CFR 164.514(b); see also U.S. Department of Health and 
Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy 
Rule, (www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf).
---------------------------------------------------------------------------

PHR Related Entity

    Proposed paragraph (f) defines the term ``PHR related entity'' to 
cover the three types of entities set forth in clauses (ii), (iii), and 
(iv) of section 13424(b)(1)(A) of the Recovery Act.\9\ First, the 
definition includes entities that are not HIPAA-covered entities and 
that offer products or services through the website of a vendor of 
personal health records. This definition is substantively identical to 
the statutory language but also clarifies that HIPAA-covered entities 
are excluded. This clarification is consistent with the coverage of 
section 13424, which requires a study and report on the ``Application 
of Privacy and Security Requirements to Non-HIPAA Covered Entities.''
---------------------------------------------------------------------------

    \9\ At the outset, proposed paragraph (f) clarifies that the 
term excludes HIPAA-covered entities, as well as other entities to 
the extent that they engage in activities as a business associate of 
a HIPAA-covered entity.
---------------------------------------------------------------------------

    Examples of entities that could fall within this category include a 
web-based application that helps consumers manage medications; a 
website offering an online personalized health checklist; and a 
brick-and-mortar company 
advertising dietary supplements online. Consumers interact with 
entities in this category by clicking on the appropriate link on the 
website of a vendor of personal health records.
    Second, PHR related entities include entities that are not HIPAA-
covered entities and that offer products or services through the 
websites of HIPAA-covered entities that offer individuals personal 
health records. This language is substantively identical to section 
13424(b)(1)(A)(iii) of the Recovery Act. This category differs from the 
first category in that it covers entities whose applications are 
offered through the websites of HIPAA-covered entities, as opposed to 
non-HIPAA covered entities. Entities may fall in both categories if 
they offer their applications through both HIPAA-covered websites and 
non-HIPAA covered websites.
    Third, PHR related entities include non-HIPAA covered entities 
``that access information in a personal health record or send 
information to a personal health record.'' This language is 
substantively identical to section 13424(b)(1)(A)(iv) of the Recovery 
Act. This category could include online applications through which 
individuals, for example, connect their blood pressure cuffs, blood 
glucose monitors, or other devices so that the results could be tracked 
through their personal health records. It could also include an online 
medication or weight tracking program that pulls information from a 
personal health record.

Third Party Service Provider

    Proposed paragraph (g) defines the term ``third party service 
provider'' as ``an entity that (1) provides services to a vendor of 
personal health records in connection with the offering or maintenance 
of a personal health record or to a PHR related entity in connection 
with a product or service offered by that entity, and (2) accesses, 
maintains, retains, modifies, records, stores, destroys, or otherwise 
holds, uses, or discloses unsecured PHR identifiable health information 
as a result of such services.'' Because the term third party service 
provider is not defined in the Recovery Act, the Commission based its 
proposed definition on the description of third party service providers 
in section 13407(b) of the Act. Third party service providers include, 
for example, entities that provide billing or data storage services to 
vendors of personal health records or PHR related entities.

Unsecured

    Proposed paragraph (h) defines the term ``unsecured'' as ``not 
protected through the use of a technology or methodology specified by 
the Secretary of Health and Human Services in the guidance issued under 
section 13402(h)(2) of the American Recovery and Reinvestment Act of 
2009.'' If such guidance is not issued by the date specified in such 
section (i.e., by 60 days after enactment of the Act and annually 
thereafter), the term unsecured means ``not secured by a technology 
standard that renders PHR identifiable information unusable, 
unreadable, or indecipherable to unauthorized individuals and that is 
developed or endorsed by a standards developing organization that is 
accredited by the American National Standards Institute.'' The proposed 
definition is substantively identical to the definition of ``unsecured 
PHR identifiable health information'' in the Recovery Act.

Vendor of Personal Health Records

    Proposed paragraph (i) defines the term ``vendor of personal health 
records'' to mean ``an entity, other than a HIPAA-covered entity or an 
entity to the extent that it engages in activities as a business 
associate of a HIPAA-covered entity, that offers or maintains a 
personal health record.'' This proposed definition is substantively 
identical to the statutory definition contained in section 13400(18) of 
the Recovery Act, but also clarifies that a vendor of personal health 
records does not include entities' activities as a business associate 
of a HIPAA-covered entity.

Proposed Section 318.3: Breach Notification Requirement

    Proposed paragraph 318.3(a) requires vendors of personal health 
records and PHR related entities, upon discovery of a breach of 
security, to notify U.S. citizens and residents whose information was 
acquired in the breach and to notify the FTC. This provision is 
substantively identical to section 13407(a) of the Recovery Act.
    Proposed paragraph 318.3(b) requires third party service providers 
to vendors of personal health records and to PHR related entities to 
notify those vendors and entities following the discovery of a breach. 
The purpose of this requirement is to ensure 
that the vendor or entity receiving the breach notification is aware of 
the breach, so that it can in turn provide its customers with a breach 
notice. To further this purpose, proposed paragraph 318.3(b) requires 
that the third party service provider's notification shall include 
``the identification of each individual'' whose information ``has been, 
or is reasonably believed to have been acquired during such breach.''
    The proposed paragraph is substantively identical to section 
13407(b) of the Recovery Act,\10\ but adds language requiring entities 
to provide notice to a senior official of the vendor or PHR related 
entity and to obtain acknowledgment from such official that he or she 
has received the notice. The purpose of this requirement is to avoid 
the situation in which lower-level employees of two entities might have 
discussions about a breach that never reach senior management. It is 
also designed to avoid the problem of lost e-mails or voicemails.
---------------------------------------------------------------------------

    \10\ As noted above, although the Recovery Act does not define 
the term ``third party service provider,'' the proposed rule sets 
forth a definition based on the language in section 13407(b) 
describing such entities. Thus, it is not necessary to repeat the 
descriptive language in this section of the proposed rule.
    In addition, the proposed rule requires notification to 
individuals whose information was ``acquired,'' while the Recovery 
Act uses the terms ``accessed, acquired, or disclosed.'' This change 
is intended to harmonize the proposed rule with the other provisions 
of the Act making clear that the standard for FTC-regulated 
entities, including third party service providers, is ``acquired.'' 
Indeed, the statute requires third party service providers to provide 
notification following a ``breach of security,'' which is defined only 
as unauthorized acquisition.
---------------------------------------------------------------------------

    Finally, proposed section 318.3(c) provides that a breach ``shall 
be treated as discovered as of the first day on which such breach is 
known to a vendor of personal health records, PHR related entity, or 
third party service provider, respectively, (including any person, 
other than the individual committing the breach, that is an employee, 
officer, or other agent of such vendor of personal health records, PHR 
related entity, or third party service provider, respectively) or 
should reasonably have been known to such vendor of personal health 
records, PHR related entity, or third party service provider (or 
person) to have occurred.'' This proposed paragraph is substantively 
identical to section 13402(c) of the Recovery Act.\11\
---------------------------------------------------------------------------

    \11\ Section 13407(c) of the Recovery Act states that the 
standard for when breaches are discovered for HIPAA-covered entities 
also shall apply to FTC-regulated entities ``in a manner specified 
by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Regarding the ``reasonably should have been known'' standard, the 
Commission expects entities that collect and store unsecured PHR 
identifiable health information to maintain reasonable security 
measures, including breach detection measures, which should assist them 
in discovering breaches in a timely manner. If an entity fails to 
maintain such measures, and thus fails to discover a breach, such 
failure could constitute a 
violation of the proposed rule because the entity ``reasonably'' should 
have known about the breach. The Commission recognizes, however, that 
certain breaches may be very difficult to detect, and that an entity 
with strong breach detection measures may nevertheless fail to discover 
a breach. In such circumstances, the failure to discover the breach 
would not constitute a violation of the proposed rule.\12\
---------------------------------------------------------------------------

    \12\ The Commission enforces a variety of laws requiring 
entities to provide reasonable and appropriate security for the data 
that they collect from consumers. See, e.g., Federal Trade 
Commission Act, 15 U.S.C. 45; Fair Credit Reporting Act, 15 U.S.C. 
1681-1681x; Gramm-Leach-Bliley Act, 15 U.S.C. 6801(b), and Standards 
for Safeguarding Customer Information, 16 CFR Part 314 (``Safeguards 
Rule''), available at (http://www.ftc.gov/os/2002/05/67fr36585.pdf.) 
The Commission has also disseminated educational materials 
encouraging companies to provide security for consumer data and 
providing guidance regarding practical ways to do so.
---------------------------------------------------------------------------

Proposed Section 318.4: Timeliness of Notification \13\
---------------------------------------------------------------------------

    \13\ Section 13407(c) of the Recovery Act states that the 
requirements for timeliness of notification applicable to HIPAA-
covered entities also shall apply to FTC-regulated entities ``in a 
manner specified by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Proposed section 318.4(a) requires breach notifications to 
individuals and the media to be made ``without unreasonable delay'' and 
in no case later than 60 calendar days after discovery of the breach. 
This language is substantively identical to section 13402(d)(1) of the 
Recovery Act, except that the Commission has clarified that the timing 
requirement for notice to consumers is different from the requirement 
for notice to the FTC. Proposed section 318.4(b) states that vendors of 
personal health records, PHR related entities, and third party service 
providers have the burden of proving that they provided the appropriate 
breach notifications. Finally, proposed section 318.4(c) allows breach 
notification to be delayed upon appropriate request of a law 
enforcement official. The proposed burden of proof and law enforcement 
provisions are substantively identical to sections 13402(d)(2) and 
13402(g) of the Recovery Act.\14\
---------------------------------------------------------------------------

    \14\ Section 13402(d)(1) of the Recovery Act sets forth the 
standard for timeliness of notification, but notes that this 
standard is subject to the exception for law enforcement set forth 
in section 13402(g).
---------------------------------------------------------------------------

    The Commission notes that the standard for timely notification is 
``without unreasonable delay,'' with the 60-day period serving as an 
outer limit. Thus, in some cases, it may be an ``unreasonable delay'' 
to wait until the 60th day to provide notification. For example, if a 
vendor of personal health records or PHR related entity learns of a 
breach, gathers all necessary information, and has systems in place to 
provide notification within 30 days, it would be unreasonable to wait 
until the 60th day to send the notice. There may also be 
circumstances where a vendor of personal health records or PHR related 
entity discovers that its third party service provider has suffered a 
breach (e.g., through a customer or whistleblower) before the service 
provider notifies the vendor or entity that the breach has occurred. In 
such circumstances, the vendor or entity should treat this breach as 
``discovered'' for purposes of providing timely notification, and 
should not wait until receiving notice from the service provider to 
begin taking steps to address the breach.

Proposed Section 318.5: Methods of Notice \15\
---------------------------------------------------------------------------

    \15\ Section 13407(c) of the Recovery Act states that the 
requirements for methods of breach notification applicable to HIPAA-
covered entities also shall apply to FTC-regulated entities ``in a 
manner specified by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Proposed section 318.5 addresses the methods of notice to 
individuals, the Commission, and the media in the event of a breach of 
security of unsecured PHR identifiable health information. The goal of 
this proposed section is to ensure prompt and effective notice.

Individual Notice

    Proposed paragraph (a) addresses notice to individuals. It contains 
four main requirements. First, proposed paragraph (a)(1) states that 
individuals must be given notice by first-class mail or, if the 
individual provides express affirmative consent, by e-mail. This 
language is identical to section 13402(e)(1)(A) of the Recovery Act, 
except that it interprets the statutory phrase ``specified as a 
preference by the individual'' to mean that the individual must provide 
``express affirmative consent'' to receive breach notices by e-mail. 
Entities may obtain such consent by asking individuals, when they 
create an account, whether they would prefer to receive important 
notices about privacy by first-class mail or e-mail.\16\
---------------------------------------------------------------------------

    \16\ The Commission does not regard pre-checked boxes or 
disclosures that are buried in a privacy policy or terms of service 
agreement to be sufficient to obtain consumers' ``express 
affirmative consent.''
---------------------------------------------------------------------------

    The Commission recognizes that the relationship between a vendor of 
personal health records or PHR related entity and the individual takes 
place online. Thus, e-mail notice may be particularly well-suited to 
the relationship. In addition, vendors of personal health records and 
PHR related entities may not want to collect mailing addresses from 
consumers, and consumers may not want to provide them. Under the 
proposed rule, these entities need not collect such mailing addresses, 
as long as they obtain consumers' express affirmative consent to 
receive notices by e-mail. The Commission recognizes that some e-mail 
notifications may be screened by consumers' spam filters and requests 
comment on how to address this issue.
    Second, as provided in section 13402(e)(1)(C) of the Recovery Act, 
proposed paragraph (a)(2) allows a vendor of personal health records or 
PHR related entity to provide notice by telephone or other appropriate 
means, in addition to the notice provided in paragraph (a)(1), if there 
is possible imminent misuse of unsecured PHR identifiable health 
information.
    Third, proposed paragraph (a)(3) states that if, after making 
reasonable efforts to contact an individual through his or her 
preferred method of communication, the vendor of personal health 
records or PHR related entity learns that such method is insufficient 
or out-of-date, the vendor or related entity shall attempt to provide 
the individual with a substitute form of actual notice, which may 
include written notice through the individual's less-preferred method, 
a telephone call, or other appropriate means. This provision gives 
effect to section 13402(e)(1)(B) of the Recovery Act, which requires a 
substitute form of notice in the case of insufficient or out-of-date 
contact information, but adds clarifying language requiring reasonable 
efforts to provide the preferred form of notice before substitute 
notice can be used. Examples of reasonable efforts include: (1) where 
e-mail is the consumer's preferred method, attempting to e-mail the 
notice and receiving a return message stating that the e-mail could not 
be delivered; (2) where first class mail is the consumer's preferred 
method, attempting to mail such notice and having it returned as 
undeliverable; (3) in the case of incomplete contact information, 
searching internal records and, if needed, undertaking additional 
reasonable efforts to obtain complete and accurate contact information 
from other sources. The proposed rule also adds language stating that 
methods of substitute notice may include written notice by the 
consumer's less preferred method or telephone.
    Finally, the proposed rule states that if ten or more individuals 
cannot be reached, the vendor of personal health records or PHR related 
entity must

[[Page 17919]]

provide substitute notice in one of two forms. First, it can provide 
notice through the home page of its website. Second, it can provide 
notice in major print or broadcast media. The language in the proposed 
rule is substantively identical to section 13402(e)(1)(B) of the 
Recovery Act, but adds certain clarifying language, as noted below.
    As to the first method of substitute notice, the Recovery Act 
states that the posting should appear for a period determined by the 
Commission and be ``conspicuous.'' The Commission believes that six 
months is an appropriate time period for posting of the notice and has 
so specified in the proposed rule. Requiring a six month posting will 
ensure that individuals who intermittently check their accounts obtain 
notice, without being unduly burdensome for businesses.
    To ensure conspicuousness, if an entity intends to use a hyperlink 
on the home page to convey the breach notice, the hyperlink should be 
(1) prominent so that it is noticeable to consumers, given the size, 
color and graphic treatment of the hyperlink in relation to other parts 
of the page; and (2) worded to convey the nature and importance of the 
information to which it leads. For example, ``click here'' would not be 
an appropriate hyperlink; a prominent ``click here for an important 
notice about a security breach that may affect you'' would be.\17\
---------------------------------------------------------------------------

    \17\ See ``Dot Com Disclosures: Information about Online 
Advertising,'' (http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus41.pdf).
---------------------------------------------------------------------------

    Regarding the requirement that the notice be posted on the home 
page, the Commission notes that individuals who already have accounts 
with vendors of personal health records may be directed to a first or 
``landing'' page that is different from the home page to which non-
account holders are directed. The Commission thus construes ``home 
page'' to include both the home page for new visitors and the landing 
page for existing account holders. In general, the Commission 
anticipates that, because PHRs generally involve an online 
relationship, web posting would be a particularly well-suited method of 
substitute notice to individuals.
    The alternative form of substitute notice described in this 
paragraph is media notice ``in major print or broadcast media, 
including major media in geographic areas where individuals affected by 
the breach likely reside, which shall be reasonably calculated to reach 
individuals affected by the breach.'' This language is substantively 
identical to section 13402(e)(1)(B) of the Recovery Act, but also adds 
a clause requiring that such notice ``be reasonably calculated to reach 
the individuals affected.'' Indeed, because this notice is intended to 
serve as a substitute for notice to particular individuals, it should 
be reasonably calculated to reach those individuals.
    The appropriate scope of substitute media notice will depend on 
several factors, including the number of individuals for whom no 
contact information can be obtained, the location of those individuals, 
and the reach of the particular media used. For example, if a vendor of 
personal health records experiences a breach in which a hacker obtains 
the health records of millions of individuals nationwide, and the 
vendor has no contact information for these individuals, the notice 
should run multiple times in national print publications and on 
national network and cable television. In contrast, if an online weight 
management application loses a customer list and can reach all but 20 
individuals in a particular city, it could run a more limited number of 
advertisements in appropriate local media.
    Further, a notice can only be ``reasonably calculated to reach the 
individuals affected'' if it is clear and conspicuous. Thus, the 
notices should be stated in plain language, be prominent, and run 
multiple times. The Commission requests further comment on the 
standards that should apply to substitute media notice.
    As set forth in section 13402(e)(1)(B) of the Recovery Act, the 
proposed rule also provides that notice under paragraph (3), whether on 
the home page of the website or by media notice, must include a toll-
free phone number where an individual can learn whether his or her 
unsecured PHR identifiable health information may be included in the 
breach. As to this requirement, the Commission notes that entities 
should have reasonable procedures in place to verify that they are 
providing the requested information only to the individual and not to 
an unauthorized person. For example, entities could provide the 
requested information pertaining to the consumer pursuant to the 
``preferred method'' designated in paragraph (a)(1).

Notice to Media

    Proposed paragraph (b) requires media notice ``to prominent media 
outlets serving a State or jurisdiction'' if there has been a breach of 
security of unsecured PHR identifiable health information of 500 or 
more residents of the state or jurisdiction.\18\ This media notice 
differs from the substitute media notice described in paragraph 318.5 
in that it is directed ``to'' the media and is intended to supplement, 
but not substitute for, individual notice. The proposed paragraph is 
substantively identical to section 13402(e)(2) of the Recovery Act, but 
adds a requirement that the notice include the information set forth in 
proposed section 318.6.
---------------------------------------------------------------------------

    \18\ Although section 13402(e)(2) of the Recovery Act requires 
notice to media for breaches involving ``more than 500'' residents, 
section 13402(e)(3) requires notice to the government for breaches 
with respect to ``500 or more'' individuals. For consistency, the 
proposed rule uses ``500 or more'' for both kinds of notice.
---------------------------------------------------------------------------

    This media notice should, at a minimum, include the dissemination 
of a press release to media outlets in the area(s) affected by the 
breach. For example, if a breach affects consumers from a particular 
state or locality, the press release could be sent to the relevant 
division or department (e.g., health, technology, or business) of a 
number of state or local print publications, network and cable news 
shows, and radio stations. The Commission requests further comment on 
the standards and criteria that should apply in determining the 
adequacy of media notice.

Notice to the Commission

    Proposed paragraph (c) addresses notice to the Commission. Under 
the proposed paragraph, vendors of personal health records and PHR 
related entities must provide notice to the Commission as soon as 
possible and in no case later than five business days if the breach 
involves the unsecured PHR identifiable health information of 500 or 
more individuals. If the breach involves the unsecured PHR identifiable 
health information of fewer than 500 individuals, vendors of personal 
health records and PHR related entities may, in lieu of immediate 
notice, maintain a breach log and submit such a log annually to the 
Commission. The proposed paragraph is substantively identical to 
section 13402(e)(3) of the Recovery Act, but clarifies the Act's 
requirements as follows.
    First, the paragraph interprets the term ``immediately'' to mean 
``as soon as possible, and in no case later than five business days.'' 
The Commission believes that this period of time satisfies the 
requirement for immediacy, while still being sufficient for the 
breached entity to learn enough about the breach to provide meaningful 
notice to the Commission.\19\
---------------------------------------------------------------------------

    \19\ The Commission recognizes that the breached entity may not 
learn all relevant information about the breach within five business 
days, such as number of consumers affected or extent of the 
information breached. Nonetheless, the entity should tell the 
Commission all that it knows and should provide additional 
information as it becomes available.
---------------------------------------------------------------------------

[[Page 17920]]

    Second, the paragraph states that the ``annual log'' to be 
submitted to the Commission for breaches involving fewer than 500 
individuals shall be due one year from the date of the entity's first 
breach.\20\ The Commission believes that specifying a date for 
submitting the log will assist entities in complying with the proposed 
rule.
---------------------------------------------------------------------------

    \20\ No annual log needs to be provided for years in which no 
breaches occur.
---------------------------------------------------------------------------

    Third, the paragraph references a form that the Commission plans to 
develop, to be posted on the Commission's website, www.ftc.gov, and to 
be used by entities to provide both the immediate and the annual 
required notice to the Commission under the proposed rule.\21\ Among 
other things, the form will request information similar to that 
required to be included in a notice to individuals under section 318.6.
---------------------------------------------------------------------------

    \21\ The Commission also will provide notice of breaches to the 
Secretary of HHS, as required by section 13407(d) of the Recovery 
Act.
---------------------------------------------------------------------------
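    The notice obligations of proposed section 318.5 can be read as a 
small decision procedure: attempt each individual's preferred method, 
fall back to the less-preferred written method when the preferred one 
is insufficient or out-of-date, require substitute notice when ten or 
more individuals cannot be reached, require media notice for any state 
with 500 or more affected residents, and require Commission notice 
within five business days when 500 or more individuals are involved, 
otherwise an annual log due one year from the first breach. The 
following planner is an added illustration of that procedure and is 
not code from the Commission or the proposed rule; it assumes that 
only e-mail and first-class mail are modelled (telephone and ``other 
appropriate means'' are omitted), that business days are weekdays with 
federal holidays ignored, and that the sample population is 
constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and periods taken from the proposed rule text (section 318.5).
SUBSTITUTE_NOTICE_MIN_UNREACHED = 10   # (a)(3): ten or more individuals cannot be reached
MEDIA_NOTICE_MIN_RESIDENTS = 500       # (b): 500 or more residents of a state or jurisdiction
COMMISSION_IMMEDIATE_MIN = 500         # (c): 500 or more individuals -> immediate notice
COMMISSION_DEADLINE_BUSINESS_DAYS = 5  # "in no case later than five business days"
WEB_POSTING_MONTHS = 6                 # conspicuous home-page posting period


@dataclass
class Individual:
    ident: str
    state: str
    preferred: str                  # "email" (with express affirmative consent) or "mail"
    email_delivered: Optional[bool]  # None = no address on file; False = bounced
    mail_delivered: Optional[bool]   # None = no address on file; False = returned undeliverable


def notice_outcome(ind: Individual) -> str:
    """How the individual was actually reached under (a)(1) and (a)(3): preferred
    method first, then the less-preferred written method as substitute notice;
    anyone reached by neither counts toward the substitute-notice threshold."""
    order = ["email", "mail"] if ind.preferred == "email" else ["mail", "email"]
    results = {"email": ind.email_delivered, "mail": ind.mail_delivered}
    for channel in order:
        if results[channel] is True:
            return channel
    return "unreached"


def add_business_days(start: date, n: int) -> date:
    """Count n weekday business days forward from start (assumption: holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def one_year_later(d: date) -> date:
    """Annual log due date: one year from the first breach (29 Feb rolls to 28 Feb)."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def plan_notifications(population, discovered: date) -> dict:
    """Derive the 318.5 obligations for one breach from delivery results and residency."""
    outcomes = [notice_outcome(ind) for ind in population]
    counts = Counter(outcomes)
    residents = Counter(ind.state for ind in population)
    total = len(population)
    immediate = total >= COMMISSION_IMMEDIATE_MIN
    return {
        "individual_notice": {k: counts.get(k, 0) for k in ("email", "mail", "unreached")},
        "substitute_notice_required": counts.get("unreached", 0) >= SUBSTITUTE_NOTICE_MIN_UNREACHED,
        "substitute_notice_options": [
            f"conspicuous home/landing page posting for {WEB_POSTING_MONTHS} months with toll-free number",
            "major print or broadcast media reasonably calculated to reach those affected, with toll-free number",
        ],
        "media_notice_states": sorted(s for s, n in residents.items() if n >= MEDIA_NOTICE_MIN_RESIDENTS),
        "commission_notice": "immediate" if immediate else "annual_log",
        "commission_deadline": add_business_days(discovered, COMMISSION_DEADLINE_BUSINESS_DAYS) if immediate else None,
        "annual_log_due": None if immediate else one_year_later(discovered),
    }


def sample_population():
    """Constructed sample: 520 Californians and 30 New Yorkers who all chose e-mail.
    Every 40th record bounced and has no postal address (unreachable); every 7th
    bounced but was reached by first-class mail; the rest were reached by e-mail."""
    people = []
    for k in range(550):
        state = "CA" if k < 520 else "NY"
        if k % 40 == 0:
            people.append(Individual(f"u{k}", state, "email", False, None))
        elif k % 7 == 0:
            people.append(Individual(f"u{k}", state, "email", False, True))
        else:
            people.append(Individual(f"u{k}", state, "email", True, None))
    return people


if __name__ == "__main__":
    for key, value in plan_notifications(sample_population(), date(2009, 4, 20)).items():
        print(f"{key}: {value}")
```

    Running the block on the constructed sample reports 14 unreached 
individuals (so substitute notice is required), California as the one 
state crossing the media-notice threshold, and an immediate Commission 
notice due five business days after the discovery date.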

Proposed Section 318.6: Content of Notice\22\
---------------------------------------------------------------------------

    \22\ Section 13407(c) of the Recovery Act states that the 
requirements for contents of breach notification applicable to 
HIPAA-covered entities also shall apply to FTC-regulated entities 
``in a manner specified by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Proposed section 318.6 addresses the content of the notice to 
individuals. It requires that the notice include a description of how 
the breach occurred; a description of the types of unsecured PHR 
identifiable health information that were involved in the breach; the 
steps individuals should take to protect themselves from potential 
harm; a description of what the vendor of personal health records or 
PHR related entity involved is doing to investigate the breach, to 
mitigate any losses, and to protect against any further breaches; and 
contact procedures for individuals to ask questions or learn additional 
information. The language in the proposed rule is substantively 
identical to the language of section 13402(f) of the Recovery Act. The 
Commission notes two points with respect to this section.
    First, to ensure that notices do not raise concerns about phishing, 
those sending notices should not include any requests for personal or 
financial information.\23\
---------------------------------------------------------------------------

    \23\ Phishing is the act of sending an electronic message under 
false pretenses to induce unsuspecting victims to reveal personal 
and financial information.
---------------------------------------------------------------------------

    Second, the proposed rule requires that the notice identify steps 
individuals should take to protect themselves from potential harm. The 
Commission recognizes that these steps will differ depending on the 
circumstances of the breach and the type of PHR identifiable health 
information involved. In some instances--for example, if health 
insurance account information is compromised--there is a possibility 
that data will be misused. In such cases, the entity could suggest 
steps including, but not limited to, requesting and reviewing copies of 
medical files for potential errors; monitoring explanation of benefit 
forms for potential errors; contacting insurers to notify them of 
possible medical identity theft; following up with providers if medical 
bills do not arrive on time to ensure that an identity thief has not 
changed the billing address; and, in appropriate cases, trying to 
change health insurance account numbers.
    If the breach also involves Social Security numbers, the entity 
should suggest additional steps such as placing a fraud alert on credit 
reports; obtaining and reviewing copies of credit reports for signs of 
identity theft; calling the local police or sheriff's office in the 
event suspicious activity is detected; and if appropriate, obtaining a 
credit freeze.\24\ In the case of a breach involving financial account 
numbers, the entity also should direct consumers to monitor their 
accounts for suspicious activity and contact their financial 
institution about closing any compromised accounts. In appropriate 
cases, the entity also could refer consumers to the FTC's identity 
theft website, www.ftc.gov/idtheft.
---------------------------------------------------------------------------

    \24\ In general, once a consumer initiates a credit freeze with 
a consumer reporting agency, the freeze prevents the agency from 
releasing a credit report about that consumer unless the consumer 
removes the freeze.
---------------------------------------------------------------------------

    In other instances, the likely harm will be personal embarrassment. 
In such cases, any steps that an individual may choose to take will 
likely be personal to that individual, and the entity may not be in a 
position to advise the consumer.

Proposed Sections 318.7, 318.8, and 318.9

    Proposed sections 318.7, 318.8, and 318.9 are substantively 
identical to the statutory provisions on enforcement, effective date, 
and sunset. Proposed section 318.9 clarifies that the sunsetting of the 
rule is triggered when Congress enacts new legislation affecting 
entities subject to the FTC rule.

III. Communications by Outside Parties to Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding from any 
outside party to any Commissioner or Commissioner's advisor will be 
placed on the public record. See 16 CFR 1.26(b)(5).

IV. Paperwork Reduction Act

    The Commission is submitting this proposed rule and a Supporting 
Statement to the Office of Management and Budget for review under the 
Paperwork Reduction Act (``PRA'') (44 U.S.C. 3501-3521). The breach 
notification requirements discussed above constitute ``collections of 
information'' for purposes of the PRA. See 5 CFR 1320.3(c). 
Accordingly, staff has estimated the paperwork burden for these 
requirements as set forth below.
    In the event of a data breach, the proposed rule would require 
covered firms to investigate and, if certain conditions are met, notify 
consumers and the Commission. The paperwork burden of these 
requirements will depend on a variety of factors, including the number 
of covered firms; the percentage of such firms that will experience a 
breach requiring further investigation and, if necessary, the sending 
of breach notices; and the number of consumers notified.
    Based on input from industry sources, staff estimates that 
approximately 200 vendors of personal health records and 500 PHR 
related entities will be covered by the Commission's proposed rule. 
Thus, a total of 700 entities may be required to notify consumers and 
the Commission in the event that they experience a breach. 
Approximately 200 third party service providers also will be subject to 
the rule, and thus required to notify vendors of personal health 
records or PHR related entities in the event of a breach. Thus, a total 
of approximately 900 entities will be subject to the proposed rule's 
breach notification requirements.
    Staff estimates that these entities, cumulatively, will experience 
11 breaches per year for which notification may be required. Because 
there is insufficient data at this time about the number and incidence 
of breaches in the PHR industry, staff used available data relating to 
breaches incurred by private sector businesses in order to calculate a 
breach incidence rate. Staff then applied this rate to the estimated 
total number of entities that will be subject to the proposed rule. 
According to one recent research paper, private sector businesses 
across multiple industries experienced a total of approximately 50 
breaches per year

[[Page 17921]]

during the years 2002 through 2007.\25\ Dividing 50 breaches by the 
estimated number of firms that would be subject to a breach (4,187) 
\26\ yields an estimated breach incidence rate of 1.2% per year. 
Applying this incidence rate to the estimated 900 vendors of personal 
health records, PHR related entities, and third party service providers 
yields an estimate of 11 breaches per year that may require 
notification of consumers and the Commission.
---------------------------------------------------------------------------

    \25\ Sasha Romanosky, Rahul Telang & Alessandro Acquisti, ``Do 
Data Breach Disclosure Laws Reduce Identity Theft?'' Seventh 
Workshop on the Economics of Information Security, June 2008. The 
authors tallied the breaches reported to the website Attrition.org 
during the time period 2002 to 2007 and counted a total of 773 
breaches for a range of entities, including businesses, governments, 
health providers, and educational institutions. Staff used the 
volume of breaches reported for businesses (246 over a 5 year 
period, or approximately 50 per year) because that class of data is 
most compatible with other data staff used to calculate the 
incidence of breaches.
    \26\ Staff focused on firms that routinely collect information 
on a sizeable number of consumers, thereby rendering them attractive 
targets for data thieves. To do so, staff focused first on retail 
businesses and eliminated retailers with annual revenue under 
$1,000,000. The 2002 Economic Census reports that, in that year, 
there were 418,713 retailers with revenue of $1,000,000 or more. To 
apply 50 breaches to such a large population, however, would yield a 
very small incidence rate. In an abundance of caution, to estimate 
more conservatively the incidence of breach, staff then assumed that 
only one percent of these firms had security vulnerabilities that 
would render them breach targets, thus yielding the total of 4,187.
---------------------------------------------------------------------------

    To determine the annual paperwork burden, staff has developed 
estimates for three categories of potential costs: (1) The costs of 
determining what information has been breached, identifying the 
affected customers, preparing the breach notice, and making the 
required report to the Commission; (2) the cost of notifying consumers; 
and (3) the cost of setting up a toll-free number, if needed.
    First, in order to determine what information has been breached, 
identify the affected customers, prepare the breach notice, and make 
the required report to the Commission, staff estimates that covered 
firms will require per breach, on average, 100 hours of employee labor 
at a cost of $4,652,\27\ and the services of a forensic expert at an 
estimated cost of $2,930.\28\ Thus, the cost estimate for each breach 
will be $7,582. This estimate does not include the cost of equipment or 
other tangible assets of the breached firms, because they likely will 
use the equipment and other assets they have for ordinary business 
purposes. Based on the estimate that there will be 11 breaches per 
year, the annual cost burden for affected entities to perform these 
tasks will be $83,402 (11 breaches x $7,582 each).
---------------------------------------------------------------------------

    \27\ Hourly wages throughout this notice are based on http://www.bls.gov/ncs/ncswage2007.htm (National Compensation Survey: 
Occupational Earnings in the United States 2007, U.S. Department of 
Labor released August 2008, Bulletin 2704, Table 3 (``Full-time 
civilian workers,'' mean and median hourly wages).
    The breakdown of labor hours and costs is as follows: 50 hours 
of computer and information systems managerial time at $52.56 per 
hour; 12 hours of marketing managerial time at $53.00 per hour; 33 
hours of computer programmer time at $33.77 per hour; and 5 hours of 
legal staff time at $54.69 per hour.
    \28\ Staff estimates that breached entities will use 30 hours of 
a forensic expert's time. Staff applied the wages of a network 
systems and data communications analyst ($32.56), tripled it to 
reflect profits and overhead for an outside consultant ($97.68), and 
multiplied it by 30 hours to yield $2,930.
---------------------------------------------------------------------------

    Second, the cost of breach notifications will depend on the number 
of consumers contacted. Based on a recent survey, 11.6 percent of 
adults reported receiving a breach notification during a one-year 
period.\29\ Staff estimates that for the prospective 3-year PRA 
clearance, the average customer base of all vendors of personal health 
records and PHR related entities will be approximately two million per 
year. Accordingly, staff estimates that an average of 232,000 consumers 
per year will receive a breach notification.
---------------------------------------------------------------------------

    \29\ Ponemon Institute, ``National Survey on Data Security 
Breach Notification,'' 2005. Staff believes that this estimate is 
likely high given the importance of data security to the PHR 
industry and the likelihood that data encryption will be a strong 
selling point to consumers.
---------------------------------------------------------------------------

    Given the online relationship between consumers and vendors of 
personal health records and PHR related entities, most notifications 
will be made by email and the cost of such notifications will be de 
minimis.\30\
---------------------------------------------------------------------------

    \30\ See National Do Not Email Registry, A Report to Congress, 
June 2004 n.93, available at www.ftc.gov/reports/dneregistry/report.pdf.
---------------------------------------------------------------------------

    In some cases, however, vendors of personal health records and PHR 
related entities will need to notify individuals by postal mail, either 
because these individuals have asked for such notification, or because 
the email addresses of these individuals are not current or not 
working. Staff estimates that the cost of notifying an individual by 
postal mail is approximately $2.30 per letter.\31\ Assuming that 
vendors of personal health records and PHR related entities will need 
to notify by postal mail 10 percent of their customers whose 
information is breached, the estimated cost of this notification will 
be $53,360 per year.
---------------------------------------------------------------------------

    \31\ Robin Sidel and Mitchell Pacelle, ``Credit-Card Breach 
Tests Banking Industry's Defenses,'' Wall Street Journal, June 21, 
2005, p.C1. Sidel and Pacelle reported that industry sources 
estimated the cost per letter to be about $2.00 in 2005. Allowing 
for inflation, staff estimates the cost to average about $2.30 per 
letter over the next thr