Health Breach Notification Rulemaking #541358-00131

Submission Number: 541358-00131
Commenter: Hugo Stephenson
Organization: iGuard.org
State: NJ
Initiative Name: Health Breach Notification Rulemaking

iGuard.org appreciates that the FTC issued this proposed Health Breach Notification Rule for comment. iGuard.org provides registered members with timely, personalized drug safety ratings and alerts only by electronic mail. Accordingly, for this purpose, iGuard.org does not collect name, address and other directly identifiable data from the registrants. In addition to collection of minimal information from registrants, other measures that iGuard.org has implemented to ensure privacy protection include encryption for all identifying information, offline (decoupled) storage of indirect identifiers, staff access only to de-identified data, and an automated e-mail distribution system driven by selection of de-identified data.

As per the proposed rule, iGuard.org may be expected to contact all the current registrants, now over 1 million, asking them (1) whether we can send them an e-mail if there is a breach of information security or (2) whether they wish notification by first class mail. Many registrants simply may ignore the e-mail. Others may choose to be notified by first class mail, so that they would have to provide their name and address to iGuard.org. This proposed rule is contrary to the Proportionality Principle and would pose a new and greater risk to the consumers' personal data and increase the liability for iGuard.org.

At proposed 16 CFR section 318.5(a)(1), the Commission states that it does not regard pre-checked boxes or disclosures that are buried in a privacy policy or terms of service agreement to be sufficient to obtain consumers' express affirmative consent. However, we assert that it is sensible and consistent with the Proportionality Principle for the registrants to be informed in the Terms and Conditions of the website that they will receive all communications by electronic mail, including health breach notifications.
We note that the currently accepted best practice standard for breach reporting is that the entity knows or should have known that a breach has compromised the security or privacy of information. Instead, the proposed rule places the burden of proof on the entity to show that unauthorized access could not have resulted in acquisition. If a third party provider or related entity accesses or uses only indirectly identifiable health information, the identification of individuals for breach notification may be practically impossible. Indeed, such a re-identification process, undertaken solely for the purpose of sending breach notices, would be costly and burdensome and disproportionate to the risk. The proposed rule requires notifications to the consumer regardless of the level of risk involved. This may be confusing to the consumer and cause them to become inured to these notices.

For the benefit of both the consumer and those subject to this proposed rule, we urge that the FTC take a practical approach to health breach notification to the extent permitted in the American Recovery and Reinvestment Act. Detailed comments from iGuard.org are attached.