Legislative Alert: New Jersey Enacts Legislation to Expand Disclosure of Online Data Breaches
On May 10, 2019, New Jersey enacted Senate Bill 52 (SB 52). This bill, which will take effect on September 1, 2019, will require disclosure of data breaches that impact usernames, email addresses, and/or other account holder identifying information belonging to residents of the Garden State when combined with any password or security questions and answers.
Previously, businesses and public entities that compiled data belonging to New Jersey residents were required to notify consumers of breaches involving “personal information,” defined to include only Social Security numbers, driver’s license numbers, and/or account, credit card, or debit card numbers in combination with a security code or password necessary for access.
SB 52 will expand New Jersey’s definition of “personal information” to include additional types of data. Specifically, the newly added types of data that will define “personal information” include usernames, email addresses, and any passwords or security questions and answers that would permit access to an online account.
SB 52 will also allow businesses to electronically notify affected consumers of data breaches involving only a username or password, in combination with a password or security question and answer that would allow access to an online account, provided that the notice does not affect any other “personal information” as defined above. Such a notification must instruct the residents on how to change their passwords or take other steps to protect their online accounts. Other methods of notification previously allowed by statute are still applicable and can be utilized for such incidents.
Lastly, SB 52 will prohibit any business or public entity that furnishes an email account from providing notice of an incident to the same affected email account. Instead, the business or public entity will have to notify the user through another method or "provide a clear and conspicuous notice delivered to the consumer online while he or she is connected to the online account" from an IP address or location the business knows the consumer connects from regularly.
With this expanded list of triggering information requiring notification of security breaches, there will be an increased responsibility for businesses serving New Jersey residents to vigilantly notify affected residents of security breaches.