The Garden State has been updating its data privacy and security laws, and you may be wondering why. On October 28, 2018, Attorney General Gurbir S. Grewal and the New Jersey State Police announced statistics on the effects of data breaches on New Jersey residents in 2017. Based on that report, here are some interesting data points:
- Reported breaches affecting NJ residents increased 41% from 2016 to 2017 (676 to 958). Remember, these are only reported breaches. Yes, not all breaches are reported, reported properly, or are even discovered.
- Business sectors most often involved in breaches include finance/banking and health services, followed by business services and retail trade. Other areas include education, restaurants, industrial/manufacturing, hotels, non-profits, non-medical insurance, and telecommunications.
- Phishing attacks were the most common method used to breach the security of an organization’s information systems, followed by website malware, employee incidents, unauthorized email access, and ransomware. It is unclear from the report whether these are listed in any particular order. Importantly, note that with phishing attacks, unauthorized email access, and ransomware, employees very likely play a role in making the attacks successful. That is, employees typically are not intentionally causing these attacks, but they are duped into clicking a link or entering information that helps out the bad guys. Training and awareness are critical.
- The New Jersey Attorney General’s Office’s enforcement activities resulted in $4.8 million in civil settlements with the State.
The announcement also included some tips individuals can take to better protect sensitive personal and business information. Notably, the announcement states that:
this effort is part of a broader effort by Attorney General Grewal to strengthen the state’s cybersecurity protections, and follows an announcement earlier this year of the creation of a Data Privacy & Cybersecurity Section within the Division of Law (DOL) to investigate data privacy cases and advise state agencies on related matters.
The tips offered by the NJ Division of Consumer Affairs are directed at individual consumers, but organizations and businesses certainly could adopt them and require their employees to follow some or all of these best practices:
- Avoid clicking on e-mail links or attachments from unknown individuals, financial institutions, computer services or government agencies. To check out the message, go to the sender’s legitimate public website, and use the contact information provided.
- Choose a strong password containing letters, numbers and symbols. If a website offers two-factor authentication security, use it.
- Before disposing of any electronic device, wipe the hard drive using specialized software that will overwrite your information.
- Avoid free Wi-Fi, especially for health, financial, and other personal transactions.
Similar efforts are underway in many states, as personal information and confidential business information either continue to be under attack or are maintained without adequate safeguards. Organizations need to monitor these developments and strengthen their administrative, physical, technical, and organizational defenses.