The Democratic leaders of the Connecticut Senate responded Wednesday to the Anthem data breach by proposing that insurers selling health plans in the state be required to encrypt Social Security numbers and other client information.
Connecticut would be the second state in the nation to impose an encryption standard on health insurers, following a New Jersey law passed last month after a breach involving Horizon Blue Cross and Blue Shield of New Jersey.
The proposal outlined Wednesday by Senate Majority Leader Bob Duff of Norwalk and Senate President Pro Tem Martin M. Looney of New Haven comes as cyber-security experts and others warn that encryption is no panacea.
“Encryption Wouldn’t Have Stopped Anthem’s Data Breach” was the headline on a story posted Tuesday by the MIT Technology Review.
But Duff said that, after telephone conversations with security experts, the senators believe a reasonable encryption standard can be set in state law, along with “per occurrence” financial penalties for violators.
“It is imperative that we step up our game,” Duff said.
Looney and Duff pledged that there would be no rush to judgment, even as Duff took note that their bill appeared to be the first proposed after Anthem’s disclosure that 80 million customer records had been stolen.
“I’m proud of the fact that I believe since the Anthem breach that we’re the first legislature in the nation to propose some new legislation,” Duff said.
Looney estimated that one-third of Connecticut residents might be affected by the breach, given the major role Anthem plays in the state’s health insurance market.
An aggressive legislative response by one or more states could prompt federal action, he said.
“I think in many ways states are the laboratory of democracy,” Looney said. “And many programs that have been implemented at the state level ultimately have become a national model with national mandates.”
Sen. Joan Hartley, D-Waterbury, who was the co-chair of the Public Safety and Security Committee until this year, said state homeland security officials are in a position to advise them.
The state government’s web sites are subjected to nearly one million attempted hacks monthly, she said.
Anthem’s spokeswoman in Connecticut did not directly respond to a question about the encryption proposal. Instead, she issued a general update on the company’s response to the breach:
“Anthem is committed to timely notification to consumers affected by the cyber-attack on one of our databases. Since the attack was discovered, we have been working with a vendor that is quickly making the necessary preparations to provide credit monitoring and identity theft protection services to the millions of people potentially affected by this attack.
“We have laid out a thoughtful plan with this vendor so that they can accommodate what we anticipate will be very high demand for these services. Our goal is to provide peace of mind to consumers, while minimizing frustration. Consumers will be able to sign up for these services, which will be offered free of charge for two years, beginning Friday. Information on how to enroll will be posted at anthemfacts.com.”