[Federal Register Volume 74, Number 74 (Monday, April 20, 2009)]
[Proposed Rules]
[Pages 17914-17925]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-8882]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318

[RIN 3084-AB17]


Health Breach Notification Rule

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: Under the American Recovery and Reinvestment Act of 2009 (the 
``Recovery Act'' or ``the Act''), the Federal Trade Commission 
(``FTC'') or (``Commission'') must issue rules requiring vendors of 
personal health records and related entities to notify individuals when 
the security of their individually identifiable health information is 
breached. Accordingly, the FTC seeks comment on a proposed rule.

DATES: Comments must be received on or before June 1, 2009.

ADDRESSES: Interested parties are invited to submit written comments 
electronically or in paper form. Comments should refer to ``Health 
Breach Notification Rulemaking, Project No. R911002'' to facilitate the 
organization of comments. Please note that your comment--including your 
name and your state--will be placed on the public record of this 
proceeding, including on the publicly accessible FTC website, at 
(http://www.ftc.gov/os/publiccomments.shtm).
    Because comments will be made public, they should not include any 
sensitive personal information, such as an individual's Social Security 
number; date of birth; driver's license number, state identification 
number, or foreign country equivalent; passport number; financial 
account number; or credit or debit card number. Comments also should 
not include any sensitive health information, such as medical records 
or other individually identifiable health information. In addition, 
comments should not include any ``[t]rade secret or any commercial or 
financial information which is obtained from any person and which is 
privileged or confidential * * *,'' as provided in Section 6(f) of the 
FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). 
Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c), 16 CFR 
4.9(c).\1\
---------------------------------------------------------------------------

    \1\ See also FTC Rule 4.2(d), 16 CFR 4.2(d). The comment must be 
accompanied by an explicit request for confidential treatment, 
including the factual and legal basis for the request, and must 
identify the specific portions of the comment to be withheld from 
the public record. The request will be granted or denied by the 
Commission's General Counsel, consistent with applicable law and the 
public interest. See FTC Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Because paper mail addressed to the FTC is subject to delay due to 
heightened security screening, please consider submitting your comments 
in electronic form. Comments filed in electronic form should be 
submitted by using the weblink (https://secure.commentworks.com/ftc-healthbreachnotification), and following the instructions on the web-
based form. To ensure that the Commission considers an electronic 
comment, you must file it on the web-based form at the weblink (https://secure.commentworks.com/ftc-healthbreachnotification). If this Notice 
appears at (http://www.regulations.gov/search/index.jsp), you also may 
file an electronic comment through that website. The Commission will 
consider all comments that regulations.gov forwards to it. You also may 
visit the FTC website at http://www.ftc.gov to read the Notice and the 
news release describing it.
    A comment filed in paper form should include the ``Health Breach 
Notification Rulemaking, Project No. R911002'' reference both in the 
text and on the envelope, and should be mailed or delivered to the 
following address: Federal Trade Commission/Office of the Secretary, 
Room H-135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 
20580. The FTC is requesting that any comment filed in paper form be 
sent by courier or overnight service, if possible, because U.S. postal 
mail in the Washington area and at the Commission is subject to delay 
due to heightened security precautions.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. The Commission will consider all timely and responsive 
public comments that it receives, whether filed in paper or electronic 
form. Comments received will be available to the public on the FTC 
website, to the extent practicable, at (http://www.ftc.gov/os/publiccomments.shtm). As a matter of discretion, the Commission makes 
every effort to remove home contact information for individuals from 
the public comments it receives before placing those comments on the 
FTC website. More information, including routine uses permitted by the 
Privacy Act, may be found in the FTC's privacy policy, at (http://www.ftc.gov/ftc/privacy.shtm).
    Comments on any proposed filing, recordkeeping, or disclosure 
requirements that are subject to paperwork burden review under the 
Paperwork Reduction Act should additionally be submitted to: Office of 
Information and Regulatory Affairs, Office of Management and Budget 
(``OMB''), Attention: Desk Officer for Federal Trade Commission. 
Comments should be submitted via facsimile to (202) 395-5167 because 
U.S. postal mail at the OMB is subject to delays due to heightened 
security precautions.

FOR FURTHER INFORMATION CONTACT: Cora Tung Han or Maneesha Mithal, 
Attorneys, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, 
NW., Washington, DC 20580, (202) 326-2252.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Section-by-Section Analysis of the Proposed Rule
III. Paperwork Reduction Act
IV. Regulatory Flexibility Act
V. Proposed Rule

I. Background

    On February 17, 2009, President Obama signed the American Recovery 
and Reinvestment Act of 2009 (the ``Recovery Act'' or ``the Act'') into 
law.\2\ The Act includes provisions to advance the use of health 
information technology and, at the same time, strengthen privacy and 
security protections for health information.
---------------------------------------------------------------------------

    \2\ American Recovery & Reinvestment Act of 2009, Pub. L. 111-5, 
---- Stat. ----.
---------------------------------------------------------------------------

    Among other things, the Recovery Act recognizes that there are new 
types of web-based entities that collect consumers' health information. 
These entities include vendors of personal health records and online 
applications that interact with such personal health records. Some of 
these entities are not subject to the privacy and security requirements 
of the Health Insurance Portability and Accountability Act 
(``HIPAA'').\3\ For such entities, the Recovery Act requires the 
Department of Health and Human Services (``HHS'') to

[[Page 17915]]

study, in consultation with the FTC, potential privacy, security, and 
breach notification requirements and submit a report to Congress 
containing recommendations within one year of enactment of the Recovery 
Act. Until Congress enacts new legislation implementing any 
recommendations contained in the HHS/FTC report, the Recovery Act 
contains temporary requirements, to be enforced by the FTC, that such 
entities notify customers in the event of a security breach.\4\ The 
proposed rule implements these requirements.
---------------------------------------------------------------------------

    \3\ Health Insurance Portability & Accountability Act, Pub. L. 
104-191, 110 Stat. 1936 (1996).
    \4\ Section 13407(g)(1) of the Recovery Act requires the FTC to 
promulgate, within 180 days of its enactment, regulations on the 
breach of security notification provisions applicable to its 
regulated entities.
---------------------------------------------------------------------------

    The Recovery Act also directs HHS to promulgate interim final 
regulations requiring (1) HIPAA-covered entities, such as hospitals, 
doctors' offices, and health insurance plans, to notify individuals in 
the event of a security breach and (2) business associates of HIPAA-
covered entities to notify such covered entities in the event of a 
security breach. To the extent that FTC-regulated entities engage in 
activities as business associates of HIPAA-covered entities, such 
entities will be subject only to HHS' rule requirements and not the 
FTC's rule requirements, as explained below. In addition, the 
Commission notes that many of the breach notification requirements 
applicable to FTC-regulated entities are the same as the breach 
notification requirements applicable to HHS-regulated entities. Indeed, 
section 13407 of the Recovery Act states that the statutory 
requirements for timeliness, method, and content of breach 
notifications contained in section 13402 (the section applicable to 
HHS-regulated entities) shall apply to FTC-regulated entities ``in a 
manner specified by the Federal Trade Commission.'' Thus, the FTC is 
consulting with HHS to harmonize its proposed rule with HHS' proposed 
rule.

II. Section-by-Section Analysis of the Proposed Rule

    The Commission proposes to issue the Health Breach Notification 
Rule as a new Part 318 of 16 CFR. The following is a section-by-section 
analysis of the proposed rule.

Proposed Section 318.1: Purpose and Scope

    Proposed section 318.1 serves three purposes. First, it states the 
relevant statutory authority for the proposed rule. Second, it 
identifies the entities to which the proposed rule would apply: vendors 
of personal health records, PHR \5\ related entities, and third party 
service providers. Third, proposed section 318.1 clarifies that the 
proposed rule does not apply to HIPAA-covered entities or to an 
entity's activities as a business associate of a HIPAA-covered entity.
---------------------------------------------------------------------------

    \5\ PHR means personal health record.
---------------------------------------------------------------------------

    The Commission also notes that the proposed rule applies to 
entities beyond the FTC's traditional jurisdiction under Section 5 of 
the FTC Act, since the Recovery Act does not limit the FTC's 
enforcement authority to its enforcement jurisdiction under Section 5. 
Indeed, section 13407 of the Recovery Act expressly applies to 
``vendors of personal health records and other non-HIPAA covered 
entities,'' without regard to whether such entities fall within the 
FTC's enforcement jurisdiction. Thus, the proposed rule would apply to 
entities such as non-profit entities that offer personal health records 
or related products and services, as well as non-profit third party 
service providers.
    With respect to the scope of the proposed rule, the Commission 
seeks comment on (1) the nature of entities to which its proposed rule 
would apply; (2) the particular products and services they offer; (3) 
the extent to which vendors of personal health records, PHR related 
entities, and third party service providers may be HIPAA-covered 
entities or business associates of HIPAA-covered entities; (4) whether 
some vendors of personal health records may have a dual role as a 
business associate of a HIPAA-covered entity and a direct provider of 
personal health records to the public; and (5) circumstances in which 
such a dual role might lead to consumers' receiving multiple breach 
notices or receiving breach notices from an unexpected entity, and 
whether and how the rule should address such circumstances.

