New Jersey Assembly Approves Expanded Definition of Personal Information Requiring Breach Notifications

The New Jersey Assembly unanimously approved a bill that broadens the types of personal data that call for the sending of notifications to consumers in case of a data breach.

According to the New Jersey breach notification rules, businesses and public organizations need to notify consumers in the event of a breach exposing the following information:

  • Social Security number
  • Driver’s license number
  • Bank account number or credit/debit card details, including a password or code which allows the account to be accessed

The amendment to the requirements of the New Jersey data breach notification provision of the Consumer Fraud Act extends the definition of personal information to include email addresses and usernames together with a password or answers to security questions that will enable the account to be accessed.

Ralph Caputo (D-Essex) sponsored the bill (A-3245), which was recently approved by the Senate with a 37-0 vote and the Assembly with a 76-0 vote. The Senate and Assembly passed a similar bill, S-52, in 2018, yet state governor Chris Christie did not sign the amendment into law. Present state governor Phil Murphy is expected to sign the bill.

The bill fixes a loophole in present laws that would let businesses avoid notification of consumers when there has been a breach of online data. When there is a breach of online accounts, criminals could get access to an array of sensitive data that may be misused for identity theft and other types of fraud. If consumers are notified, they could take steps to prevent harm.

According to the new law, consumers may get breach notifications by mail or email. If the cost of issuing notifications would be more than $250,000 or if there are over 500,000 persons affected by a breach, a substitute breach notice could be issued. In these cases, breach victims must be emailed a breach notice, in addition to the posting of a breach notice being placed in a highly visible place on the company’s webpage.

However, if a company or public organization provides an email account, it is prohibited to issue email notices to breached accounts. The notice must be delivered by other means, such as providing a warning behind the login page to the service so that users can see it when they log into their account using an IP address or from a location formerly used to access their account.

Any company or public organization discovered to have intentionally violated state data breach notification rules may be issued a fine amounting to as much as $10,000 for a first offense and as much as $20,000 for succeeding offenses. People who have sustained ascertainable losses because of a data breach are permitted to take legal action against the company to recover damages.