February 27, 2015 Practice Points

New Jersey Legislators Seek to Expand Data Breach Notification

The N.J. Data Security Law requires companies that conduct business in New Jersey to notify New Jersey residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized party.

By Nancy A. Del Pizzo

New Jersey legislators advanced a bill to expand notification requirements in the event of a data breach affecting New Jersey residents. The bill, Assembly No. 3146, passed on December 15, 2014, by a vote of 75–0 and was referred to the Senate Commerce Committee where it has not yet been addressed. The Assembly bill seeks to expand the definition of "personal information" under N.J.S.A. § 56:8-163. (N.J. Data Security Law). (A similar bill, S2188, was introduced in the New Jersey Senate.)

The N.J. Data Security Law requires companies that conduct business in New Jersey to notify New Jersey residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized party. "Personal information" is defined as:

[a]n individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

N.J.S.A. § 56:8-161.

The Assembly bill addresses the apparent growth in consumer use of the internet in that, if passed, it will expand the definition to include a "(4) user name email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." See Assembly Bill No. 3146, State of New Jersey (216th Legislature).

The bill does not amend or change the requirement that prior to notifying any customers of a data breach, a New Jersey business must first notify the Division of State Police in the Department of Law and Public Safety for its own investigation or handling. N.J.S.A. § 56:8-163.

Keywords: intellectual property, litigation, Data Breach, Security Breach, New Jersey, Privacy

Nancy A. Del Pizzo is with Podvey, Meanor, Catenacci, Hildner, Cocoziello & Chattman, P.C., in Newark, New Jersey, and New York, New York.


Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).

Nancy A. Del Pizzo – February 27, 2015