Proposed Section 318.2: Definitions

    This section defines terms used in the Health Breach Notification 
Rule.

Breach of Security

    The first sentence of proposed paragraph (a) defines ``breach of 
security'' as the acquisition of unsecured PHR identifiable health 
information of an individual in a personal health record without the 
authorization of the individual. This sentence is identical to the 
definition of ``breach of security'' in section 13407(f)(1) of the 
Recovery Act.
    In some cases, it will be fairly easy to determine whether 
unsecured PHR identifiable health information has been acquired without 
authorization. Examples of such cases include the theft of a laptop 
containing unsecured personal health records; the theft of hard copies 
of such records; the unauthorized downloading or transfer of such 
records by an employee; and the electronic break-in and remote copying 
of such records by a hacker.
    In other cases, there may be unauthorized access to data, but it is 
unclear, without further investigation, whether the data also has been 
acquired. Unauthorized persons may have access to information if it is 
available to them. The term acquisition, however, suggests that the 
information is not only available to unauthorized persons, but in fact 
has been obtained by them.
    For example, if an entity's access log shows that an unauthorized 
employee obtained access to information by opening an online database 
of personal health records, there clearly has been access to the data, 
but it is not clear whether the data also has been acquired. Consider 
the following possible scenarios:
     (1) the employee viewed the records to find health information 
about a particular public figure and sold the information to a national 
gossip magazine;
     (2) the employee viewed the records to obtain information about 
his or her friends;
     (3) the employee inadvertently accessed the database, realized 
that it was not the one he or she intended to view, and logged off 
without reading, using, or disclosing anything.
    In scenario (3), the Commission believes that no acquisition has 
taken place; thus, breach notification is not required. Unauthorized 
acquisition has, however, occurred in scenarios (1) and (2).
    In the types of situations described above, where there has been 
unauthorized access to unsecured PHR identifiable health information, 
the Commission believes that the entity that experienced the breach is 
in the best position to determine whether unauthorized acquisition has 
taken place. Thus, the proposed rule creates a presumption that 
unauthorized persons have acquired information if they have access to 
it, thus creating the obligation to provide breach notification. This 
presumption can be rebutted with reliable evidence showing that the 
information was not or could not reasonably have been acquired. Such 
evidence can be obtained by, among other things, conducting appropriate 
interviews of employees, contractors, or other third parties; reviewing 
access

[[Page 17916]]

logs and sign-in sheets; and/or examining forensic evidence.
    For example, if an entity's employee loses a laptop containing 
unsecured health information in a public place, the information would 
be accessible to unauthorized persons, giving rise to a presumption 
that unauthorized acquisition has occurred. The entity can rebut this 
presumption by showing that the laptop was recovered, and that forensic 
analysis revealed that files were never opened, altered, transferred, 
or otherwise compromised.
    Accordingly, the Commission proposes to add a second sentence to 
the definition of breach of security as follows: ``Unauthorized 
acquisition will be presumed to include unauthorized access to 
unsecured PHR identifiable health information unless the vendor of 
personal health records, PHR related entity, or third party service 
provider that experienced the breach has reliable evidence showing that 
there has not been, or could not reasonably have been, any unauthorized 
acquisition of such information.''

Business Associate

    Proposed paragraph (b) defines ``business associate'' to mean a 
business associate under HIPAA, as defined in 45 CFR 160.103. That 
regulation, in relevant part, defines a business associate as an entity 
that (1) provides certain functions or activities on behalf of a HIPAA-
covered entity or (2) provides ``legal, actuarial, accounting, 
consulting, data aggregation, management, administrative, 
accreditation, or financial services to or for'' a HIPAA-covered 
entity.

HIPAA-Covered Entity

    Proposed paragraph (c) defines ``HIPAA-covered entity'' to mean a 
covered entity under HIPAA, as defined in 45 CFR 160.103. That 
regulation provides that a HIPAA-covered entity is a health care 
provider that conducts certain transactions in electronic form, a 
health care clearinghouse (which provides certain data processing 
services for health information), or a health plan.

Personal Health Record

    Proposed paragraph (d) defines a ``personal health record'' as an 
``electronic record of PHR identifiable health information on an 
individual that can be drawn from multiple sources and that is managed, 
shared, and controlled by or primarily for the individual.'' This 
language is substantively identical to the definition of personal 
health record in section 13400(11) of the Recovery Act.\6\
---------------------------------------------------------------------------

    \6\ Where this Notice characterizes an element of the proposed 
rule as ``substantively identical'' to a corresponding provision in 
the Recovery Act, the difference between the two texts is minor and 
not substantive, and the relevant text of both the rule and statute 
is intended to have the same meaning. For example, the Recovery 
Act's definition of ``personal health record'' states that it is an 
``electronic record of PHR identifiable health information (as 
defined in section 13407(f)(2)). . .'' The proposed rule definition 
drops the cross-reference, but is identical in all other respects. 
In other places, the rule may change a plural to a singular or vice 
versa; substitute terminology such as ``HIPAA-covered entity'' for 
``covered entity''; spell out a shorthand notation in the statute; 
or make similar non-substantive changes.
---------------------------------------------------------------------------

PHR Identifiable Health Information

    Proposed paragraph (e) defines ``PHR identifiable health 
information'' as ``individually identifiable health information, as 
defined in section 1171(6) of the Social Security Act (42 U.S.C. 
1320d(6)),\7\ and with respect to an individual, information (1) that 
is provided by or on behalf of the individual; and (2) that identifies 
the individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual.'' 
This definition is substantively identical to section 13407(f)(2) of 
the Recovery Act.
---------------------------------------------------------------------------

    \7\ This provision defines ``individually identifiable health 
information'' as information that ``(1) is created or received by a 
health care provider, health plan, employer, or health care 
clearinghouse; and (2) relates to the past, present, or future 
physical or mental health or condition of an individual, the 
provision of health care to an individual, or the past, present, or 
future payment for the provision of health care to an individual.''
---------------------------------------------------------------------------

    The Commission notes three points with respect to this definition. 
First, because the definition of ``PHR identifiable health 
information'' includes information that relates to the ``past, present, 
or future payment for the provision of health care to an individual,'' 
the proposed rule covers breaches of such information. Thus, for 
example, the proposed rule would cover a security breach of a database 
containing names and credit card information, even if no other 
information was included.
    Second, because the definition includes information that relates to 
``the health or condition'' of the individual, it would include the 
fact of having an account with a vendor of personal health records or 
related entity, where the products or services offered by such vendor 
or related entity relate to particular health conditions. For example, 
the theft of an unsecured customer list of a vendor of personal health 
records or related entity directed to AIDS patients or people with 
mental illness would require a breach notification, even if no specific 
health information is contained in that list.
    Third, if there is no reasonable basis to believe that information 
can be used to identify an individual, the information is not ``PHR 
identifiable health information,'' and a breach notification need not 
be provided. For example, if a breach involves information that has 
been ``de-identified'' under HHS rules implementing HIPAA, the 
Commission will deem that information to fall outside the scope of 
``PHR identifiable health information'' and therefore not covered by 
the proposed rule. The HHS rules specify two ways to de-identify 
information: (1) If there has been a formal determination by a 
qualified statistician that information has been de-identified; or (2) 
if specific identifiers about the individual, the individual's 
relatives, household members, and employers are removed, and the 
covered entity has no actual knowledge that the remaining information 
could be used to identify the individual.\8\ There may be additional 
instances where, even though the standard for de-identification under 
45 CFR 164.514(b) is not met, there is no reasonable basis to believe 
that information is individually identifiable. The Commission requests 
examples of such instances.
---------------------------------------------------------------------------

    \8\ 45 CFR 164.514(b); see also U.S. Department of Health and 
Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy 
Rule, (www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf).
---------------------------------------------------------------------------

PHR Related Entity

    Proposed paragraph (f) defines the term ``PHR related entity'' to 
cover the three types of entities set forth in clauses (ii), (iii), and 
(iv) of section 13424(b)(1)(A) of the Recovery Act.\9\ First, the 
definition includes entities that are not HIPAA-covered entities and 
that offer products or services through the website of a vendor of 
personal health records. This definition is substantively identical to 
the statutory language but also clarifies that HIPAA-covered entities 
are excluded. This clarification is consistent with the coverage of 
section 13424, which requires a study and report on the ``Application 
of Privacy and Security Requirements to Non-HIPAA Covered Entities.''
---------------------------------------------------------------------------

