Attention, Health Insurers: Unique Encryption Requirements in NJ

As further analyzed in our QuickStudy, available here, New Jersey has enacted a new law (P.L. 2014, c. 88, codified at N.J. Stat. Ann. §§ 56:8-196 – 56:8-198) effective August 1, 2015, requiring health insurance carriers authorized to issue health benefit plans in New Jersey to encrypt personal information that they store electronically. Unique relative to existing data security requirements, the new law (i) defines “personal information” to include name and address (without other data), (ii) applies to data residing on desktop computers and other computer systems – not just data stored on mobile devices, in transit, or otherwise transferred outside the control of the company, and (iii) is not subject to reasonableness, technical feasibility or results of a risk assessment.