New Jersey Amends Its Data Breach Notification Law

On May 10, 2019, New Jersey Governor Phil Murphy signed into law P.L.2019, c.95, amending the previous data breach notification requirements of the Consumer Fraud Act and expanding the types of personal data that will trigger a required notification to customers in the event of a breach. Under P.L.2019, c.95, “personal information” that triggers consumer breach notification obligations now includes “username, email address or any other account holder identifying information, in combination with any password or security questions and answer” that would permit access to an online account.[1]

Under N.J.S. 56:8-161, breach notification was required pursuant to disclosure of the following information: “an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.” Importantly, as supplemented by the recent amendment, breach notification requirements will no longer be limited to breaches of financial accounts.

P.L.2019, c.95 also changed the manner in which businesses and public entities must notify consumers of the breach. In the event of a breach involving a “user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information,” the responsible entities may provide notification via electronic or other form that would enable a customer to take appropriate steps to protect their online account.[2] In the event of a breach of an email account, a responsible entity shall not provide notice to the compromised email account.

The amendment did not affect the penalties under the Consumer Fraud Act, which apply for willful, knowing and reckless violation of the notification requirements: $10,000 for the first offense and $20,000 for the second and any subsequent offense; and treble damages in a civil suit.


  1. P.L.2019, c.95

  2. Id. (emphasis added)