New Jersey
|
Click here to review text of state statute (see N.J. Stat., Title 56, §56:8-161 et seq.) |
Information Covered / Important Definitions
Information covered:
Personal information of New Jersey residents.
Definition also includes:
- Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
- User name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
Important definitions:
“Security Breach” means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method of technology that renders the personal information unreadable or unusable.
Note: Retail establishments in New Jersey are also regulated by the New Jersey Personal Information and Privacy Protection Act, which governs collection and use of personal information, and provides fines and a private right of action for violations.
Covered Entities* / Third Party Recipients
Subject to statute:
Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information.
Third party recipients:
Any covered entity that maintains computerized records containing personal information on behalf of another business or public entity must notify such other business or public entity of any security breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
- Notice not required if the covered entity establishes that misuse of the information is not reasonably possible. Such determinations must be documented in writing and retained for five (5) years.
Notice for breaches involving user name or password, in combination with any password of security question and answer ONLY (and no other personal information):
- Covered entities may provide notification in electronic or other form that directs the consumers whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the business or public entity and all other online accounts for which the consumer uses the same user name or email address and password or security question or answer
- Any business or public entity that furnishes an email account shall not provide notification to the email account that is subject to the breach. Notice shall be provided by another method described in the statute or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an IP address or online location from which the business or public entity knows the consumer customarily accesses the account.
Other obligations:
Any covered entity that must notify more than 1,000 consumers at one time of a security breach is also required to notify consumer reporting agencies of the security breach without unreasonable delay.
Any business or public entity must destroy or arrange for destruction any customer records within its custody or control containing personal information which it no longer needs by shredding, erasing or otherwise modifying the personal information so that it is unreadable, undecipherable or nonreconstructable through generally available means.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted or secured by any other method or technology that renders the personal information unreadable or unusable.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of covered entity for a legitimate business purpose so long as personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the New Jersey statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the New Jersey statute.
Notification to Regulator / Waiver
Division of State Police in the Department of Law and Public Safety must be notified prior to notification to customers.
A determination of no likelihood of harm:
Does not require notification to Attorney General.
Private Cause of Action / Enforcement
Private Cause of Action: No*.
*A private cause of action is available under the New Jersey Personal Information and Privacy Protection Act (applies only to retail establishments).
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute (see N.J. Stat., Title 56, §56:8-161 et seq.) |