HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Jersey Expands Definition of Personal Information Requiring Breach Notifications

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach.

New Jersey's existing breach notification law requires businesses and public entities to notify consumers if there has been a breach of their Social Security number, driver's license number, or bank account number or credit/debit card number when that number is accompanied by a password or access code that would allow the account to be accessed.

The amendment to the data breach notification requirements of the New Jersey Consumer Fraud Act expands the definition of personal information to include a username or email address in combination with a password or security question and answer that would permit access to an online account.

The bill, A-3245, was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill, S-52, was passed by the Senate and Assembly in 2018, but it was not signed by then-Governor Chris Christie. Current Governor Phil Murphy is expected to sign the bill.


The bill closes a gap in current laws that would allow businesses to avoid notifying consumers of breaches of online information. If online accounts are compromised, criminals can gain access to a range of sensitive information that can be used for identity theft and fraud. If an online account can be accessed by someone else as a result of a data breach, consumers have the right to be informed so they can take steps to secure their accounts.

Under the new law, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if the cost of providing notices would exceed $250,000 or if more than 500,000 individuals have been affected. In such cases, breach victims should be emailed, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes the breached email account is prohibited from sending the breach notification to that account, since a notice delivered to a compromised mailbox may be read by the intruder rather than the account owner. Such an entity must deliver notices by other means, such as displaying a conspicuous notice when the user logs into the account from an IP address or online location from which the user has previously accessed it.

Any business or public entity found to have willfully violated state data breach notification laws can be fined up to $10,000 for a first offense and up to $20,000 for any subsequent offenses. There is also a private right of action for individuals who have suffered ascertainable losses as a result of a data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.