Take Another Look at New Jersey: Data Breach Notification Law is Expanded

Across this country, states are taking a hard look at data privacy and security, and making large scale revisions to their state regulations (California made headlines with the CCPA, but others closely followed suit, such as Washington, Massachusetts, Colorado . . . and the list goes on).  

Like many states, New Jersey is getting in on the conversation.  Last month, the New Jersey General Assembly adopted S52 (A-3245), which amends the state's data breach notification law (the "Amendment").  The Amendment focuses on the following key aspects:

  • Expanded Definition of Personal Information: Prior to the Amendment, Personal Information was defined as an individual's name (first and last) plus "(1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."  The Amendment adds a fourth data element that, when combined with an individual's name, is Personal Information: "(4) user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account."  Note that a bare list of names and email addresses still does not qualify; the identifier must be paired with a password or security question and answer.
  • Breach Notification Requirements: The Amendment also adjusts the notification requirements for a breach that involves only an online account identifier and its password or security question and answer:

[. . .] in the case of a breach of security involving a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information as defined in section 10 of P.L.2005, c.226 (C.56:8-161), the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the business or public entity and all other online accounts for which the customer uses the same user name or email address and password or security question or answer.

Any business or public entity that furnishes an email account shall not provide notification to the email account that is subject to a security breach.  The business or public entity shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an Internet Protocol address or online location from which the business or public entity knows the customer customarily accesses the account.

The Amendment is currently with Governor Murphy awaiting his signature (which is expected shortly).  The changes in this Amendment are significant for entities collecting information from individuals located within New Jersey.  

First, with the expanded definition of Personal Information, more companies are at risk of a security incident amounting to a "legal" breach, i.e., a breach that requires notification and exposes the company to liability and negative PR.  Companies can no longer rest easy because they do not collect the typical "sensitive" information: Social Security numbers, bank account information, and credit card numbers.  An intrusion that exposes customer names together with login credentials (a user name or email address plus a password or security question and answer) will now potentially require a full breach response.

Second, entities must now take extra care in how they notify individuals whose account credentials are compromised.  A credentials-only breach may be handled with a notice directing the customer to change the password and security question and answer, but an entity that furnishes the compromised email account may not send that notice to the compromised mailbox; it must use another permitted method, or display a clear and conspicuous notice when the customer connects to the account from the IP address or online location the entity knows the customer customarily uses.  This adds to the breach notification complexity that is already, frankly, confusing.  
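As an added example (not code from the original post, and not statute text), the following Python helper encodes the triage decision the two preceding paragraphs describe: whether a record triggers notification under the amended definition, whether the credentials-only notice is available, and whether the compromised mailbox is off limits as a channel. The field labels ("ssn", "security_qa", and so on) and the Breach/Triage types are assumed names from a hypothetical data inventory, not terms from the statute.

```python
"""Breach-triage helper for the amended New Jersey definition discussed above.

Added illustration, not statute text and not code from the original post. It
encodes four points from the Amendment: the name-plus-data-element test, the
new fourth (online credential) category, the credentials-only notification
option, and the rule that an entity which furnishes the compromised email
account must not send the notice there. Field labels are assumed inventory
names, not statutory terms.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

NAME = frozenset({"first_name", "last_name"})
GOV_IDS = frozenset({"ssn", "drivers_license", "state_id"})
ACCOUNT_NUMBERS = frozenset({"account_number", "card_number"})
ACCOUNT_CODES = frozenset({"security_code", "access_code", "financial_password"})
ONLINE_IDS = frozenset({"username", "email", "account_holder_id"})
ONLINE_SECRETS = frozenset({"password", "security_qa"})

STANDARD_NOTICE = "written or electronic notice"
CREDENTIAL_NOTICE = "notice directing a password / security Q&A change"
IN_ACCOUNT_NOTICE = "conspicuous in-account notice from the customer's usual IP/location"
BREACHED_MAILBOX = "email to the compromised mailbox"


@dataclass(frozen=True)
class Breach:
    fields: FrozenSet[str]              # compromised fields for one individual
    own_mailbox_breached: bool = False  # the compromised account is an email account we furnish


@dataclass(frozen=True)
class Triage:
    notify: bool
    reason: str
    methods: List[str]   # permitted channels (empty when no notice is due)
    excluded: List[str]  # channels the Amendment forbids for this breach


def financial_element(fields: FrozenSet[str]) -> bool:
    """Categories (1)-(3): a government identifier, or an account/card number
    together with a code that would permit access to the financial account."""
    if fields & GOV_IDS:
        return True
    return bool(fields & ACCOUNT_NUMBERS) and bool(fields & ACCOUNT_CODES)


def credential_element(fields: FrozenSet[str]) -> bool:
    """Category (4), added by the Amendment: an online account identifier
    plus a password or a security question and answer."""
    return bool(fields & ONLINE_IDS) and bool(fields & ONLINE_SECRETS)


def triage(breach: Breach) -> Triage:
    f = breach.fields
    if not NAME <= f:
        return Triage(False, "no first-and-last name: not personal information", [], [])
    fin, cred = financial_element(f), credential_element(f)
    if not (fin or cred):
        return Triage(False, "name without a qualifying data element", [], [])
    if fin:
        # Standard notice. The credentials-only shortcut is unavailable once
        # "other personal information" is involved.
        methods, reason = [STANDARD_NOTICE], "name plus financial/government identifier"
    else:
        methods, reason = [CREDENTIAL_NOTICE], "name plus online credentials only"
    excluded: List[str] = []
    if breach.own_mailbox_breached:
        # The breached mailbox may not carry the notice; another method or an
        # in-account notice shown from the customary location must be used.
        excluded.append(BREACHED_MAILBOX)
        methods.append(IN_ACCOUNT_NOTICE)
    return Triage(True, reason, methods, excluded)


if __name__ == "__main__":
    # Constructed sample records, not real breach data.
    samples = [
        Breach(frozenset({"first_name", "last_name", "email", "password"})),
        Breach(frozenset({"first_name", "last_name", "email", "password"}), True),
        Breach(frozenset({"first_name", "last_name", "email"})),
        Breach(frozenset({"first_name", "last_name", "card_number"})),
        Breach(frozenset({"first_name", "last_name", "card_number", "security_code"})),
        Breach(frozenset({"email", "password"})),
    ]
    for s in samples:
        t = triage(s)
        print(sorted(s.fields), "->", t.notify, "|", t.reason, "|", t.methods, "|", t.excluded)
```

The helper only answers the New Jersey question as quoted; it does not model other states' triggers, encryption safe harbors, or regulator notice, so treat it as one row in a multi-jurisdiction triage matrix rather than a complete decision.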

In addition to the changes brought by the Amendment, New Jersey has additional pending legislation that would further change the privacy and security landscape for companies operating in New Jersey:

  • A-4902: this bill would allow New Jersey consumers to opt out of the collection of personally identifiable information ("PII") by Internet websites or online service providers that operate for a commercial purpose ("operators"), and would also impose notification requirements on those operators.  The bill lists examples of PII, including name, age, race, gender, sexual orientation information, religious information, or political information.  (For those of you following Europe, this definition of PII is aligned with the broader definition of personal data found in the GDPR.)  The bill would also require the operator to provide customers, free of charge, a list of all data collected and the third parties with which that data is shared.
  • A-4974: this bill focuses on mobile devices and geolocation tracking, requiring additional notices to the end user to ensure she is adequately informed of what information is actually being collected and which third parties have access to it.  Further, the end user must opt in to the collection of geolocation data (again, harking to the language of the GDPR).  
  • A-4978: this bill addresses the collection and processing of children's school data, placing restrictions on how an online educational service may use K-12 students' data.  While there is some overlap with COPPA and FERPA, the bill is drafted to exempt activities already covered by those federal laws.

Overall, New Jersey, like many of its neighbors and fellow states, is taking a hard look at its data privacy and security regulations and taking action.  Companies doing business in New Jersey need to pay particular attention to these nuanced changes to ensure they are adequately informing end users of their data collection practices and providing the necessary transparency in all data transactions.  The first step is understanding your data (what you collect, where it lives, and whether credentials are stored alongside names) and the architecture of the systems that process it.  That inventory is what lets you decide, quickly and defensibly, whether an incident meets the amended definition and how the affected individuals may be notified.  And, in this area, luck favors the prepared!