The recent data breach at health insurer Anthem has sparked new legislation in Connecticut. During the breach, at least 80 million records were stolen. According to NBC News, among the 80 million victims, tens of millions of American children had their Social Security numbers, dates of birth, and health care ID numbers stolen. In response, Connecticut state legislators are proposing legislation that would require health insurance companies to encrypt their customers’ data. Connecticut’s proposed legislation is similar to recent legislation passed in New Jersey, which followed the data breach of Horizon Blue Cross and Blue Shield of New Jersey. These state legislative initiatives are among several actions being taken and proposed by government entities.
However, some experts argue that encryption, while useful, is not a one-size-fits-all tool. Many people have been surprised to hear that this sensitive data was not encrypted and that the federal mandate for securing health-related data, HIPAA, does not require it to be.
In the run-up to the State of the Union, President Obama proposed several new federal initiatives including:
- introducing new federal legislation that would create a federal standard to notify consumers when their data is stolen. This would replace the current state laws in place, which may be very different. Under this proposed legislation, companies would have to notify consumers of a data breach within 30 days;
- encouraging banks, credit card institutions, and other financial entities to allow consumers access to their credit scores without charge as a means of fighting identity theft; and
- introducing a Consumer Privacy Bill of Rights.
In addition, the White House has announced the creation of a new Cyber Threat Intelligence Integration Center, which will act as a central agency to coordinate intelligence relating to cyber threats.
As federal and state governments continue to pass legislation and promulgate regulations related to cyber security, insurance companies and other businesses need to ensure that they are taking all appropriate steps to protect customers’ data.