The Federal Trade Commission (FTC) has clarified the scope of its Health Breach Notification Rule. The move seeks to put health applications—many of which handle sensitive user information—on notice that security breaches of user information could result in hefty fines.
The Rule, 16 C.F.R. Part 318, was passed as part of the American Recovery and Reinvestment Act of 2009. However, in the time since, the FTC claims that they have “never enforced the Rule, and many appear to misunderstand its requirements.” The Rule requires that individuals “notify U.S. consumers and the FTC, and, in some cases the media” if there is a data breach.
A breach could include outside actors accessing information, or the app itself disclosing information without the authorization of the user. The FTC’s Wednesday statement also clarifies which apps fall under the regulation; namely, any app which “collects information directly from multiple sources, such as through a combination of consumer inputs and application programming interfaces.”
The FTC does not explain why the Rule has never been enforced. However, the statement makes it clear that the Commission now intends to enforce the Rule and to bring civil actions in the case of a breach. Apps that violate the Rule “face civil penalties of $43,792 per violation per day.”
The FTC chose to address the issue because the Commission is sensitive to the proliferation of health apps over the past decade. Whether they track fitness, sleep, medication, or fertility, the number of such apps has grown substantially since the Rule was initially passed in 2009. Though the statement strongly suggests it will, whether the FTC follows through on enforcing the Rule remains to be seen.