    \9\ At the outset, proposed paragraph (f) clarifies that the 
term excludes HIPAA-covered entities, as well as other entities to 
the extent that they engage in activities as a business associate of 
a HIPAA-covered entity.
---------------------------------------------------------------------------

    Examples of entities that could fall within this category include a 
web-based application that helps consumers manage medications; a 
website offering

[[Page 17917]]

an online personalized health checklist; and a brick-and-mortar company 
advertising dietary supplements online. Consumers interact with 
entities in this category by clicking on the appropriate link on the 
website of a vendor of personal health records.
    Second, PHR related entities include entities that are not HIPAA-
covered entities and that offer products or services through the 
websites of HIPAA-covered entities that offer individuals personal 
health records. This language is substantively identical to section 
13424(b)(1)(A)(iii) of the Recovery Act. This category differs from the 
first category in that it covers entities whose applications are 
offered through the websites of HIPAA-covered entities, as opposed to 
non-HIPAA covered entities. Entities may fall in both categories if 
they offer their applications through both HIPAA-covered websites and 
non-HIPAA covered websites.
    Third, PHR related entities include non-HIPAA covered entities 
``that access information in a personal health record or send 
information to a personal health record.'' This language is 
substantively identical to section 13424(b)(1)(A)(iv) of the Recovery 
Act. This category could include online applications through which 
individuals, for example, connect their blood pressure cuffs, blood 
glucose monitors, or other devices so that the results could be tracked 
through their personal health records. It could also include an online 
medication or weight tracking program that pulls information from a 
personal health record.

Third Party Service Provider

    Proposed paragraph (g) defines the term ``third party service 
provider'' as ``an entity that (1) provides services to a vendor of 
personal health records in connection with the offering or maintenance 
of a personal health record or to a PHR related entity in connection 
with a product or service offered by that entity, and (2) accesses, 
maintains, retains, modifies, records, stores, destroys, or otherwise 
holds, uses, or discloses unsecured PHR identifiable health information 
as a result of such services.'' Because the term third party service 
provider is not defined in the Recovery Act, the Commission based its 
proposed definition on the description of third party service providers 
in section 13407(b) of the Act. Third party service providers include, 
for example, entities that provide billing or data storage services to 
vendors of personal health records or PHR related entities.

Unsecured

    Proposed paragraph (h) defines the term ``unsecured'' as ``not 
protected through the use of a technology or methodology specified by 
the Secretary of Health and Human Services in the guidance issued under 
section 13402(h)(2) of the American Recovery and Reinvestment Act of 
2009.'' If such guidance is not issued by the date specified in such 
section (i.e., by 60 days after enactment of the Act and annually 
thereafter), the term unsecured means ``not secured by a technology 
standard that renders PHR identifiable information unusable, 
unreadable, or indecipherable to unauthorized individuals and that is 
developed or endorsed by a standards developing organization that is 
accredited by the American National Standards Institute.'' The proposed 
definition is substantively identical to the definition of ``unsecured 
PHR identifiable health information'' in the Recovery Act.

Vendor of Personal Health Records

    Proposed paragraph (i) defines the term ``vendor of personal health 
records'' to mean ``an entity, other than a HIPAA-covered entity or an 
entity to the extent that it engages in activities as a business 
associate of a HIPAA-covered entity, that offers or maintains a 
personal health record.'' This proposed definition is substantively 
identical to the statutory definition contained in section 13400(18) of 
the Recovery Act, but also clarifies that a vendor of personal health 
records does not include entities' activities as a business associate 
of a HIPAA-covered entity.

Proposed Section 318.3: Breach Notification Requirement

    Proposed paragraph 318.3(a) requires vendors of personal health 
records and PHR related entities, upon discovery of a breach of 
security, to notify U.S. citizens and residents whose information was 
acquired in the breach and to notify the FTC. This provision is 
substantively identical to section 13407(a) of the Recovery Act.
    Proposed paragraph 318.3(b) requires third party service providers 
to both vendors of personal health records and PHR related entities to 
provide notification to such vendors and entities following the 
discovery of a breach. The purpose of this requirement is to ensure 
that the vendor or entity receiving the breach notification is aware of 
the breach, so that it can in turn provide its customers with a breach 
notice. To further this purpose, proposed paragraph 318.3(b) requires 
that the third party service provider's notification shall include 
``the identification of each individual'' whose information ``has been, 
or is reasonably believed to have been acquired during such breach.''
    The proposed paragraph is substantively identical to section 
13407(b) of the Recovery Act,\10\ but adds language requiring entities 
to provide notice to a senior official of the vendor or PHR related 
entity and to obtain acknowledgment from such official that he or she 
has received the notice. The purpose of this requirement is to avoid 
the situation in which lower-level employees of two entities might have 
discussions about a breach that never reach senior management. It is 
also designed to avoid the problem of lost e-mails or voicemails.
---------------------------------------------------------------------------

    \10\ As noted above, although the Recovery Act does not define 
the term ``third party service provider,'' the proposed rule sets 
forth a definition based on the language in section 13407(b) 
describing such entities. Thus, it is not necessary to repeat the 
descriptive language in this section of the proposed rule.
    In addition, the proposed rule requires notification to 
individuals whose information was ``acquired,'' while the Recovery 
Act uses the terms ``accessed, acquired, or disclosed.'' This change 
is intended to harmonize the proposed rule with the other provisions 
of the Act making clear that the standard for FTC-regulated 
entities, including third party service providers, is ``acquired.'' 
Indeed, the statute requires third party service providers to notify 
individuals upon a ``breach of security,'' which is defined only as 
unauthorized acquisition.
---------------------------------------------------------------------------

    Finally, proposed section 318.3(c) provides that a breach ``shall 
be treated as discovered as of the first day on which such breach is 
known to a vendor of personal health records, PHR related entity, or 
third party service provider, respectively, (including any person, 
other than the individual committing the breach, that is an employee, 
officer, or other agent of such vendor of personal health records, PHR 
related entity, or third party service provider, respectively) or 
should reasonably have been known to such vendor of personal health 
records, PHR related entity, or third party service provider (or 
person) to have occurred.'' This proposed paragraph is substantively 
identical to section 13402(c) of the Recovery Act.\11\
---------------------------------------------------------------------------

    \11\ Section 13407(c) of the Recovery Act states that the 
standard for when breaches are discovered for HIPAA-covered entities 
also shall apply to FTC-regulated entities ``in a manner specified 
by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Regarding the ``reasonably should have been known'' standard, the 
Commission expects entities that collect and store unsecured PHR 
identifiable health information to maintain reasonable security 
measures, including breach detection measures, which should assist them 
in discovering breaches in a timely manner. If an entity fails to 
maintain such measures, and

[[Page 17918]]

thus fails to discover a breach, such failure could constitute a 
violation of the proposed rule because the entity ``reasonably'' should 
have known about the breach. The Commission recognizes, however, that 
certain breaches may be very difficult to detect, and that an entity 
with strong breach detection measures may nevertheless fail to discover 
a breach. In such circumstances, the failure to discover the breach 
would not constitute a violation of the proposed rule.\12\
---------------------------------------------------------------------------

    \12\ The Commission enforces a variety of laws requiring 
entities to provide reasonable and appropriate security for the data 
that they collect from consumers. See, e.g., Federal Trade 
Commission Act, 5 U.S.C. 45; Fair Credit Reporting Act, 15 U.S.C. 
1681-1681x; Gramm-Leach-Bliley Act, 15 U.S.C. 6801(b), and Standards 
for Safeguarding Customer Information, 16 CFR Part 314 (``Safeguards 
Rule''), available at (http://www.ftc.gov/os/2002/05/67fr36585.pdf.) 
The Commission has also disseminated educational materials 
encouraging companies to provide security for consumer data and 
providing guidance regarding practical ways to do so.
---------------------------------------------------------------------------

Proposed Section 318.4: Timeliness of Notification 13
---------------------------------------------------------------------------

    \13\ Section 13407(c) of the Recovery Act states that the 
requirements for timeliness of notification applicable to HIPAA-
covered entities also shall apply to FTC-regulated entities ``in a 
manner specified by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Proposed section 318.4(a) requires breach notifications to 
individuals and the media to be made ``without unreasonable delay'' and 
in no case later than 60 calendar days after discovery of the breach. 
This language is substantively identical to section 13402(d)(1) of the 
Recovery Act, except that the Commission has clarified that the timing 
requirement for notice to consumers is different from the requirement 
for notice to the FTC. Proposed section 318.4(b) states that vendors of 
personal health records, PHR related entities, and third party service 
providers have the burden of proving that they provided the appropriate 
breach notifications. Finally, proposed section 318.4(c) allows breach 
notification to be delayed upon appropriate request of a law 
enforcement official. The proposed burden of proof and law enforcement 
provisions are substantively identical to sections 13402(d)(2) and 
13402(g) of the Recovery Act.\14\
---------------------------------------------------------------------------

