N.J. Stat. Ann §§ 56:8-161,-163,-165 |
---|
Type of Data Covered | Deadline for Notification | Government Notice |
---|---|---|
Electronic. | Most expedient time possible and without unreasonable delay. | Yes – Notify the Division of State Police if any resident is notified. |
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
Definition of Personal Information |
|
Definition of Breach |
Unauthorized access to unencrypted or unredacted electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic. |
Encryption Safe Harbor |
Statute does not apply to information that is encrypted, or secured by any other method or technology that renders it unreadable or unusable. |
Risk of Harm Analysis |
Notification is not required if the entity determines that misuse of the personal information is not reasonably possible. Determination must be documented in writing and retained for five years. |
Consumer Notice Requirements |
Timing: Must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system. Method:
An entity that furnishes an email account cannot provide notice to the user via the same affected email account but must provide notice by another approved method or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an IP address or online location from which the entity knows the consumer customarily accesses the account. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of notice would exceed $250,000, or that the affected class of persons exceeds 500,000 or the entity does not have sufficient contact information. Substitute notice must include all of the following:
|
Delayed Notice Requirements |
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation or civil investigation and request that it be delayed. |
Government Notice Requirements |
Before notifying residents, must report the breach and related information pertaining to it to the Division of State Police in the Department of Law and Public Safety. |
Third Party Notice Requirements |
If covered information is maintained on behalf of another entity, the entity must be notified immediately following discovery of a breach. |
Consumer Reporting Agency Obligations |
If more than 1,000 residents are notified, the entity must notify all nationwide credit reporting agencies without unreasonable delay as to the timing, distribution, and content of consumer notices. |
Potential Penalties |
Violations may result in civil penalties and other remedies. |
Notification Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties for applicable government agencies. |
Last updated: January 2024