Amendments to NJ Identity Theft Prevention Act: All NJ Businesses Must Comply
On May 10, 2019, Governor Phil Murphy signed into law amendments (New Jersey S52) to the New Jersey Identity Theft Prevention Act (Act). The Act generally requires New Jersey businesses and public entities to take various steps to protect the private “personal information” they collect from customers, employees, and other individuals. Businesses and public entities must minimize the risk of identity theft by, among other things, keeping Social Security numbers confidential and destroying customer records that contain personal information that is no longer necessary. The Act also requires such businesses and public entities to notify affected New Jersey residents of any breach of security of such personal information.
Prior to the amendments, “personal information” was defined under the Act to mean an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state-issued identification card number; or (3) account number or credit or debit card number, in combination with any required security or access code or password. Under the amendments, the definition was expanded to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” The expansion of the definition is significant, since an “online account” is an extremely broad category of potential accounts an individual may have, ranging from gym and other membership and activity accounts, to social media accounts, to school and college online accounts, to credit card and financial accounts, and more.
If a security breach occurs involving personal information of an individual, the Act requires the business or entity to take certain steps to alert the affected individuals and to notify the appropriate authorities in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. Notice may generally be provided in writing or by electronic means. The sponsors of the bill noted that the addition of online account information to the definition of personal information will “provide consumers with the opportunity to quickly change online account information to prevent outside access to the account, and puts a consumer on notice to monitor for potential identity theft.”
The amendments also provide that if a breach involves a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, the business or public entity may provide the notification in electronic or other form that directs the individual to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account and all other online accounts for which the individual uses the same user name or email address and password or security question or answer. The amendments also prohibit any business or public entity that furnishes an email account from providing notification to the email account that is the subject of the security breach. Instead, the business or public entity must provide notice by another method or by clear and conspicuous notice delivered to the individual online when the individual is connected to the online account from an Internet Protocol address or online location from which the business or public entity knows the individual customarily accesses the account.
Since the Act contains severe penalties for willful, knowing, and reckless violations of the law, it is incumbent on every New Jersey business to implement or update policies and procedures necessary to comply with the Act.
If you need more information or assistance in preparing or updating your Identity Theft Prevention Policy or any other privacy and security policies, please contact:
Lani M. Dornfeld, CHPC│973.403.3136│firstname.lastname@example.org