On May 10, 2019, Governor Phil Murphy signed into law a bill that expands businesses’ notification requirements in the wake of the growing incidence of cybersecurity breaches. This law, which passed unanimously in both the Senate and the Assembly, broadens the types of information whose theft triggers the requirements that notices of data breaches be given, and makes special provision for how that notice can be given.
New Jersey requires that “businesses” notify their “customers” of a breach of security of computerized records that include the customers’ “personal information.” Before passage of the new law, New Jersey defined “personal information” as an individual’s social security and driver’s license numbers, as well as credit card numbers and their associated security or access codes. Under the new law, “personal information” now also includes the individual’s user name, email address, or any other identifying information, such as a password or security question and answer, that would permit access to an online account.
When a data breach leads to the theft of only these new types of “personal information,” businesses can comply with the notification requirements by directing the customers to promptly change their passwords or security questions and answers, or to take any other necessary steps to protect their online accounts. However, there are a couple of caveats, such as if the business provides email accounts to customers, the notice cannot be given via the email account that is a subject of the breach.
The new law amends the New Jersey Consumer Fraud Act, and willful knowing and reckless violations of the law’s requirements can result in penalties of $10,000 for the first offense, $20,000 for further offenses and triple damages in a civil suit brought by a customer.
While the changes that this law brings are somewhat modest, and as its unanimous passage by the legislature indicates, uncontroversial, this is only the first of many cybersecurity bills that New Jersey may consider. There appears to be an appetite for additional cybersecurity legislation, and there are a number of other bills currently under consideration. We will continue to monitor these bills as they make their way through the legislature, and we will update you accordingly.
If you have a question about how this new law affects your business, or would like to discuss ways to protect your business in light of other cybersecurity laws and bills, contact Robert T. Egan at 856-354-3079, or firstname.lastname@example.org, or any other member of Archer’s Data Privacy and Cybersecurity Group.