Years ago you would only read about a data breach once in a blue moon; it was the rare exception. A significant breach is still uncommon for any single business, but as the world has moved to become fully digital, reading about one is no longer like finding a four-leaf clover. Every business must anticipate the possibility of a data breach: the question is less “if” than “when”, and how large it will be.
All companies that collect personally identifiable information of consumers (financial information is considered personal information) are subject to the data breach notification rules of each state in which the persons whose data was collected reside. Under New Jersey Rev Statute Sec. 56:8-163, if you sell products or services to a person located in New Jersey and your systems (whether maintained by you or on your behalf by a third party) are compromised, then you are required to provide various notices to the affected individuals and to certain state agencies. A brief summary follows.
What constitutes Personal Information? Personal information (“PI”) means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data. It is important to note that the definition of personal information is broadly construed – the goal of the statute is to protect affected individuals and thus, if certain information is disclosed but other information listed in the definition of Personal Information is not, the state will very likely take the position that breach notification is nonetheless required.
What constitutes a Breach of Security? A breach of security (“Breach”) is any unauthorized access to electronic files, media or data containing PI that compromises the security, confidentiality or integrity of that PI, where the PI was not secured by encryption or by any other method or technology that renders it unreadable or unusable.
What are your obligations?
Investigation and Notice to the Authorities: In the event of a Breach, an investigation is required. The entity must notify the Division of State Police in the Department of Law and Public Safety. The Division will conduct an investigation and, if it is determined necessary, refer the matter to other law enforcement authorities.
Notice to your Customers: If the investigation concludes that PI was, or is reasonably believed to have been, accessed by an unauthorized party, notice must be given to the affected customers “in the most expedient time possible and without unreasonable delay consistent with the legitimate needs of law enforcement… and restoring reasonable integrity of the data system”.
Notice: Notice may be given by (1) written notice; (2) electronic notice, as long as certain guidelines are followed; or (3) “substitute” notice (conspicuous posting on the Internet or via major statewide media) where it is determined that the cost of notice to individual consumers would exceed $250,000, or the number of individuals to be notified exceeds 500,000.
What should the notice state? While there are no specific requirements in New Jersey, the Notice should provide a description of the circumstances of the Breach, what has been done to resolve the Breach, and what a consumer can reasonably do to protect themselves.
For more information, go to: https://www.cyber.nj.gov/data-breach-notifications/