State Report: New NJ Data Breach Notification Legislation Signed

Legislation expanding the types of personal data that will trigger a required notification to customers in case of a breach, including email addresses and passwords, was signed into law by Gov. Phil Murphy.

The online breach bill, S52, was signed on May 10, 2019.

With his signature, New Jersey joins California, Alaska, Iowa, South Carolina, Virginia and West Virginia with the new online standards to combat the growing menace of data breaches.

Existing law required businesses and public entities that compile digital information to notify consumers of breaches involving personal information, such as Social Security numbers, driver's license numbers, or credit and debit card information.

The new law amends those standards to include usernames, email addresses, and any passwords or security questions and answers that would permit access to an online account.

The legislation amends the Consumer Fraud Act. Penalties that apply to a willful, knowing and reckless violation of the notification requirements are: $10,000 for the first offense and $20,000 for the second and any subsequent offense; and treble damages in a civil suit.

Sen. Troy Singleton (D-Burlington) said it's intended to bolster consumers' rights to privacy and protection and instill a greater sense of security.

“With online databases and private account information being hacked so frequently now, consumers are more vulnerable to exposure and harm,” said Singleton, primary sponsor of S-52 in the Senate with Sen. Nia Gill (D-Essex), in a statement. “When a data breach occurs and sensitive or confidential protected data is accessed or disclosed without authorization, we have a right to know.”

The new law requires that breach alerts be provided to New Jersey resident consumers through written or electronic notice. If the business or entity demonstrates that the cost of providing notice would exceed $250,000, or that the number of affected consumers exceeds 500,000, or if the business or public entity does not have sufficient contact information, a substitute notice would include an email notice, a posting of the notice on the business or entity's website, as well as notification to major statewide media.

The bill's sponsors had companies with huge customer databases in mind when amending the current law after a year of high-profile data breaches. Breach victims included Marriott/Starwood Hotels, a subsidiary of Marriott International, whose data breach reportedly may have exposed personal information of up to 500 million guests. The hotel company said that an unauthorized party had four years of access to the Starwood guest reservation database, which contained guest information — including names, addresses, phone numbers, email addresses, passport numbers, date of birth, reservation dates, and credit and debit card information.

Other large companies such as Yahoo, Ebay, Equifax and Target have also been victims of data breaches in the past several years.

Under the new law, if breaches occur, consumers would have the opportunity to change their online account information quickly and monitor for potential identity theft, according to Assemblyman Ralph Caputo (D-Essex), who sponsored companion bill A-3245 in the Assembly with Assemblywoman Carol Murphy (D-Burlington).

“Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and expose consumers to identity theft,” Caputo said in a statement.

The bill passed both chambers with relative ease after being introduced in early 2018. The full Senate approved it Jan. 31 by a 39-0-1 vote, and the Assembly passed it 76-0-0 on Feb. 25.

“Data breaches are an unfortunate effect of the technological age in which we live,” Assemblywoman Murphy said: “The reality is, many people give out their personal information when shopping or doing business online without a second thought.

“When those breaches inevitably occur, we have to make sure those potentially impacted have the chance to take steps to secure their information,” she said.

*****

Suzette Parmley is the Trenton Correspondent who covers the N.J. Supreme Court, N.J. Legislature and Business of Law for the New Jersey Law Journal, an ALM sibling of Cybersecurity Law & Strategy. Prior to joining ALM, she spent a decade and a half at The Philadelphia Inquirer, mostly on the Business Desk as Atlantic City Gaming Writer, Trenton Statehouse Correspondent, and Retail Columnist/Reporter. Suzette is a five-time winner of the Business Financial Writing Portfolio Award given out annually by the New Jersey Press Association. She is a graduate of the Fels Center of Government at the University of Pennsylvania. She can be reached at [email protected] or follow her on Twitter @SuzParmley.