ePHI Data Breach and the Consumer Fraud Act

by John Zen Jackson

The important protection against data breach liability that encrypting ePHI provides has been pointed out a number of times on this blog. Although not required by the HIPAA or HITECH security rules, encryption is a practical solution to a potentially big problem. Indeed, the Office of Civil Rights has commented in the past that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.” While not required, encryption is an “addressable” implementation specification that nonetheless becomes effectively required under the “reasonable and appropriate” standard of review applied to the retrospective evaluation of security measures used in data breach circumstances. The burden is on the covered entity to show that it was unreasonable and inappropriate to have used encryption.

In any event, the persuasiveness of the argument for encryption as a matter of routine was strengthened on January 9, 2015 when Governor Christie signed Senate Bill 562 into law as P.L. 2014, c. 88.

This is an amendment to the New Jersey Consumer Fraud Act that will be codified at N.J.S.A. 56:8-196 to 56:8-198. The new legislation has an effective date of August 1, 2015.

It uses the definition of individually identifiable health information found in the HIPAA Privacy Rule and incorporates it into a broader category of “personal information.” N.J.S.A. 56:8-196. As of its effective date the statute mandates that a health insurance carrier shall not compile or maintain computerized records with personal information “unless that information is secured by encryption or by any other method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” N.J.S.A. 56:8-197. It explicitly provides that “more than the use of a password protection” is required if the password program only prevents general unauthorized access and does not render the information “unreadable, undecipherable, or otherwise unusable.” These requirements are directed at computer systems broadly, including desktop computers, laptops, tablets or other mobile devices, and removable media.

New Jersey is the second state to impose explicit encryption requirements on personal information in a computerized form. Massachusetts had taken the first step with regulations effective in 2010 that had been promulgated pursuant to its anti-identity theft legislation. See generally 201 Mass. Code Regs. 17.04. The New Jersey restrictions currently apply only to health insurance carriers and do not extend to health care providers. This is consistent with the long-standing general proposition that the New Jersey Consumer Fraud Act does not apply to licensed professionals such as physicians or hospitals who are subject to comprehensive regulations by their own regulatory bodies. See, e.g., Macedo v. Dello Russo, 178 N.J. 340, 344-46, 840 A.2d 238, 240-42 (2004); Hampton Hosp. v. Bresan, 288 N.J. Super. 372, 381-83, 672 A.2d 725, 730-31 (App. Div.), certif. denied, 144 N.J. 588, 677 A.2d 760 (1996). But the statute certainly may be viewed as an expression of best practices if not an emerging standard of care.

Pursuant to N.J.S.A. 56:8-198 violations of the computer encryption statute are declared to be “an unlawful practice” subjecting violators to consequences under the Consumer Fraud Act. These include penalties of up to $10,000 for the first violation and up to $20,000 for the second and any subsequent violation. The Attorney General can bring an action for a cease and desist order and the court can order restitution. Lastly, an individual consumer who can demonstrate an ascertainable loss and a causal nexus between the alleged act of consumer fraud and the damages sustained can bring a private action for treble damages and attorney’s fees.