    \14\ Section 13402(d)(1) of the Recovery Act sets forth the 
standard for timeliness of notification, but notes that this 
standard is subject to the exception for law enforcement set forth 
in section 13402(g).
---------------------------------------------------------------------------

    The Commission notes that the standard for timely notification is 
``without unreasonable delay,'' with the 60-day period serving as an 
outer limit. Thus, in some cases, it may be an ``unreasonable delay'' 
to wait until the 60\th\ day to provide notification. For example, if a 
vendor of personal health records or PHR related entity learns of a 
breach, gathers all necessary information, and has systems in place to 
provide notification within 30 days, it would be unreasonable to wait 
until the 60\th\ day to send the notice. There may also be 
circumstances where a vendor of personal health records or PHR related 
entity discovers that its third party service provider has suffered a 
breach (e.g., through a customer or whistleblower) before the service 
provider notifies the vendor or entity that the breach has occurred. In 
such circumstances, the vendor or entity should treat this breach as 
``discovered'' for purposes of providing timely notification, and 
should not wait until receiving notice from the service provider to 
begin taking steps to address the breach.

Proposed Section 318.5: Methods of Notice 15
---------------------------------------------------------------------------

    \15\ Section 13407(c) of the Recovery Act states that the 
requirements for methods of breach notification applicable to HIPAA-
covered entities also shall apply to FTC-regulated entities ``in a 
manner specified by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Proposed section 318.5 addresses the methods of notice to 
individuals, the Commission, and the media in the event of a breach of 
security of unsecured PHR identifiable health information. The goal of 
this proposed section is to ensure prompt and effective notice.

Individual Notice

    Proposed paragraph (a) addresses notice to individuals. It contains 
four main requirements. First, proposed paragraph (a)(1) states that 
individuals must be given notice by first-class mail or, if the 
individual provides express affirmative consent, by e-mail. This 
language is identical to section 13402(e)(1)(A) of the Recovery Act, 
except that it interprets the statutory phrase ``specified as a 
preference by the individual'' to mean that the individual must provide 
``express affirmative consent'' to receive breach notices by e-mail. 
Entities may obtain such consent by asking individuals, when they 
create an account, whether they would prefer to receive important 
notices about privacy by first-class mail or e-mail.\16\
---------------------------------------------------------------------------

    \16\ The Commission does not regard pre-checked boxes or 
disclosures that are buried in a privacy policy or terms of service 
agreement to be sufficient to obtain consumers' ``express 
affirmative consent.''
---------------------------------------------------------------------------

    The Commission recognizes that the relationship between a vendor of 
personal health records or PHR related entity and the individual takes 
place online. Thus, e-mail notice may be particularly well-suited to 
the relationship. In addition, vendors of personal health records and 
PHR related entities may not want to collect mailing addresses from 
consumers, and consumers may not want to provide them. Under the 
proposed rule, these entities need not collect such mailing addresses, 
as long as they obtain consumers' express affirmative consent to 
receive notices by e-mail. The Commission recognizes that some e-mail 
notifications may be screened by consumers' spam filters and requests 
comment on how to address this issue.
    Second, as provided in section 13402(e)(1)(C) of the Recovery Act, 
proposed paragraph (a)(2) allows a vendor of personal health records or 
PHR related entity to provide notice by telephone or other appropriate 
means, in addition to the notice provided in paragraph (a)(1), if there 
is possible imminent misuse of unsecured PHR identifiable health 
information.
    Third, proposed paragraph (a)(3) states that if, after making 
reasonable efforts to contact an individual through his or her 
preferred method of communication, the vendor of personal health 
records or PHR related entity learns that such method is insufficient 
or out-of-date, the vendor or related entity shall attempt to provide 
the individual with a substitute form of actual notice, which may 
include written notice through the individual's less-preferred method, 
a telephone call, or other appropriate means. This provision gives 
effect to section 13402(e)(1)(B) of the Recovery Act, which requires a 
substitute form of notice in the case of insufficient or out-of-date 
contact information, but adds clarifying language requiring reasonable 
efforts to provide the preferred form of notice before substitute 
notice can be used. Examples of reasonable efforts include: (1) where 
e-mail is the consumer's preferred method, attempting to e-mail the 
notice and receiving a return message stating that the e-mail could not 
be delivered; (2) where first class mail is the consumer's preferred 
method, attempting to mail such notice and having it returned as 
undeliverable; (3) in the case of incomplete contact information, 
searching internal records and, if needed, undertaking additional 
reasonable efforts to obtain complete and accurate contact information 
from other sources. The proposed rule also adds language stating that 
methods of substitute notice may include written notice by the 
consumer's less preferred method or telephone.
    Finally, the proposed rule states that if ten or more individuals 
cannot be reached, the vendor of personal health records or PHR related 
entity must

[[Page 17919]]

provide substitute notice in one of two forms. First, it can provide 
notice through the home page of its website. Second, it can provide 
notice in major print or broadcast media. The language in the proposed 
rule is substantively identical to section 13402(e)(1)(B) of the 
Recovery Act, but adds certain clarifying language, as noted below.
    As to the first method of substitute notice, the Recovery Act 
states that the posting should appear for a period determined by the 
Commission and be ``conspicuous.'' The Commission believes that six 
months is an appropriate time period for posting of the notice and has 
so specified in the proposed rule. Requiring a six month posting will 
ensure that individuals who intermittently check their accounts obtain 
notice, without being unduly burdensome for businesses.
    To ensure conspicuousness, if an entity intends to use a hyperlink 
on the home page to convey the breach notice, the hyperlink should be 
(1) prominent so that it is noticeable to consumers, given the size, 
color and graphic treatment of the hyperlink in relation to other parts 
of the page; and (2) worded to convey the nature and importance of the 
information to which it leads. For example, ``click here'' would not be 
an appropriate hyperlink; a prominent ``click here for an important 
notice about a security breach that may affect you'' would be.\17\
---------------------------------------------------------------------------

    \17\ See ``Dot Com Disclosures: Information about Online 
Advertising,'' (http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus41.pdf).
---------------------------------------------------------------------------

    Regarding the requirement that the notice be posted on the home 
page, the Commission notes that individuals who already have accounts 
with vendors of personal health records may be directed to a first or 
``landing'' page that is different from the home page to which non-
account holders are directed. The Commission thus construes ``home 
page'' to include both the home page for new visitors and the landing 
page for existing account holders. In general, the Commission 
anticipates that, because PHRs generally involve an online 
relationship, web posting would be a particularly well-suited method of 
substitute notice to individuals.
    The alternative form of substitute notice described in this 
paragraph is media notice ``in major print or broadcast media, 
including major media in geographic areas where individuals affected by 
the breach likely reside, which shall be reasonably calculated to reach 
individuals affected by the breach.'' This language is substantively 
identical to section 13402(e)(1)(B) of the Recovery Act, but also adds 
a clause requiring that such notice ``be reasonably calculated to reach 
the individuals affected.'' Indeed, because this notice is intended to 
serve as a substitute for notice to particular individuals, it should 
be reasonably calculated to reach those individuals.
    The appropriate scope of substitute media notice will depend on 
several factors, including the number of individuals for whom no 
contact information can be obtained, the location of those individuals, 
and the reach of the particular media used. For example, if a vendor of 
personal health records experiences a breach in which a hacker obtains 
the health records of millions of individuals nationwide, and the 
vendor has no contact information for these individuals, the notice 
should run multiple times in national print publications and on 
national network and cable television. In contrast, if an online weight 
management application loses a customer list and can reach all but 20 
individuals in a particular city, it could run a more limited number of 
advertisements in appropriate local media.
    Further, a notice can only be ``reasonably calculated to reach the 
individuals affected'' if it is clear and conspicuous. Thus, the 
notices should be stated in plain language, be prominent, and run 
multiple times. The Commission requests further comment on the 
standards that should apply to substitute media notice.
    As set forth in section 13402(e)(1)(B) of the Recovery Act, the 
proposed rule also provides that notice under paragraph (3), whether on 
the home page of the website or by media notice, must include a toll-
free phone number where an individual can learn whether his or her 
unsecured PHR identifiable health information may be included in the 
breach. As to this requirement, the Commission notes that entities 
should have reasonable procedures in place to verify that they are 
providing the requested information only to the individual and not to 
an unauthorized person. For example, entities could provide the 
requested information pertaining to the consumer pursuant to the 
``preferred method'' designated in paragraph (a)(1).

