On January 9, New Jersey Governor Chris Christie signed legislation that will require health insurance carriers in the state to encrypt their customers' personal information. Specifically, the new law will prohibit health insurance carriers (including insurance companies, HMOs, and operators of certain other health plans) from collecting and storing personal information in computerized records unless the information is encrypted, making it "unreadable, undecipherable, or otherwise unusable by an unauthorized person." Simply using passwords to protect personal information will not satisfy the requirements.
The new law defines "personal information" as "an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information." The requirements of the new law apply only to end user computer systems and records transmitted across public networks. "End user computer systems" include desktop computers, laptops, tablets, mobile devices, and removable media.
A statement by the New Jersey State Senate Commerce Committee provides that a violation of the encryption requirements will be a violation of the state's consumer fraud law, resulting in a penalty of up to $10,000 for the first offense and up to $20,000 for each offense thereafter. The state Attorney General may also issue cease and desist letters to health insurance carriers that violate the law, and is empowered to award treble damages and costs to an injured party.
The legislation was passed by unanimous votes in both the New Jersey State Senate and State Assembly. The new law will take effect on August 1, 2015.