In the wake of a significant health insurance data breach, Democratic state senators have unveiled a proposal requiring state insurance companies to encrypt all personal information records, including Social Security numbers.
The legislation comes in light of several major data breaches over the past year targeting large corporations such as Sony, eBay and Home Depot. Senate Majority Leader Bob Duff of Norwalk said at a press conference Wednesday afternoon that he believes the Connecticut State Legislature is the first to present a bill in response to the country’s most recent breach, in which hackers targeted sensitive health insurance information from Anthem, the country’s second-largest health insurer.
As the parent company of Anthem Blue Cross and Blue Shield in Connecticut, Anthem has 1.14 million customers in the state and is its largest health insurance company. The breach became public in early February and could affect as many as 80 million individuals nationwide.
“It is imperative that we step up our game, and that includes the private sector as well as government,” Duff said. “That is why we are introducing this necessary, common-sense legislation to encrypt personal information. If we cannot prevent hackers from getting in, we can at least thwart their efforts by limiting what information they get and rendering it useless.”
Duff said legislators plan to enable commissioners to certify new technologies regarding cybersecurity as they develop.
With the state interested in becoming a national leader in the $210 billion cybersecurity industry, lawmakers are also working on related legislation that would develop cybersecurity-appropriate standards for securing the data of both individuals and businesses, according to State Sen. and Senate Chair of the Commerce Committee Joan Hartley of Waterbury. Hartley added that this legislation is particularly important for state commercial interests because the state does not know the precise number of hacks that businesses, especially smaller enterprises, face on a regular basis.
Federal standards governing cybersecurity — such as the Health Information Technology for Economic and Clinical Health Act of 2009, which encourages but does not mandate encryption — have not served the public adequately, according to Duff. He said the state would also examine recent laws passed in Massachusetts, Nevada and New Jersey to see how these states have enforced cybersecurity legislation. If passed, the legislation outlined on Wednesday would make Connecticut the second state after New Jersey to require encryption from health insurers.
Ross Koppel, an adjunct professor of sociology at the University of Pennsylvania, suggested that encrypting data may not be enough. He added that using unique patient identification numbers — a system currently banned by the U.S. Congress — would be dramatically more effective than merely encrypting the Social Security numbers of customers.
Ted Wittenstein ’04 LAW ’12, a lecturer in Global Affairs at the Jackson Institute, said encryption is merely one of many elements an organization needs to protect sensitive data. Wittenstein added that a legislative approach alone will not solve the issue of cyberattacks, and that ultimately, the solution would require input at the federal and local levels as well as from the private sector.
Another state Senate bill, introduced at the beginning of this year’s legislative session, also acts as a potential vehicle to address cybersecurity, said Senate President Pro Tempore Martin Looney of New Haven. The bill requires companies to notify their customers whenever unauthorized access to data in the company’s computer system occurs.
Duff commended Anthem for reporting the incident in a timely manner, noting that the company was a victim in the breach as well.
State Attorney General George Jepsen, who launched an investigation into the breach last week, joined nine other attorneys general from across the country on Feb. 10 to call for transparency and better communication from Anthem to its customers. Anthem has pledged to provide two years of free credit monitoring and identity theft protection to all Connecticut residents affected by the data breach. Anthem representatives from Connecticut could not be reached for comment.