New Jersey Imposes Unique Encryption Requirements

Effective August 1, 2015, New Jersey will require health insurance carriers authorized to issue health benefit plans in New Jersey to encrypt personal information that they store electronically. The new law (P.L. 2014, c. 88, codified at N.J. Stat. Ann. §§ 56:8-196 - 56:8-198) is unique relative to existing data security requirements, as follows:

• The new requirement defines “personal information” expansively to include an individual’s name and address (without other data), as well as other more sensitive data typically subject to data security requirements.
• The new law applies to such data when residing on desktops and other computer systems designed to allow end users to access computerized information, software, programs or networks, and when transmitted across public networks. In contrast, existing state encryption requirements (such as Massachusetts and Nevada) only require encryption of data residing on mobile or portable devices, data in flight, or data otherwise transferred outside the control of the company.
• The requirement is absolute; unlike most other existing requirements (including HIPAA), it is not subject to risk assessments, reasonableness, or technical feasibility, but rather mandates encryption or “any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person” for all companies subject to the law, specifying that mere password protection is not sufficient.

This unique encryption requirement applies to licensed health insurance companies, HMOs, medical service corporations, and other entities licensed to issue health benefit plans in New Jersey. In preparation for the effective date of this new requirement, each such company should review its data security safeguards and protocols for compliance. Given the expansive definition of personal information and the extension of the encryption requirement to all computer systems and programs accessible by end users, many companies will likely need to extend their existing encryption technology to cover additional systems and data.

Particularly given the recent announcement of a high profile breach involving a health plan affecting tens of millions of Americans, this New Jersey legislation may well inspire similar legislative initiatives in other states. Therefore, carriers in all jurisdictions should monitor legislative and regulatory initiatives imposing similar encryption requirements that may be expected to follow. As the health insurance industry is by no means the only industry threatened by attacks on the privacy and security of personal information, companies in every industry should consider extending the scope of current encryption practices for risk mitigation, and be vigilant in monitoring legislative developments for new encryption requirements that may be inspired by this unique New Jersey requirement.

Theodore P. Augustinos is a Partner and Karen L. Booth is an Associate in Locke Lord’s Hartford office. They can be reached at ted.augustinos@lockelord.com and karen.booth@lockelord.com.