Setting a new standard for encryption, New Jersey has enacted a new law (P.L. 2014, c. 88, codified at N.J. Stat. Ann. §§ 56:8-196 - 56:8-198) effective August 1, 2015, requiring health insurance carriers authorized to issue health benefits plans in New Jersey to encrypt personal information that they store electronically. Unique relative to existing data security requirements, the new law requires encryption of “personal information” defined to include name and address (without other data), and applies to data residing on desktop computers and other computer systems – not just data stored on mobile devices or in transit. The new law applies to health insurance companies, HMOs, medical service corporations and other entities, and will require a thorough review of data security practices by all health insurers licensed in New Jersey. Particularly given the recent announcement of a high profile breach involving a health plan affecting tens of millions of Americans, this New Jersey legislation may well inspire similar legislative initiatives in other states, and in other industries.
Why is it Unique?
Unlike similar, existing federal and state data security requirements:
- The New Jersey law requires encryption without regard to reasonableness, technical feasibility, or the results of risk assessments. The New Jersey law instead mandates encryption or “any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person,” for all companies subject to the law, specifying that mere password protection is not sufficient. In contrast, many existing laws (including HIPAA) allow companies to determine what specifications (such as encryption) are reasonable, appropriate and/or technically feasible.
- New Jersey’s encryption requirement extends to personal information when stored on desktops and other computer systems designed to allow end users to access computerized information, software, programs or networks, and when transmitted across public networks. In contrast, the existing state laws (Massachusetts and Nevada) only require encryption of data residing on mobile or portable devices, data in flight, or data otherwise transferred outside the control of the company -- not data residing on desktops, servers and other internal company systems.
- The New Jersey statute extends the definition of personal information for this purpose to include an individual’s name together with his or her address alone (subject to a narrow exception for publicly available directories). Like many other data security requirements, however, the definition also extends to more sensitive data, such as name together with Social Security number, driver’s license number or State ID card number, or identifiable health information as defined in 45 CFR 160.103.
What Needs to be Done Now?
- Each health insurance carrier licensed in New Jersey must revisit its data security safeguards and protocols for compliance with the new requirements. As name and address alone have not previously been subject to encryption requirements, companies should review where this data exists on their systems, and how it is used, transmitted and stored in order to ensure compliance with the new requirement.
- Health insurance carriers not licensed in New Jersey should monitor legislative developments in other states that may consider similar legislation. The recently announced breach involving a large health plan, reportedly affecting tens of millions of Americans, may inspire other states to impose encryption requirements as well.
- Companies in other industries should consider the possibility that similar encryption obligations may be imposed outside the health insurance industry, and consider whether to implement encryption more broadly in anticipation, or as risk mitigation.