On May 10, 2019, Governor Phil Murphy signed into law an amendment to the New Jersey Consumer Fraud Act which expands the data breach notification requirements of entities that compile digital personal information.1
First, under the new law, the definition of “personal information” has now been expanded to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.”2 Previously, “personal information” had only been defined to include first name or initial and last name linked to one or more of the following: i) a social security number; ii) driver’s license number; and iii) account, credit card, or debit card numbers in combination with any required security code, access code, or password that permits access to an individual’s financial account.
Second, under the new law, if an entity suffers a data breach exposing the newly added categories of personal information (usernames, passwords, and answers to security questions), then the entity is required to expeditiously notify its affected customers, through written or electronic notice, that their account information has been compromised and that passwords and answers to security questions should be changed immediately.3 However, if a customer’s email address is subject to the data breach, an entity cannot provide notice of the breach to that customer via their impacted email address and must otherwise clearly and conspicuously notify the customer.4
Third, the new law does not modify any of the existing notification requirements under the New Jersey Consumer Fraud Act. To that end, and prior to any disclosure to affected customers, an entity which suffered a data breach has an obligation to notify the Division of State Police in the Department of Law and Public Safety so they might begin an investigation.5 Once that has occurred, and if the data breach affects more than one thousand (1,000) people, an entity is required to promptly notify all consumer reporting agencies that aggregate consumer data into a national database.6 Finally, however, if the entity can demonstrate that i) providing notice to all customers affected would cost more than two-hundred and fifty thousand dollars ($250,000.00), ii) the breach affected more than half a million (500,000) customers, or iii) the entity does not have sufficient contact information for its affected customers, it can post a notice on the entity's website as well as notify major statewide media.7
Fourth, penalties remain unchanged under the new law, as willful, knowing, and reckless violations of the notification requirements will result in a ten thousand dollar ($10,000) fine for the first offense, and a twenty thousand dollar ($20,000) fine for the second and any subsequent offense.
The new amendments to the New Jersey Consumer Fraud Act will take effect on June 14, 2019. Companies impacted by these amendments should consider the potential impact on their current policies and procedures. If you have any questions, please contact one of this Alert's authors: Michael P. O'Mullan at momullan@riker.com, Labinot Alexander Berlajolli at lberlajolli@riker.com or Daniel J. Parziale at dparziale@riker.com.
Riker Danzig's Cybersecurity & Data Privacy Partners:
Brian E. O’Donnell
Michael P. O’Mullan
Maura C. Smith
Samuel P. Moulthrop
Robert J. Schoenberg
Lance J. Kalik
Jason D. Navarino
Anthony J. Zarillo, Jr.
Zahid N. Quraishi
______________________
1 L. 2005, c. 226, § 10 amending N.J.S.A. §56:8-161 and N.J.S.A. §56:8-163, respectively.
2 The new definitions were added to the definition of “personal information” under N.J.S.A. §56:8-161.
3 See L. 2005, c. 226, § 12 amending N.J.S.A. §56:8-163(g)(1).
4 See L. 2005, c. 226, § 12 amending N.J.S.A. §56:8-163(g)(2).
5 See N.J.S.A. §56:8-163(c)(1).
6 See N.J.S.A. §56:8-163(f).
7 See N.J.S.A. §56:8-163(d)(3).