In light of several large-scale breaches of late, the New Jersey General Assembly is taking steps to enhance the state’s data breach notification requirements. In late February, Assembly Bill 3245 (AB 3245), introduced by Assembly Members Ralph Caputo and Carol Murphy, was unanimously approved by both the Assembly and the Senate, and is now headed to Governor Phil Murphy for signing. In short, if signed, AB 3245, would require businesses to notify consumers of online account security breaches.
New Jersey’s data breach notification law requires businesses to notify consumers of a breach of their personal information. Currently the law defines personal information as an individual’s first name or first initial and last name linked with any one or more of the following data elements:
- Social Security number;
- driver’s license number or State identification card number;
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
AB 3245 would add to the above list of data elements:
- user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
This amendment would keep New Jersey in line with other states that have similarly enhanced their data breach notification laws to address online breaches, including Alabama, Arizona, California, Florida, Illinois, Nebraska, Nevada, South Dakota and Wyoming.
“Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and expose consumers to identity theft,” said Caputo (D-Essex). “If an individual’s personal information has become unwillingly available to someone else, they have the right to know as quickly as possible.”
New Jersey is on the forefront of consumer privacy and security law with other related bills recently introduced including AB 4902, which creates new obligations for commercial entities whose online website or services are accessed by individuals, and AB 7974 that regulates the use of a customer’s GPS data. Be on the look out for our full update on some of New Jersey’s other initiatives, coming later this week.