Notice to Media

    Proposed paragraph (b) requires media notice ``to prominent media 
outlets serving a State or jurisdiction'' if there has been a breach of 
security of unsecured PHR identifiable health information of 500 or 
more residents of the state or jurisdiction.\18\ This media notice 
differs from the substitute media notice described in paragraph 318.5 
in that it is directed ``to'' the media and is intended to supplement, 
but not substitute for, individual notice. The proposed paragraph is 
substantively identical to section 13402(e)(2) of the Recovery Act, but 
adds a requirement that the notice include the information set forth in 
proposed section 318.6.
---------------------------------------------------------------------------

    \18\ Although section 13402(e)(2) of the Recovery Act requires 
notice to media for breaches involving ``more than 500'' residents, 
section 13402(e)(3) requires notice to the government for breaches 
with respect to ``500 or more'' individuals. For consistency, the 
proposed rule uses ``500 or more'' for both kinds of notice.
---------------------------------------------------------------------------

    This media notice should, at a minimum, include the dissemination 
of a press release to media outlets in the area(s) affected by the 
breach. For example, if a breach affects consumers from a particular 
state or locality, the press release could be sent to the relevant 
division or department (e.g., health, technology, or business) of a 
number of state or local print publications, network and cable new 
shows, and radio stations. The Commission requests further comment on 
the standards and criteria that should apply in determining the 
adequacy of media notice.

Notice to the Commission

    Proposed paragraph (c) addresses notice to the Commission. Under 
the proposed paragraph, vendors of personal health records and PHR 
related entities must provide notice to the Commission as soon as 
possible and in no case later than five business days if the breach 
involves the unsecured PHR identifiable health information of 500 or 
more individuals. If the breach involves the unsecured PHR identifiable 
health information of fewer than 500 individuals, vendors of personal 
health records and PHR related entities may, in lieu of immediate 
notice, maintain a breach log and submit such a log annually to the 
Commission. The proposed paragraph is substantively identical to 
section 13402(e)(3) of the Recovery Act, but clarifies the Act's 
requirements as follows.
    First, the paragraph interprets the term ``immediately'' to mean 
``as soon as possible, and in no case later than five business days.'' 
The Commission believes that this period of time satisfies the 
requirement for immediacy, while still being sufficient for the 
breached entity to learn enough about the breach to provide meaningful 
notice to the Commission.\19\
---------------------------------------------------------------------------

    \19\ The Commission recognizes that the breached entity may not 
learn all relevant information about the breach within five business 
days, such as number of consumers affected or extent of the 
information breached. Nonetheless, the entity should tell the 
Commission all that it knows and should provide additional 
information as it becomes available.

---------------------------------------------------------------------------

[[Page 17920]]

    Second, the paragraph states that the ``annual log'' to be 
submitted to the Commission for breaches involving fewer than 500 
individuals shall be due one year from the date of the entity's first 
breach.\20\ The Commission believes that specifying a date for 
submitting the log will assist entities in complying with the proposed 
rule.
---------------------------------------------------------------------------

    \20\ No annual log needs to be provided for years in which no 
breaches occur.
---------------------------------------------------------------------------

    Third, the paragraph references a form that the Commission plans to 
develop, to be posted on the Commission's website, www.ftc.gov, and to 
be used by entities to provide both the immediate and the annual 
required notice to the Commission under the proposed rule.\21\ Among 
other things, the form will request information similar to that 
required to be included in a notice to individuals under section 318.6.
---------------------------------------------------------------------------

    \21\ The Commission also will provide notice of breaches to the 
Secretary of HHS, as required by section 13407(d) of the Recovery 
Act.
---------------------------------------------------------------------------

Proposed Section 318.6: Content of Notice 22
---------------------------------------------------------------------------

    \22\ Section 13407(c) of the Recovery Act states that the 
requirements for contents of breach notification applicable to 
HIPAA-covered entities also shall apply to FTC-regulated entities 
``in a manner specified by the Federal Trade Commission.''
---------------------------------------------------------------------------

    Proposed section 318.6 addresses the content of the notice to 
individuals. It requires that the notice include a description of how 
the breach occurred; a description of the types of unsecured PHR 
identifiable health information that were involved in the breach; the 
steps individuals should take to protect themselves from potential 
harm; a description of what the vendor of personal health records or 
PHR related entity involved is doing to investigate the breach, to 
mitigate any losses, and to protect against any further breaches; and 
contact procedures for individuals to ask questions or learn additional 
information. The language in the proposed rule is substantively 
identical to the language of section 13402(f) of the Recovery Act. The 
Commission notes two points with respect to this section.
    First, to ensure that notices do not raise concerns about phishing, 
those sending notices should not include any requests for personal or 
financial information.\23\
---------------------------------------------------------------------------

    \23\ Phishing is the act of sending an electronic message under 
false pretenses to induce unsuspecting victims to reveal personal 
and financial information.
---------------------------------------------------------------------------

    Second, the proposed rule requires that the notice identify steps 
individuals should take to protect themselves from potential harm. The 
Commission recognizes that these steps will differ depending on the 
circumstances of the breach and the type of PHR identifiable health 
information involved. In some instances--for example, if health 
insurance account information is compromised--there is a possibility 
that data will be misused. In such cases, the entity could suggest 
steps including, but not limited to, requesting and reviewing copies of 
medical files for potential errors; monitoring explanation of benefit 
forms for potential errors; contacting insurers to notify them of 
possible medical identity theft; following up with providers if medical 
bills do not arrive on time to ensure that an identity thief has not 
changed the billing address; and, in appropriate cases, trying to 
change health insurance account numbers.
    If the breach also involves Social Security numbers, the entity 
should suggest additional steps such as placing a fraud alert on credit 
reports; obtaining and reviewing copies of credit reports for signs of 
identity theft; calling the local police or sheriff's office in the 
event suspicious activity is detected; and if appropriate, obtaining a 
credit freeze.\24\ In the case of a breach involving financial account 
numbers, the entity also should direct consumers to monitor their 
accounts for suspicious activity and contact their financial 
institution about closing any compromised accounts. In appropriate 
cases, the entity also could refer consumers to the FTC's identity 
theft website, www.ftc.gov/idtheft.
---------------------------------------------------------------------------

    \24\ In general, once a consumer initiates a credit freeze with 
a consumer reporting agency, the freeze prevents the agency from 
releasing a credit report about that consumer unless the consumer 
removes the freeze.
---------------------------------------------------------------------------

    In other instances, the likely harm will be personal embarrassment. 
In such cases, any steps that an individual may choose to take will 
likely be personal to that individual, and the entity may not be in a 
position to advise the consumer.

Proposed Sections 318.7, 318.8, and 318.9

    Proposed sections 318.7, 318.8, and 318.9 are substantively 
identical to the statutory provisions on enforcement, effective date, 
and sunset. Proposed section 318.9 clarifies that the sunsetting of the 
rule is triggered when Congress enacts new legislation affecting 
entities subject to the FTC rule.

III. Communications by Outside Parties to Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding from any 
outside party to any Commissioner or Commissioner's advisor will be 
placed on the public record. See 16 CFR 1.26(b)(5).

IV. Paperwork Reduction Act

    The Commission is submitting this proposed rule and a Supporting 
Statement to the Office of Management and Budget for review under the 
Paperwork Reduction Act (``PRA'') (44 U.S.C. 3501-3521). The breach 
notification requirements discussed above constitute ``collections of 
information'' for purposes of the PRA. See 5 CFR 1320.3(c). 
Accordingly, staff has estimated the paperwork burden for these 
requirements as set forth below.
    In the event of a data breach, the proposed rule would require 
covered firms to investigate and, if certain conditions are met, notify 
consumers and the Commission. The paperwork burden of these 
requirements will depend on a variety of factors, including the number 
of covered firms; the percentage of such firms that will experience a 
breach requiring further investigation and, if necessary, the sending 
of breach notices; and the number of consumers notified.
    Based on input from industry sources, staff estimates that 
approximately 200 vendors of personal health records and 500 PHR 
related entities will be covered by the Commission's proposed rule. 
Thus, a total of 700 entities may be required to notify consumers and 
the Commission in the event that they experience a breach. 
Approximately 200 third party service providers also will be subject to 
the rule, and thus required to notify vendors of personal health 
records or PHR related entities in the event of a breach. Thus, a total 
of approximately 900 entities will be subject to the proposed rule's 
breach notification requirements.
    Staff estimates that these entities, cumulatively, will experience 
11 breaches per year for which notification may be required. Because 
there is insufficient data at this time about the number and incidence 
of breaches in the PHR industry, staff used available data relating to 
breaches incurred by private sector businesses in order to calculate a 
breach incidence rate. Staff then applied this rate to the estimated 
total number of entities that will be subject to the proposed rule. 
According to one recent research paper, private sector businesses 
across multiple industries experienced a total of approximately 50 
breaches per year

