On January 9, New Jersey Governor Chris Christie signed legislation that will require health insurance carriers in the state to encrypt their customers’ personal information. Specifically, the new law will prohibit health insurance carriers (including insurance companies, HMOs, and operators of certain other health plans) from collecting and storing personal information in computerized records unless the information is encrypted, making it “unreadable, undecipherable, or otherwise unusable by an unauthorized person.” Simply using passwords to protect personal information will not satisfy the requirements.
The new law defines “personal information” as “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.” The requirements of the new law apply only to end user computer systems and records transmitted across public networks. “End user computer systems” include desktop computers, laptops, tablets, mobile devices, and removable media.
A statement by the New Jersey State Senate Commerce Committee provides that a violation of the encryption requirements will be a violation of the state’s consumer fraud law, resulting in a penalty of up to $10,000 for the first offense and up to $20,000 for each offense thereafter. The state Attorney General may also issue cease and desist letters to health insurance carriers that violate the law, and is empowered to award treble damages and costs to an injured party.
The legislation was passed by unanimous votes in both the New Jersey State Senate and State Assembly. The new law will take effect on August 1, 2015.