Amendment to Breach Statute
In the absence of Federal legislation addressing a breach compromising personal information, let alone the protection of that information, states are continuing to fill the void. On Friday, May 10, 2019,¹ New Jersey amended its breach notification statute, expanding the definition of “personal information,” which would trigger a breach notice obligation.
Specifically, the state definition of “Personal Information” (or “PI”) was amended to include:
- user name,
- email address,
- any other account holder identifying information,
in each case, in combination with any password or security question and answer that would permit access to an online account.²
As such, this amendment recognizes that not only a financial account but any online account (e.g., a social media account or email account) holds valuable PI that, if compromised, would cause the individual harm.
The manner of notice to be given was further (and logically) amended to provide that if the breach was of an email account managed by the breached entity, the entity cannot provide notice to the impacted individuals by sending an electronic notice to the compromised account. Instead, notice must be provided in another manner permitted by the statute. N.J.S. 56:8-163.
For businesses, there is more to come in New Jersey. Pending legislation, if adopted, will require any entity that controls, processes, uses and/or stores PI of New Jersey residents to take reasonable measures to protect that information.³
Businesses that hold PI regarding New Jersey residents should expect that some version of a law that requires businesses to take measures to protect PI, and not “merely” to be reactive, giving notice of a breach, will be adopted before year end.
¹ The amendments will be effective as of September 1, 2019.
² Already, PI, under the NJ breach notification statute, includes: “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” N.J.S. 56:8-161.
³ The working draft of this legislation is still being revised, but at present, it further expands “personal information” beyond this amendment to the breach notification statute’s definition to include biometric data (e.g., fingerprints, etc.).