For the context of this law, personal information is defined as an individual's first name or first initial and last name linked with one or more of the following data elements:
- Social Security number,
- Driver's license number or State identification card number,
- Address, or
- Identifiable health information.
The loss of unencrypted devices and equipment is one of the leading causes of reported data breaches, according to the US Department of Health and Human Services Office for Civil Rights. Part of this is driven by the fact that many data protection and breach notification laws do not require disclosure of a breach to regulatory authorities if the lost devices or equipment were encrypted.
Unlike the Health Insurance Portability and Accountability Act (HIPAA), the new law does not allow a company to perform an assessment to determine whether to encrypt; instead, it mandates encryption of personal information on end-user computer systems and in computerized records transmitted across public networks. As a result, failure to encrypt such information would now be a violation of the New Jersey law.
One area left unclear by the legislation is how it affects third-party vendors who provide services to the entities required to comply with the law. Organizations should consider taking the following steps regardless of whether this law directly applies to them, as similar legislation may follow or evolving legal interpretations may force their compliance:
- Given the ease with which information, including personal information, can be transferred, organizations should inventory all potential locations of personal information, including mobile devices, and assess whether the current encryption requirements are being met.
- Rigorously enforce attendance at security awareness training for all employees to help them understand where personal information should or should not be accessed, stored, or transmitted. Breaches are often related to equipment that management was unaware held personal information.
- Perform a comprehensive, thorough, and documented assessment of the risks to the integrity, confidentiality, and security of personal information, and map that assessment and its findings to the applicable legal requirements, such as HIPAA, the Payment Card Industry Data Security Standard (PCI DSS), and the New Jersey law.
For more information on this topic, or to learn how Baker Tilly insurance industry specialists can help, contact our team.
Defined in Department of Health and Human Services regulations: 45 CFR 160.103