iGuard.org appreciates that the FTC issued this proposed Health Breach Notification Rule for comment.
iGuard.org provides registered members with timely, personalized drug safety ratings and alerts only by electronic mail. Accordingly, for this purpose, iGuard.org does not collect name, address and other directly identifiable data from the registrants. In addition to collection of minimal information from registrants, other measures that iGuard.org has implemented to ensure privacy protection include encryption for all identifying information, offline (decoupled) storage of indirect identifiers, staff access only to de-identified data, and an automated e-mail distribution system driven by selection of de-identified data.
As per the proposed rule, iGuard.org may be expected to contact all the current registrants, now over 1 million, asking them (1) whether we can send them an e-mail if there is a breach of information security or (2) whether they wish notification by first class mail. Many registrants simply may ignore the e-mail. Others may choose to be notified by first class mail, in which case they would have to provide their name and address to iGuard.org. This proposed rule is contrary to the Proportionality Principle and would pose a new and greater risk to the consumers’ personal data and increase the liability for iGuard.org.
We note that the currently accepted best practice standard for breach reporting is that the entity “knows or should have known” that a breach has compromised the security or privacy of information. Instead, the proposed rule places the burden of proof on the entity to show that unauthorized access could not have resulted in acquisition. If a third party provider or related entity accesses or uses only indirectly identifiable health information, the “identification” of individuals for “breach” notification may be practically impossible. Indeed, such a re-identification process, undertaken solely for the purpose of sending breach notices, would be costly and burdensome and disproportionate to the risk.
The proposed rule requires notifications to the consumer regardless of the level of risk involved. This may be confusing to the consumer and cause them to be inured to these notices. For the benefit of both the consumer and those subject to this proposed rule, we urge that the FTC take a practical approach to health breach notification to the extent permitted in the American Recovery and Reinvestment
Detailed comments from iGuard.org are attached.