New Jersey's New Encryption Requirement May Reach Beyond Health Insurers
Effective August 1, 2015, health insurance carriers that issue health insurance in New Jersey must use encryption or other technology that renders personal information unreadable, undecipherable, or unusable by unauthorized persons when compiling or maintaining computerized records that include personal information. Mere password protection is inadequate to comply with this law, known as Senate Bill 562 or S562. The New Jersey legislature unanimously enacted S562 in response to heightened public concern about privacy and cybersecurity issues.
Unlike most state cybersecurity and data breach laws, which require businesses to take certain actions after a data security breach (including notifying persons whose personal information has been subject to unauthorized disclosure), S562 aims to prevent data security breaches, or at least make them less likely. As one of the first laws of its kind among state data security laws, New Jersey's law is anticipated to serve as a model for other states as they struggle to protect personal information and prevent data breaches.
Under S562, "personal information" is defined as a person's first name or first initial and last name linked with at least one of the person's (1) Social Security number, (2) driver's license number or other State identification card number, (3) address, or (4) identifiable health information. Failure to encrypt personal information under S562 constitutes a violation of New Jersey's consumer fraud statute and subjects violators to the Attorney General's enforcement powers as well as treble damages.
Encryption provides greater security than password protection because it alters the protected data, rendering it indecipherable until the correct "key" is applied. Whereas data protected by a password can be accessed in its original form if a hacker or other unauthorized user gains access to or circumvents the password, encrypted data will be indecipherable and unusable unless the proper key is used to unlock the code. Encryption is not ironclad protection, as a hacker could steal the key or potentially decipher the code. Encryption also can add costs and make the protected data more difficult to access and use.
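To make the distinction above concrete, the following Go program (an added example, not part of the original article and not from any New Jersey insurer or regulator) stores the same constructed record two ways: a "password-gated" store that checks a password but keeps the record as plaintext at rest, and a store that keeps only AES-256-GCM ciphertext. It then shows that the Social Security number is readable in the first store's bytes but not the second's, and that decryption with the wrong key fails rather than producing usable data. The record values, password and store names are hypothetical; Go's standard library is used so the example runs without third-party packages.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PersonalInfo mirrors the statute's definition: a name linked with an
// identifier. Values used below are constructed sample data, not real people.
type PersonalInfo struct {
	FirstName, LastName, SSN string
}

// serialize renders a record the way a naive flat-file store might.
func serialize(p PersonalInfo) []byte {
	return []byte(fmt.Sprintf("%s,%s,%s", p.FirstName, p.LastName, p.SSN))
}

// PasswordGatedStore models "mere password protection": access is checked,
// but the bytes at rest are the unaltered plaintext record.
type PasswordGatedStore struct {
	password string
	data     []byte
}

func NewPasswordGatedStore(password string, p PersonalInfo) *PasswordGatedStore {
	return &PasswordGatedStore{password: password, data: serialize(p)}
}

// AtRest is what someone who bypasses the password check (for example by
// reading the disk or a backup directly) would see.
func (s *PasswordGatedStore) AtRest() []byte { return s.data }

// EncryptedStore keeps only the nonce and AES-256-GCM ciphertext; the key
// is held separately, which is what makes the stored bytes unusable alone.
type EncryptedStore struct {
	nonce, ciphertext []byte
}

// NewKey generates a random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewEncryptedStore(key []byte, p PersonalInfo) (*EncryptedStore, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EncryptedStore{nonce: nonce, ciphertext: aead.Seal(nil, nonce, serialize(p), nil)}, nil
}

func (s *EncryptedStore) AtRest() []byte { return s.ciphertext }

// Decrypt recovers the record only with the correct key. GCM's authentication
// tag makes a wrong key fail deterministically instead of yielding garbage.
func (s *EncryptedStore) Decrypt(key []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, s.nonce, s.ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered ciphertext")
	}
	return pt, nil
}

// Exposed reports whether the identifier is readable in the at-rest bytes.
func Exposed(atRest []byte, identifier string) bool {
	return bytes.Contains(atRest, []byte(identifier))
}

func main() {
	rec := PersonalInfo{"Jane", "Doe", "123-45-6789"} // constructed sample record
	gated := NewPasswordGatedStore("hunter2", rec)
	fmt.Println("password-gated store exposes SSN at rest:", Exposed(gated.AtRest(), rec.SSN))
	key, _ := NewKey()
	enc, _ := NewEncryptedStore(key, rec)
	fmt.Println("encrypted store exposes SSN at rest:", Exposed(enc.AtRest(), rec.SSN))
	wrong, _ := NewKey()
	_, err := enc.Decrypt(wrong)
	fmt.Println("decrypt with wrong key:", err)
	pt, _ := enc.Decrypt(key)
	fmt.Println("decrypt with correct key:", string(pt))
}
```

The example also illustrates the article's caveat: the protection rests entirely on the key, so an attacker who obtains `key` recovers the record just as the legitimate application does, which is why key storage and access to the key are the controls that matter once encryption is in place.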
In some respects, S562 requires health insurance carriers to employ greater measures to protect personal information than is required under the federal Health Insurance Portability and Accountability Act (HIPAA), which requires health insurance carriers to protect personal information but does not establish a baseline means of protection. HIPAA regulations merely encourage encryption, but do not require it.
S562 also differs from HIPAA because it does not expressly address the statutory obligations of "business associates" — persons and entities that perform functions for or provide services to health insurance carriers. By virtue of their relationship to health insurance carriers, business associates have access to much of the same sensitive personal information as health insurance carriers. Common examples of business associates include medical equipment companies, information technology companies that provide network support, electronic record companies, lawyers, and auditors.
It is unclear whether the New Jersey legislature intended to omit business associates from the scope of S562. To meet their own statutory obligations, New Jersey health insurers should consider adding to their business associate agreements encryption standards consistent with S562. The extent to which a health insurer may be subject to the statutory remedies on account of a business associate's violation, and the extent to which those remedies are also available against the business associate, are issues on which the statute is silent. A well-drafted business associate agreement can allocate these risks, at least as between the insurer and its vendors.