[[Page 17921]]

during the years 2002 through 2007.\25\ Dividing 50 breaches by the 
estimated number of firms that would be subject to a breach (4,187) 
\26\ yields an estimated breach incidence rate of 1.2% per year. 
Applying this incidence rate to the estimated 900 vendors of personal 
health records, PHR related entities, and third party service providers 
yields an estimate of 11 breaches per year that may require 
notification of consumers and the Commission.
---------------------------------------------------------------------------

    \25\ Sasha Romanosky, Rahul Telang & Alessandro Acquisti, ``Do 
Data Breach Disclosure Laws Reduce Identity Theft?'' Seventh 
Workshop on the Economics of Information Security, June 2008. The 
authors tallied the breaches reported to the website Attrition.org 
during the time period 2002 to 2007 and counted a total of 773 
breaches for a range of entities, including businesses, governments, 
health providers, and educational institutions. Staff used the 
volume of breaches reported for businesses (246 over a 5 year 
period, or approximately 50 per year) because that class of data is 
most compatible with other data staff used to calculate the 
incidence of breaches.
    \26\ Staff focused on firms that routinely collect information 
on a sizeable number of consumers, thereby rendering them attractive 
targets for data thieves. To do so, staff focused first on retail 
businesses and eliminated retailers with annual revenue under 
$1,000,000. The 2002 Economic Census reports that, in that year, 
there were 418,713 retailers with revenue of $1,000,000 or more. To 
apply 50 breaches to such a large population, however, would yield a 
very small incidence rate. In an abundance of caution, to estimate 
more conservatively the incidence of breach, staff then assumed that 
only one percent of these firms had security vulnerabilities that 
would render them breach targets, thus yielding the total of 4,187.
---------------------------------------------------------------------------

    To determine the annual paperwork burden, staff has developed 
estimates for three categories of potential costs: (1) The costs of 
determining what information has been breached, identifying the 
affected customers, preparing the breach notice, and making the 
required report to the Commission; (2) the cost of notifying consumers; 
and (3) the cost of setting up a toll-free number, if needed.
    First, in order to determine what information has been breached, 
identify the affected customers, prepare the breach notice, and make 
the required report to the Commission, staff estimates that covered 
firms will require per breach, on average, 100 hours of employee labor 
at a cost of $4,652,\27\ and the services of a forensic expert at an 
estimated cost of $2,930.\28\ Thus, the cost estimate for each breach 
will be $7,582. This estimate does not include the cost of equipment or 
other tangible assets of the breached firms, because they likely will 
use the equipment and other assets they have for ordinary business 
purposes. Based on the estimate that there will be 11 breaches per 
year, the annual cost burden for affected entities to perform these 
tasks will be $83,402 (11 breaches x $7,582 each).
---------------------------------------------------------------------------

    \27\ Hourly wages throughout this notice are based on http://www.bls.gov/ncs/ncswage2007.htm (National Compensation Survey: 
Occupational Earnings in the United States 2007, U.S. Department of 
Labor released August 2008, Bulletin 2704, Table 3 (``Full-time 
civilian workers,'' mean and median hourly wages).
    The breakdown of labor hours and costs is as follows: 50 hours 
of computer and information systems managerial time at $52.56 per 
hour; 12 hours of marketing managerial time at $53.00 per hour; 33 
hours of computer programmer time at $33.77 per hour; and 5 hours of 
legal staff time at 54.69 per hour.
    \28\ Staff estimates that breached entities will use 30 hours of 
a forensic expert's time. Staff applied the wages of a network 
systems and data communications analyst ($32.56), tripled it to 
reflect profits and overhead for an outside consultant ($97.68), and 
multiplied it by 30 hours to yield $2,930.
---------------------------------------------------------------------------

    Second, the cost of breach notifications will depend on the number 
of consumers contacted. Based on a recent survey, 11.6 percent of 
adults reported receiving a breach notification during a one-year 
period.\29\ Staff estimates that for the prospective 3-year PRA 
clearance, the average customer base of all vendors of personal health 
records and PHR related entities will be approximately two million per 
year. Accordingly, staff estimates that an average of 232,000 consumers 
per year will receive a breach notification.
---------------------------------------------------------------------------

    \29\ Ponemon Institute, ``National Survey on Data Security 
Breach Notification,'' 2005. Staff believes that this estimate is 
likely high given the importance of data security to the PHR 
industry and the likelihood that data encryption will be a strong 
selling point to consumers.
---------------------------------------------------------------------------

    Given the online relationship between consumers and vendors of 
personal health records and PHR related entities, most notifications 
will be made by email and the cost of such notifications will be de 
minimis.\30\
---------------------------------------------------------------------------

    \30\ See National Do Not Email Registry, A Report to Congress, 
June 2004 n.93, available at www.ftc.gov/reports/dneregistry/report.pdf.
---------------------------------------------------------------------------

    In some cases, however, vendors of personal health records and PHR 
related entities will need to notify individuals by postal mail, either 
because these individuals have asked for such notification, or because 
the email addresses of these individuals are not current or not 
working. Staff estimates that the cost of notifying an individual by 
postal mail is approximately $2.30 per letter.\31\ Assuming that 
vendors of personal health records and PHR related entities will need 
to notify by postal mail 10 percent of their customers whose 
information is breached, the estimated cost of this notification will 
be $53,360 per year.
---------------------------------------------------------------------------

    \31\ Robin Sidel and Mitchell Pacelle, ``Credit-Card Breach 
Tests Banking Industry's Defenses,'' Wall Street Journal, June 21, 
2005, p.C1. Sidel and Pacelle reported that industry sources 
estimated the cost per letter to be about $2.00 in 2005. Allowing 
for inflation, staff estimates the cost to average about $2.30 per 
letter over the next three years of prospective PRA clearance sought 
from OMB.
---------------------------------------------------------------------------

    In addition, vendors of personal health records and PHR related 
entities sometimes may need to notify consumers by posting a message on 
their home page, or by providing media notice. Based on a recent study 
on data breach costs, staff estimates the cost of providing notice via 
website posting to be 6 cents per breached record, and the cost of 
providing notice via published media to be 3 cents per breached 
record.\32\ Applied to the above-stated estimate of 232,000 consumers 
per year receiving breach notification, the estimated total annual cost 
of website notice will be $13,920, and the estimated total annual cost 
of media notice will be $6,960, yielding an estimated total annual cost 
for all forms of notice to consumers of $74,240.
---------------------------------------------------------------------------

    \32\ Ponemon Institute, 2006 Annual Study: Cost of a Data 
Breach, Understanding Financial Impact, Customer Turnover, and 
Preventative Solutions, Table 2.
---------------------------------------------------------------------------

    Finally, the cost of a toll-free number will depend on the cost 
associated with T1 lines sufficient to handle the projected call 
volume, the cost of obtaining a toll-free telephone number and queue 
messaging (a service that provides rudimentary call routing), the cost 
of processing each call, and the telecommunication charges associated 
with each call. Because the proposed rule may require entities to 
notify consumers by posting a message on their homepage for a period of 
six months, staff estimated the cost of a toll-free line for a six-
month period. Based on industry research, staff projects that in order 
to accommodate a sufficient number of incoming calls for that period, 
affected entities may need two T1 lines at a cost of $18,000.\33\ Staff 
further estimates that the cost of obtaining a dedicated toll-free line 
and queue messaging will be $3,017,\34\ and that processing an 
estimated 5,000 calls for the first month per breach will require an 
average of 1,917 hours of employee labor at a cost of $27,468.\35\ 
Staff estimates that affected entities will need to offer the toll-free 
number for an additional five months, during which time staff projects 
that entities will

[[Page 17922]]

receive an additional 5,000 calls per breach,\36\ yielding an estimated 
total processing cost of $54,936. In addition, according to industry 
research, the telecommunication charges associated with the toll-free 
line will be approximately $2,500.\37\ Adding these costs together, 
staff estimates that the cost per breach for the toll-free line will be 
$78,453. Based on the above rate of 11 breaches per year, the annual 
cost burden for affected entities will be $862,983 (11 x $78,453).
---------------------------------------------------------------------------

