SENATE, No. 562

STATE OF NEW JERSEY

216th LEGISLATURE

PRE-FILED FOR INTRODUCTION IN THE 2014 SESSION

Sponsored by:

Senator SHIRLEY K. TURNER

District 15 (Hunterdon and Mercer)

Senator NIA H. GILL

District 34 (Essex and Passaic)

SYNOPSIS

     Requires health service corporation to encrypt certain information.

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel



An Act concerning the security of certain personal information and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    As used in this act:

     “Computer” means an electronic, magnetic, optical, electrochemical or other high speed data processing device or another similar device capable of executing a computer program, including arithmetic, logic, memory, data storage or input-output operations and includes any computer equipment connected to such a device, computer system, or computer network.

     “Computer equipment” means any equipment or device, including all input, output, processing, storage, software, or communications facilities, intended to interface with a computer.

     “Computer network” means the interconnection of communication lines, including microwave or other means of electronic communication, with a computer through remote terminals, or a complex consisting of two or more interconnected computers.

     “Computer program” means a series of instructions or statements executable on a computer, which directs the computer system in a manner to produce a desired result.

     “Computer software” means a set of computer programs, data, procedures, and associated documentation concerning the operation of a computer system.

     “Computer system” means a set of interconnected computer equipment intended to operate as a cohesive system.

     “Computerized record” means any record, recorded or preserved on any computer, computer equipment, computer network, computer program, computer software, or computer system.

     "Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information.  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     "Record" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  Record does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.

     2.    A health service corporation established pursuant to P.L.1985, c.236 (C.17:48E-1 et seq.) shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.  Compliance with this section shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.

     3.    It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to violate the provisions of this act.
     4.    This act shall take effect on the first day of the seventh month next following enactment.

STATEMENT

     This bill requires a health service corporation established pursuant to P.L.1985, c.236 (C.17:48E-1 et seq.), when compiling or maintaining computerized records that include personal information, to secure the information by encryption or by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.  This requirement applies to any computer, including a desktop computer or laptop computer, computer equipment, computer network, or computer system, as defined by the bill.  Compliance with this requirement shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection program.

     As defined in the bill, “personal information” means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information.

     It is an unlawful practice and a violation of the consumer fraud law (C.56:8-1 et seq.) for a health service corporation to violate the provisions of this bill.  Such violation is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for a second or any subsequent offense.  In addition, a violation can result in cease and desist orders issued by the Attorney General, the assessment of punitive damages and the awarding of treble damages and costs to the injured party.