New Jersey has enacted a new law that requires health insurance companies to protect patients' electronic personal information by, among other things, adding encryption requirements for “data at rest,” as well as transmitted “data in motion.” As the first state to enact such a law specific to health insurers, New Jersey stands to lead the way for other states' attempts to regulate personal data held by health insurance carriers. Health insurers and other companies should stay tuned for a potential rise in data breach litigation, particularly if other states pass similar laws imposing statutory penalties for data breaches.

New Jersey Law

While some states, such as Nevada, California and Massachusetts, require organizations and businesses to encrypt personal information, the New Jersey law is the first in the nation to focus on health insurers specifically.

The new law, codified at N.J.S.A. §§56:8-196 to 198, was passed in response to a number of high-profile data breaches over the past several years, including one earlier this year that purportedly affected millions nationwide. The law will specifically require health insurance carriers—defined as an “insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization” that can issue health benefits plans in the state—to render personal information unusable by unauthorized users.