    \33\ According to industry research, the cost of a single T1 
line is $1,500 per month.
    \34\ Staff estimates that installation of a toll-free number and 
queue messaging will require 40 hours of a technician's time. Staff 
applied the wages of a telecommunications technician ($25.14), 
tripled it to reflect profits and overhead of a telecommunications 
firm ($75.42), and multiplied it by 40 hours to yield $3,017.
    \35\ The breakdown of labor hours and costs is as follows: 667 
hours of telephone operator time (8 minutes per call x 5,000 calls) 
at $14.87 per hour and 1,250 hours of information processor time (15 
minutes per call x 5,000 calls) at $14.04 per hour.
    \36\ Staff anticipates that the greatest influx of calls will be 
in the first month, and that it will be equivalent to the volume of 
calls over the remaining five months.
    \37\ Staff estimates a cost per call of 25[cent] (5[cent] per 
minute/per call x 5 minutes per call). Assuming 10,000 calls for 
each breach, the total estimated telecommunications charges are 
$2,500.
---------------------------------------------------------------------------

    In sum, the estimated annual cost burden associated with the breach 
notification requirements is $1,020,625: $83,402 (costs associated with 
investigating breaches, drafting notifications of breaches, and 
notifying the Commission) + $74,240 (costs associated with notifying 
consumers) + $862,983 (costs associated with establishing toll-free 
numbers). Staff notes that this estimate likely overstates the costs 
imposed by the proposed rule because: (1) it assumes that all breaches 
will require notification, whereas many breaches (e.g., those involving 
data that is ``not unsecured'') will not require notification; (2) it 
assumes that all covered entities will be required to take all of the 
steps required above; and (3) staff made conservative assumptions in 
developing many of the underlying estimates.
    The Commission invites comments on: (1) whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the FTC, including whether the information will have 
practical utility; (2) the accuracy of the FTC's estimate of the burden 
of the proposed collection of information; (3) ways to enhance the 
quality, utility, and clarity of the information to be collected; and 
(4) ways to minimize the burden of collecting information on those who 
respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submission of responses.

V. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), 5 U.S.C. 604(a), requires an 
agency either to provide an Initial Regulatory Flexibility Analysis 
with a proposed rule, or certify that the proposed rule will not have a 
significant economic impact on a substantial number of small entities. 
The FTC does not expect that this rule, if adopted, would have a 
significant economic impact on a substantial number of small entities. 
First, most of the burdens flow from the mandates of the Act, not from 
the specific provisions of the proposed rule. Second, the rule will 
apply to entities that, in many instances, already have obligations to 
provide notification of data breaches under certain state laws covering 
medical breaches. Third, once a notice is created, the costs of sending 
it should be minimal because the Commission anticipates that most 
consumers will elect to receive notification by e-mail. Nevertheless, 
to obtain more information about the impact of the proposed rule on 
small entities, the Commission has decided to publish the following 
initial regulatory flexibility analysis pursuant to the Regulatory 
Flexibility Act, 5 U.S.C. 601-612, as amended, and request public 
comment on the impact on small businesses of its proposed rule.
A. Description of the Reasons That Action by the Agency Is Being 
Considered
    Section 13407 of the American Recovery and Reinvestment Act 
requires the Commission to promulgate this rule not later than six 
months after the date of enactment of the Act, or August 18, 2009.
B. Statement of the Objectives of, and Legal Basis for, the Proposed 
Rule
    To implement the requirement that certain entities that handle 
health information provide notice to individuals whose individually 
identifiable health information has been breached. The legal basis for 
the proposed rule is Section 13407 of the American Recovery and 
Reinvestment Act.
C. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rule Will Apply
    The proposed rule will apply to vendors of personal health records, 
PHR related entities, and third party service providers. As discussed 
in the section on Paperwork Reduction Act above, FTC staff estimates 
that the proposed rule will apply to approximately 900 entities. 
Determining a precise estimate of which of these entities are small 
entities, or describing those entities further, is not readily 
feasible. The Commission invites comment and information on this issue.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
    The Recovery Act and proposed rule impose certain reporting 
requirements within the meaning of the Paperwork Reduction Act. The 
Commission is seeking clearance from the Office of Management & Budget 
(OMB) for these requirements, and the Commission's Supporting Statement 
submitted as part of that process is being made available on the public 
record of this rulemaking.
    Specifically, the Act and proposed rule require vendors of personal 
health records and PHR related entities to provide notice to consumers 
and the Commission in the event of a breach of unsecured PHR 
identifiable health information. The Act and proposed rule also require 
third party service providers to provide notice to vendors of personal 
health records and PHR related entities in the event of such a breach.
    If a breach occurs, each entity covered by Act and proposed rule 
will expend costs to determine the extent of the breach and the 
individuals affected. If the entity is a vendor of personal health 
records or PHR related entity, additional costs will include the costs 
of preparing a breach notice, notifying the Commission, compiling a 
list of consumers to whom a breach notice must be sent, and sending a 
breach notice. Such entities may incur additional costs in locating 
consumers who cannot be reached, and in certain cases, posting a breach 
notice on a website, notifying consumers through media advertisements, 
or sending breach notices through press releases to media outlets.
    In-house costs may include technical costs to determine the extent 
of breaches; investigative costs of conducting interviews and gathering 
information; administrative costs of compiling address lists; 
professional/legal costs of drafting the notice; and potentially, costs 
for postage, web posting, and/or advertising. Costs may also include 
the purchase of services of a forensic expert.
    As noted in the Paperwork Reduction Act analysis above, the 
estimated annual cost burden for all entities subject to the proposed 
rule will be approximately $1,020,625. The Commission seeks further 
comment on the costs and burdens of small entities in complying with 
the requirements of the proposed rule.
E. Other Duplicative, Overlapping, or Conflicting Federal Rules
    The FTC has not identified any other federal statutes, rules, or 
policies

[[Page 17923]]

currently in effect that would conflict with the proposed rule. As 
noted above, there is a potential for overlap with forthcoming HHS 
rules governing breach notification for HIPAA-covered entities. The 
Commission is consulting with HHS on this potential overlap. The 
Commission invites comment and information on this overlap, along with 
any other potentially duplicative, overlapping, or conflicting federal 
statutes, rules, or policies.
F. Description of Any Significant Alternatives to the Proposed Rule
    In drafting the proposed rule, the Commission has made every effort 
to avoid unduly burdensome requirements for entities. In particular, 
the Commission believes that the alternative of providing notice to 
consumers electronically will assist small entities by significantly 
reducing the costs of sending breach notices.
    The Commission is not aware of alternative methods of compliance 
that will reduce the impact of the proposed rule on small entities, 
while also comporting with the Recovery Act. The statutory requirements 
are specific as to the timing, method, and content of notice, as well 
as the effective date of the final rule that results from this Notice 
of Proposed Rulemaking. Accordingly, the Commission seeks comment and 
information on ways in which the rule could be modified to reduce any 
costs or burdens for small entities consistent with the Recovery Act's 
mandated requirements.

VI. Proposed Rule

List of Subjects in 16 CFR Part 318

    Consumer protection, Data protection, Health records, Privacy, 
Trade practices.

    Accordingly, for the reasons set forth in the preamble, the 
Commission proposes to add a new Part 318 of title 16 to the Code of 
Federal Regulations to read as follows:

PART 318--HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Method of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Effective date.
318.9 Sunset.

    Authority: Pub. L. 111-5.


Sec.  318.1  Purpose and scope.

    This part, which shall be called the ``Health Breach Notification 
Rule,'' implements Section 13407 of the American Recovery and 
Reinvestment Act of 2009. It applies to vendors of personal health 
records, PHR related entities, and third party service providers. It 
does not apply to HIPAA-covered entities, or to any other entity to the 
extent that it engages in activities as a business associate of a 
HIPAA-covered entity.


Sec.  318.2  Definitions.

