Data Breach Law in New Jersey, Stringent Punishments
N.J. Stat. §§ 56:8-161, 163, 165 – 166, also known as the Data Breach Notification Statute, is a data breach notification law that was passed in the U.S. state of New Jersey in 2005. N.J. Stat. §§ 56:8-161, 163, 165 – 166 establishes both the protocol that business entities and organizations within the state of New Jersey are required to follow in the event of a security or data breach, and the punishments that can be imposed on individuals and entities found to be in violation of the law. To this end, N.J. Stat. §§ 56:8-161, 163, 165 – 166 provides residents of New Jersey with an avenue for recourse should their personal information be compromised in a data breach.
How is a security breach defined under N.J. Stat. §§ 56:8-161, 163, 165 – 166?
Under New Jersey’s Data Breach Notification Statute, a security breach is defined as the “unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.” The statute also provides an exception: the “disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.”
What are data breach notification requirements under N.J. Stat. §§ 56:8-161, 163, 165 – 166?
Much like other security breach notification legislation passed at the U.S. state level in the past decade, N.J. Stat. §§ 56:8-161, 163, 165 – 166 mandates that business entities and organizations notify residents of the state when such an incident occurs. These notifications must be provided to residents of the state of New Jersey without unreasonable delay, and must be consistent with the legitimate needs of law enforcement and with any measures taken by the affected entity to determine the scope and severity of the breach. Furthermore, affected entities are also responsible for informing residents of the steps taken to restore the reasonable integrity of the data system in which the breach occurred.
Moreover, business entities and organizations that experience a data breach within the state of New Jersey are also required to provide notice “to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.” Additionally, if a data breach incident affects more than 1,000 residents within New Jersey, the entity or organization that experienced the breach is also responsible for providing notice to the three major credit reporting agencies within the U.S. (TransUnion, Equifax, and Experian), without unreasonable delay.
What categories of personal information are covered under N.J. Stat. §§ 56:8-161, 163, 165 – 166?
Under N.J. Stat. §§ 56:8-161, 163, 165 – 166, the following categories of personal information are protected should a data breach occur, in combination with a New Jersey resident’s first name or first initial and last name:
- Social security numbers.
- Driver’s license numbers.
- State identification card numbers.
- Account numbers, credit card numbers, debit card numbers, as well as any linked security codes, access codes, or passwords that could be used to permit unauthorized access to an individual’s financial account.
The provisions of N.J. Stat. §§ 56:8-161, 163, 165 – 166 are enforced by the New Jersey Attorney General, who has the authority to impose the following sanctions and penalties on agencies, business entities, and organizations within the state that are found to be in non-compliance with the law:
- Civil action.
- Substantial monetary fines that must be paid to the state of New Jersey.
- Requiring that a particular entity or organization destroy personal data.
- “Corrective Action Plans including cyber-security reforms.”
To further illustrate the potential severity of the punishments that can be imposed on business entities and organizations within the state of New Jersey that fail to comply with the provisions established in N.J. Stat. §§ 56:8-161, 163, 165 – 166, U.S. technology company Vizio was ordered in 2017 to pay $2.2 million to the Federal Trade Commission (FTC) and the State of New Jersey, as well as $915,940 in civil penalties and $84,060 in legal and investigative costs. These fines were imposed after it was discovered that Vizio had collected the viewing history of 11 million smart televisions without first obtaining consent. Vizio then sold this viewing history data to various marketing companies and data brokers.
Through the enactment of N.J. Stat. §§ 56:8-161, 163, 165 – 166 in 2005, New Jersey residents were given legal protection against the unauthorized disclosure of personal information in security breaches. While every state and major territory within the U.S. has passed some form of data breach notification legislation as of 2022, many of these laws have yet to result in any major enforcement action. As such, the 2017 Vizio case serves as national notice to business entities and organizations around the U.S. of the legal requirements that must be upheld under the provisions of New Jersey’s Data Breach Notification Statute.