NJ Amends State Consumer Fraud Act to Expand Businesses’ Responsibilities in the Event of an Electronic Data Breach

Governor Phil Murphy signed into law P.L. 2019, c.95, which amends the New Jersey Consumer Fraud Act (Act) to expand businesses’ notification requirements in the event of a data breach. The amendments went into effect on September 1, 2019.

The Current Law

Under the current law,[1] businesses that operate in New Jersey – including nonprofit corporations – have a legal obligation to notify their customers when there is a breach of security with respect to the businesses’ electronic records that contain customers’ personal information. The following definitions apply:

  • A “customer” means a person who provides personal information to a business.
  • A “breach of security” is the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” where the information has not been encrypted or otherwise rendered unusable by the actor who breached security. However, if the information is accessed in good faith and for a legitimate business purpose by an employee or agent of the business, then there is no breach.
  • “Personal information” is an individual’s first initial or name and last name linked with at least one of the following data elements: a Social Security number, a driver’s license number or State identification card number, or a financial account number or credit/debit card number combined with a code or password that allows someone to access the account or card.

If a breach occurs, a business must first notify the State Police. After the State Police determines that disclosure of the security breach will not compromise its investigation and so informs the business, the business must then notify any customer in New Jersey whom the business reasonably believes has been affected by the breach. The business has to notify those customers as expediently as possible. It can do so by a variety of methods, such as written notice or substitute notice, including notice by email.

If the business determines that it is not reasonably possible that the breach will result in any misuse of information, it does not have to notify customers, but it must confirm its determination in writing and keep the written determination on file for five years.

A willful, knowing, or reckless violation of the Act could result in penalties of up to $10,000 for the first offense and up to $20,000 for each additional offense. A business might also be liable for treble (triple) damages if a customer decides to bring a civil lawsuit.

What Changed When the Amendments Took Effect on September 1, 2019?

The amendments broaden the definition of “personal information” by adding a new data element to the definition: a “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.”

The amendments also add two provisions relating to how a business should notify its customers of a security breach:

  • If a breach results in the unauthorized access to a user name or password, in combination with any password or security question and answer that would allow access to an online account, but no access to other personal information, then the business may provide notice that directs affected customers to promptly change their usernames, passwords, and other account access information.
  • If the business furnishes email accounts to its customers and a breach results in the unauthorized access to personal information that would allow access to the email accounts, then the business cannot provide notice of the breach to its customers via the compromised email accounts. Instead, the business must provide notice by (1) one of the normal notice methods set forth in the Act[2] or (2) a clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from either a recognized internet protocol address or an online location from which the business knows the customer customarily accesses the account.

For a more detailed description of the notification requirements, you can refer directly to the relevant provisions of the Act (see footnote 1 above). To learn more about cybersecurity and privacy laws in Connecticut, New Jersey, and New York, see our primer at https://www.probonopartner.org/publications/privacy-identity-theft-information-security-laws-for-nonprofits. For further questions about the Act and data breaches, please contact Alexandra Kilduff from Pro Bono Partnership at 973-240-6955 ext. 305.

This document is provided as a general informational service to volunteers, clients, and friends of Pro Bono Partnership. It should not be construed as, and does not constitute, legal advice on any specific matter, nor does distribution of this document create an attorney-client relationship.

IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of: (i) avoiding penalties under the Internal Revenue Code or any other U.S. federal tax law; or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein.

[1] The relevant sections of the Act, as amended, are set forth in N.J.S.A. 56:8-161 to -166. To read those sections, go to https://lis.njleg.state.nj.us/nxt/gateway.dll?f=templates&fn=default.htm&vid=Publish:10.1048/Enu and enter “56:8-161” in the search box.
[2] Under the Act, notice may be provided by one of the following methods:

  1. Written notice;
  2. Electronic notice; or
  3. Substitute notice, if the business demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000, or the business does not have sufficient contact information. Substitute notice consists of all of the following:
    1. E-mail notice when the business has an e-mail address (bearing in mind that the business cannot use the compromised email accounts described above);
    2. Conspicuous posting of the notice on the Internet web site page of the business, if the business maintains one; and
    3. Notification to major statewide media.

See N.J.S.A. 56:8-163(d).