New Jersey Law Requires Health Data Encryption – Sort Of
New Jersey enacted a new law which requires data encryption (see bill information) as a response to the health care data breaches – I assume like Anthem.
The bill is short, only 4 pages, but, at least to me, that does not make things any clearer.
The bill covers health insurance carriers, but then defines them this way:
“Health insurance carrier” means an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.
It defines personal information in a pretty normal way:
“Personal information” means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
Then it says that a health insurance carrier shall not compile or maintain computerized records that include personal information unless that information is secured by encryption. So far, so good.
But then it says that this only applies to end-user computer systems and to computerized records transmitted across public networks.
Fines, according to King & Spalding, are $10,000 for the first offense and $20,000 for subsequent offenses. What is not clear to me is whether, if you have 5 computers in the office, that counts as 5 offenses.
What is also not clear is whether whole-disk encryption like Microsoft’s BitLocker (or its Android and iPhone equivalents) counts as making you compliant. Malware will likely cut through those like a hot knife through butter, because once you have unlocked the disk, malware running as your agent sees the same unencrypted data you are allowed to see.
Yet, the data is encrypted, so you likely would not be liable. Maybe.
Also, this offers ZERO protection against Anthem- and Premera-style attacks, since those went after servers, not end-user computers.
My reading would suggest that it does include mobile devices like phones and pads, so that is probably good.
Unfortunately, I think this is an example of lawmakers, who really don’t understand technology, trying really hard to do something useful, but kind of missing the mark. It definitely helps because lost laptops, phones and pads really do happen – a lot – but it will have no effect on the big breaches that you see on the news.