Data Breach Law in New Jersey, Stringent Punishments

February 10, 2022 | 4 minutes read
Data Breach Law in New Jersey, Stringent Punishments

N.J. Stat. §§ 56:8-161, 163, 165 – 166, also known as the Data Breach Notification Statute, is a data breach notification law that was passed in the U.S. state of New Jersey in 2005. N.J. Stat. §§ 56:8-161, 163, 165 – 166 establishes both the protocol that business entities and organizations within the state of New Jersey are required to adhere to in the event that a security or data breach occurs, as well as the punishments that can be imposed against individuals and entities that are found to be in violation of the law. To this send, N.J. Stat. §§ 56:8-161, 163, 165 – 166 provides residents of New Jersey with an avenue for recourse should their personal information be compromised following a data breach.

How is a security breach defined under N.J. Stat. §§ 56:8-161, 163, 165 – 166?

Under New Jersey’s Data Breach Notification Statute, a security breach is defined as the “unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.” Alternatively, the “disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.”

What are data breach notification requirements under N.J. Stat. §§ 56:8-161, 163, 165 – 166?

Much like other security breach notification legislation that has been passed at the U.S. state level in the past decade, N.J. Stat. §§ 56:8-161, 163, 165 – 166 mandates that business entities and organizations provide residents of the state with data breach notifications in the event that such an incident occurs. These notifications must be provided to residents of the state of New Jersey without unreasonable delay, and must be consistent with the legitimate needs of law enforcement, as well as any measures that have been taken by the affected entity to determine the scope and severity of the breach. Furthermore, affected entities are also responsible for providing residents with information concerning the steps that have been taken to restore the reasonable integrity of the data system in which the breach occurred.

Moreover, business entities and organizations that experience a data breach within the state of New Jersey are also required to provide notice “to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.” Additionally, if a data breach incident affects more than 1,000 residents within New Jersey, the entity or organization that experienced the breach is also responsible for providing notice to the three major credit reporting agencies within the U.S. (TransUnion, Equifax, and Experian), without unreasonable delay.

What categories of personal information are covered under N.J. Stat. §§ 56:8-161, 163, 165 – 166?

Under N.J. Stat. §§ 56:8-161, 163, 165 – 166, the following categories of personal information are protected should a data breach occur, in combination with a New Jersey resident’s first name or first initial and last name:

In terms of the enforcement of N.J. Stat. §§ 56:8-161, 163, 165 – 166, the provisions set forth in the law are enforced by the New Jersey Attorney General. With this being said, the New Jersey Attorney General has the authority to impose the following sanctions and penalties against agencies, business entities, and organizations within the state that are found to be in non-compliance with the law:

To further illustrate the potential severity of the punishments that can be imposed against business entities and organizations within the state of New Jersey that fail to comply with the provisions established in N.J. Stat. §§ 56:8-161, 163, 165 – 166, U.S. technology company Vizio was ordered to pay $2.2 million to the Federal Trade Commission or FTC and the State of New Jersey in 2017, as well as $915,940 in civil penalties and $84,060 in legal and investigative costs. These fines were imposed after it was discovered that Vizio had collected the viewing history of 11 million Smart Televisions without first obtaining consent. Vizio then sold this viewing history data to various marketing companies and data brokers.

Through the enactment of N.J. Stat. §§ 56:8-161, 163, 165 – 166 in 2005, New Jersey residents were provided with legal protection as it concerns the unauthorized disclosure of personal information relating to security breaches. While every state and major territory within the U.S. has passed some form of data breach notification legislation as of 2022, many of these laws have yet to result in any major enforcement action. As such, the case of Vizio in 2017 provides national notice to business entities and organizations around the U.S. as it pertains to the legal requirements that must be upheld under the provisions of New Jersey’s Data Breach Notification Statute.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »