New Jersey Expands Definition of Personal Information Requiring Breach Notifications


The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach.

New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information, where the account or card information is accompanied by a password or code that allows the account to be accessed.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed.

The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52 – was passed by the Senate and Assembly in 2018, but it was not signed by then-Governor Chris Christie. Current Governor Phil Murphy is expected to sign the bill.

The bill closes a gap in current law that allows businesses to avoid notifying consumers of breaches involving online account credentials. If online accounts are compromised, criminals can gain access to a range of sensitive information that can be used for identity theft and fraud. If an online account can be accessed by someone else as a result of a data breach, consumers have the right to be informed so they can take steps to secure their accounts.

Under the new law, breach notifications can be mailed to consumers or provided as electronic notices. A substitute breach notice can be issued if the cost of providing individual notices would exceed $250,000 or if more than 500,000 individuals have been affected. In such cases, breach victims should be emailed, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes the breached email account itself is prohibited from sending the notification to that account and must deliver notices by other means, such as displaying a conspicuous notice when the user logs into the account from an IP address or location that the user has previously used to access it.

Any business or public entity found to have willfully violated state data breach notification laws can be fined up to $10,000 for a first offense and up to $20,000 for any subsequent offenses. There is also a private right of action for individuals who have suffered ascertainable losses as a result of a data breach.

Author: HIPAA Journal