    (a) Breach of security means, with respect to unsecured PHR 
identifiable health information of an individual in a personal health 
record, acquisition of such information without the authorization of 
the individual. Unauthorized acquisition will be presumed to include 
unauthorized access to unsecured PHR identifiable health information 
unless the vendor of personal health records, PHR related entity, or 
third party service provider that experienced the breach has reliable 
evidence showing that there has not been, or could not reasonably have 
been, any unauthorized acquisition of such information.
    (b) Business associate means a business associate under the Health 
Insurance Portability and Accountability Act, Pub. L. 104-191, 110 
Stat. 1936, as defined in 45 CFR 160.103.
    (c) HIPAA-covered entity means a covered entity under the Health 
Insurance Portability and Accountability Act, Pub. L. 104-191, 110 
Stat. 1936, as defined in 45 CFR 160.103.
    (d) Personal health record means an electronic record of PHR 
identifiable health information on an individual that can be drawn from 
multiple sources and that is managed, shared, and controlled by or 
primarily for the individual.
    (e) PHR identifiable health information means ``individually 
identifiable health information,'' as defined in section 1171(6) of the 
Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an 
individual, information:
    (1) That is provided by or on behalf of the individual; and
    (2) That identifies the individual or with respect to which there 
is a reasonable basis to believe that the information can be used to 
identify the individual.
    (f) PHR related entity means an entity, other than a HIPAA-covered 
entity or an entity to the extent that it engages in activities as a 
business associate of a HIPAA-covered entity, that:
    (1) Offers products or services through the website of a vendor of 
personal health records;
    (2) Offers products or services through the websites of HIPAA-
covered entities that offer individuals personal health records; or
    (3) Accesses information in a personal health record or sends 
information to a personal health record.
    (g) Third party service provider means an entity that:
    (1) Provides services to a vendor of personal health records in 
connection with the offering or maintenance of a personal health record 
or to a PHR related entity in connection with a product or service 
offered by that entity; and
    (2) Accesses, maintains, retains, modifies, records, stores, 
destroys, or otherwise holds, uses, or discloses unsecured PHR 
identifiable health information as a result of such services.
    (h) Unsecured means PHR identifiable information that is not 
protected through the use of a technology or methodology specified by 
the Secretary of Health and Human Services in the guidance issued under 
section 13402(h)(2) of the American Reinvestment and Recovery Act of 
2009. If such guidance is not issued by the date specified in section 
13402(h)(2), the term ``unsecured'' shall mean not secured by a 
technology standard that renders PHR identifiable health information 
unusable, unreadable, or indecipherable to unauthorized individuals and 
that is developed or endorsed by a standards developing organization 
that is accredited by the American National Standards Institute.
    (i) Vendor of personal health records means an entity, other than a 
HIPAA-covered entity or an entity to the extent that it engages in 
activities as a business associate of a HIPAA-covered entity, that 
offers or maintains a personal health record.


Sec.  318.3  Breach notification requirement.

    (a) In general. In accordance with Sec. Sec.  318.4, 318.5, and 
318.6, each vendor of personal health records, following the discovery 
of a breach of security of unsecured PHR identifiable health 
information that is in a personal health record maintained or offered 
by such vendor, and each PHR related entity, following the discovery of 
a breach of security of such information that is obtained through a 
product or service provided by such entity, shall--
    (1) Notify each individual who is a citizen or resident of the 
United States whose unsecured PHR identifiable health information was 
acquired by an unauthorized person as a result of such breach of 
security; and
    (2) Notify the Federal Trade Commission.

[[Page 17924]]

    (b) Third party service providers. A third party service provider 
shall, following the discovery of a breach of security, provide notice 
of the breach to a senior official at the vendor of personal health 
records or PHR related entity to which it provides services, and obtain 
acknowledgment from such official that such notice was received. Such 
notification shall include the identification of each individual whose 
unsecured PHR identifiable health information has been, or is 
reasonably believed to have been, acquired during such breach.
    (c) Breaches treated as discovered. A breach of security shall be 
treated as discovered as of the first day on which such breach is known 
to a vendor of personal health records, PHR related entity, or third 
party service provider, respectively, (including any person, other than 
the individual committing the breach, that is an employee, officer, or 
other agent of such vendor of personal health records, PHR related 
entity, or third party service provider, respectively) or should 
reasonably have been known to such vendor of personal health records, 
PHR related entity, or third party service provider (or person) to have 
occurred.


Sec.  318.4  Timeliness of notification.

    (a) In general. Except as provided in paragraph (c) of this section 
and Sec.  318.5(c), all notifications required under Sec. Sec.  
318.3(a) and 318.3(b) shall be made without unreasonable delay and in 
no case later than 60 calendar days after the discovery of a breach of 
security.
    (b) Burden of proof. The vendor of personal health records, PHR 
related entity, and third party service provider involved shall have 
the burden of demonstrating that all notifications were made as 
required under this part, including evidence demonstrating the 
necessity of any delay.
    (c) Law enforcement exception. If a law enforcement official 
determines that a notification, notice, or posting required under this 
part would impede a criminal investigation or cause damage to national 
security, such notification, notice, or posting shall be delayed. This 
paragraph shall be implemented in the same manner as provided under 
Sec.  164.528(a)(2) of title 45, Code of Federal Regulations, in the 
case of a disclosure covered under such section.


Sec.  318.5  Method of notice.

    (a) Individual notice. A vendor of personal health records or PHR 
related entity that experiences a breach of security shall provide 
notice of such breach to an individual promptly, as described in Sec.  
318.4, and in the following form:
    (1) Written notice by first-class mail to the individual (or the 
next of kin of the individual if the individual is deceased) at the 
last known address of the individual or the next of kin, respectively, 
or, if the individual provides express affirmative consent, by 
electronic mail. The notice may be provided in one or more mailings as 
information is available.
    (2) In any case deemed by the vendor of personal health records or 
PHR related entity to require urgency because of possible imminent 
misuse of unsecured PHR identifiable health information, that entity 
may provide information to individuals by telephone or other means, as 
appropriate, in addition to notice provided under paragraph (a)(1) of 
this section.
    (3) If, after making reasonable efforts to contact the individual 
through his or her preferred form of communication under paragraph 
(a)(1) of this section, the vendor of personal health records or PHR 
related entity finds that such preferred form of communication is 
insufficient or out-of-date, the vendor of personal health records or 
PHR related entity shall attempt to provide the individual with a 
substitute form of actual notice, which may include written notice by 
the consumer's less preferred method or telephone.
    (4)(i) If ten or more individuals cannot be reached by the methods 
specified in paragraphs (a)(1)through (3) of this section, the vendor 
of personal health records or PHR related entity involved shall provide 
notice:
    (A) Through a conspicuous posting for a period of six months on the 
home page of its website; or
    (B) In major print or broadcast media, including major media in 
geographic areas where the individuals affected by the breach likely 
reside, which shall be reasonably calculated to reach the individuals 
affected by the breach.
    (ii) Such a notice in media or web posting shall include a toll-
free phone number where an individual can learn whether or not the 
individual's unsecured PHR identifiable health information may be 
included in the breach.
    (b) Notice to media. A vendor of personal health records or PHR 
related entity shall provide notice to prominent media outlets serving 
a State or jurisdiction, following the discovery of a breach of 
security, if the unsecured PHR identifiable health information of 500 
or more residents of such State or jurisdiction is, or is reasonably 
believed to have been, acquired during such breach. Such notice shall 
include, at a minimum, the information contained in Sec.  318.6.
    (c) Notice to FTC. Vendors of personal health records and PHR 
related entities shall provide notice to the Federal Trade Commission 
following the discovery of a breach of security. If the breach involves 
the unsecured PHR identifiable health information of 500 or more 
individuals, then such notice shall be provided as soon as possible and 
in no case later than five business days following the date of 
discovery of the breach. If the breach involved the unsecured PHR 
identifiable health information of fewer than 500 individuals, the 
vendor of personal health records or PHR related entity may maintain a 
log of any such breach occurring over the ensuing twelve months and 
submit the log to the Federal Trade Commission documenting breaches 
from the preceding year. All notices pursuant to this paragraph shall 
be provided according to instructions at the Federal Trade Commission's 
website.


Sec.  318.6  Content of notice.

    Regardless of the method by which notice is provided to individuals 
under section 318.5, notice of a breach of security shall include, to 
the extent possible, the following:
    (a) A brief description of how the breach occurred, including the 
date of the breach and the date of the discovery of the breach, if 
known;
    (b) A description of the types of unsecured PHR identifiable health 
information that were involved in the breach (such as full name, Social 
Security number, date of birth, home address, account number, or 
disability code);
    (c) Steps individuals should take to protect themselves from 
potential harm resulting from the breach;
    (d) A brief description of what the entity that suffered the breach 
is doing to investigate the breach, to mitigate losses, and to protect 
against any further breaches; and
    (e) Contact procedures for individuals to ask questions or learn 
additional information, which shall include a toll-free telephone 
number, an e-mail address, website, or postal address.


Sec.  318.7  Enforcement.

    A violation of Sec.  318.3 of this part shall be treated as an 
unfair or deceptive act or practice in violation of a regulation under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

[[Page 17925]]

Sec.  318.8  Effective date.

    This part shall apply to breaches of security that are discovered 
on or after September 18, 2009.


Sec.  318.9  Sunset.

    If new legislation is enacted establishing requirements for 
notification in the case of a breach of security that apply to entities 
covered by this part, the provisions of this part shall not apply to 
breaches of security discovered on or after the effective date of 
regulations implementing such legislation.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E9-8882 Filed 4-17-09: 8:45 am]
[BILLING CODE 6750-01-S