Gov. Chris Christie has signed into law S. 562, which, as its title states, “Requires health insurance carriers to encrypt certain information.”
Violation of this new law constitutes a facial violation of the New Jersey Consumer Fraud Act, a powerful consumer remedies statute. The NJCFA can be enforced by the state attorney general, or by private action. For private litigants showing ascertainable loss, the NJCFA allows for recovery of treble damages and attorney’s fees. The NJCFA is a favorite of the state class action bar.
For purposes of this Act, a “health insurance carrier” is “an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State,” meaning New Jersey.
Such health insurance carriers “shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” A simple password will not do. Unlike the Massachusetts data security regulation, the New Jersey Act does not expressly establish a duty to pass encryption standards on to vendors.
As defined by the Act, personal information “means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.”
While the substantive requirements of this Act may not be onerous, the explicit link between this Act and the NJCFA should give pause to all New Jersey health carriers.