New Jersey Enacts Provisions Regarding Disclosure of Online Security Breach
The state of New Jersey has recently enacted provisions regarding the disclosure of a security breach of an online account, effective September 1, 2019.
The state of New Jersey requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information. Notification of a breach provides a consumer with the opportunity to quickly change online account information to prevent outside access to the account, and puts a consumer on notice to monitor for potential identity theft.
The provisions define “breach of security” as unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
Under current law, businesses and public entities in New Jersey are required to disclose breaches involving certain types of personal information. These are listed as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
This bill adds new types of information to the list of data that if compromised would require a disclosure of the breach. These additional data are user names, email addresses, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account. The bill states that in the case of a breach involving a user name or password, in combination with any password or security question and answer that would permit access to an online account, the business or public entity may provide the notification in electronic or other form that directs the customer to promptly change any password and security question or answer, or to take other steps to protect the online account. However any business or public entity that furnishes an email account shall not provide notification to the email account that is subject to a security breach.
Zachary Pearlstein, JD, is a Regulatory Compliance Director with CLA's Mortgage Advisory Division. He joined CLA on January 1, 2014, as part of its acquisition of Bankers Advisory, Inc. Zachary oversees Mortgage Advisory's regulatory compliance team, which focuses on federal and state compliance, fair lending, and the Home Mortgage Disclosure Act (HMDA). He is a graduate of Brandeis University and earned his juris doctor at Suffolk University Law School. He is admitted to the Massachusetts Bar.
Comments are closed.