New Jersey's Expansion on Data Breach Notification Requirements

New Jersey's Expansion on Data Breach Notification Requirements

Currently, New Jersey’s data breach notification law requires businesses to notify consumers of a breach of personal information that includes first name or first initial and last name linked with any one or more of the listed data elements:

-          Social Security number;

-          Driver’s license number or State identification card number;

-          Account number or credit card number, in combination with any required security code, access code, or password that would permit access to a financial account.

The current law requires businesses and public entities to notify consumers of breaches by written notice or electronic notice, as long as the notice is consistent with the E-SIGN Act.

Effective September 1, 2019, the law will be expanded to include:

-          User name, email address, or any other account holder identifying information, in combination with a password or security question and answer that allows access to an online account.

Businesses or public entities who experience a breach involving user name or passwords, in combination with any password or security question and answer that allows access to an online account, may notify affected individuals via electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, or to take steps to protect the online account with the business or public entity, in addition to other accounts for which they use the same user name.

For breaches involving email accounts, a business or public entity may not provide notice of the breach via the compromised email account. Notice must be provided by another method described in the law, or by clear and conspicuous noticed delivered to the individual online when they connect to the online account from an IP address or online located from which the business or public entity knows the individual usually accesses the account.

If you have any questions or concerns about the expansion of New Jersey’s data breach notification law, please do not hesitate to reach out to the Employment and Labor Practice Group at Laddey, Clark & Ryan, LLP: Thomas N. Ryan Esq. (tryan@lcrlaw.com), Ursula H. Leo, Esq. (uleo@lcrlaw.com), Jessica A. Jansyn, Esq. (jjansyn@lcrlaw.com), or Nicole C. Tracy, Esq. (ntracy@lcrlaw.com). Our attorneys can also be reached by phone at (973) 729-1880.