After a massive data breach at the Garden State's largest health insurer, carriers and others now have to comply with data protection standards that exceed HIPAA.
New Jersey Governor Chris Christie has signed into law new personal information protection requirements for data encryption. Under the new law, health insurers compiling or maintaining computerized records with personal information have to secure the information by encryption or another "method or technology rendering it unreadable, undecipherable or otherwise unusable by an unauthorized person."
"We've seen far too many examples of personal information being stolen from retailers and other invasions of privacy, so some common sense is needed when it comes to securing health information, which for many people is as personal as it gets," said Gary Schaer, a Democratic state representative who co-sponsored the legislation. "This law is a reasonable requirement to protect personal privacy in this digital age."
The law comes a year after two laptops with unencrypted data were stolen from the headquarters of New Jersey's largest health insurer, Horizon Blue Cross Blue Shield. The two computers held personal data such as Social Security numbers and medical conditions for almost a quarter of the insurer's 3.6 million members.
New Jersey's new law applies to end-user systems and to computerized records that are transmitted across public networks. The goal of the law, as Schaer put it, is to get the healthcare industry to require "more than the use of a password."
Under the law, personal information is defined to include an individual's first name or first initial and last name linked with a Social Security number, a driver's license or state identification card number, an address, or identifiable health information.
Failing to comply with these standards is punishable by a maximum fine of $10,000 for a first offense and $20,000 for a second or any subsequent offense. A violation can also bring cease and desist orders issued by the attorney general -- and damage payments to affected individuals.
An encryption mandate being enacted in a state as densely populated as New Jersey suggests that consumer data protection law has reached a key point in its evolution. While HIPAA is the federal standard for personal health information, and has more recently been aggressively enforced against organizations that expose patient information, states have stepped in to fill gaps.
In 2003, California adopted the first law requiring notification of consumer information breaches, and today almost all states have similar laws. In 2008, Nevada became the first state to require businesses to encrypt all personal information being transferred digitally. Massachusetts and now New Jersey have followed suit.