FTC — The Federal Trade Commission has delayed the enforcement date of the Red Flag Rule until June 1, 2010.
Health data breach rulemaking — The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.
Resource — A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.
Telemarketing | Top Ten Opt Out List — Beginning today, pre-recorded telemarketing phone calls must come with an easy opt-out for consumers. If a pre-recorded telemarketing call is left on an answering machine, it must also include opt-out information. These rules will apply to telemarketers already subject to the Federal Trade Commission’s Telemarketing Sales Rule and Do Not Call List. There are some exemptions to the rule. For more details about the changes, see our Top Ten Opt Out List, which has been updated with the new information.
This conference is convened for the purpose of gaining a deepened mutual understanding of privacy and security approaches cross-culturally, with the conference providing an international forum for discussing and understanding the different concepts of privacy and security in the US, Asia, and the EU. Through sharing of current practices and ideas, the participants will explore possible bridges between what these concepts mean in different countries both now and looking to the future as well.