New Jersey legislators advanced a bill to expand notification requirements in the event of a data breach affecting New Jersey residents. The bill, Assembly No. 3146, passed on December 15, 2014, by a vote of 75–0 and was referred to the Senate Commerce Committee where it has not yet been addressed. The Assembly bill seeks to expand the definition of "personal information" under N.J.S.A. § 56:8-163. (N.J. Data Security Law). (A similar bill, S2188, was introduced in the New Jersey Senate.)
The N.J. Data Security Law requires companies that conduct business in New Jersey to notify New Jersey residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized party. "Personal information" is defined as:
[a]n individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
N.J.S.A. § 56:8-161.
The Assembly bill addresses the apparent growth in consumer use of the internet in that, if passed, it will expand the definition to include a "(4) user name email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." See Assembly Bill No. 3146, State of New Jersey (216th Legislature).
The bill does not amend or change the requirement that prior to notifying any customers of a data breach, a New Jersey business must first notify the Division of State Police in the Department of Law and Public Safety for its own investigation or handling. N.J.S.A. § 56:8-163.
Keywords: intellectual property, litigation, Data Breach, Security Breach, New Jersey, Privacy