New Jersey Data Breach Notification Statute Summary

N.J. Stat. Ann. §§ 56:8-161, -163, -165

 

  • Type of Data Covered: Electronic.
  • Deadline for Notification: Most expedient time possible and without unreasonable delay.
  • Government Notice: Yes – Notify the Division of State Police if any resident is notified.

 

Subject Entities

Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.

Definition of Personal Information

  1. First name or first initial and last name linked with any one or more of the following data elements:
    • Social Security number;
    • Driver’s license or state identification card number;
    • Account, credit or debit card number, in combination with any required security or access code or password permitting access to an individual’s financial account; or
    • Usernames, email addresses, or any other account holder information in combination with any password or security questions and answers that would permit access to an online account.
  2. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

Definition of Breach

Unauthorized access to unencrypted or unredacted electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information, excluding certain good faith acquisitions.

Type of Data Covered

Electronic.

Encryption Safe Harbor

Statute does not apply to information that is encrypted, or secured by any other method or technology that renders it unreadable or unusable.

Risk of Harm Analysis

Notification is not required if the entity determines that misuse of the personal information is not reasonably possible. Determination must be documented in writing and retained for five years.

Consumer Notice Requirements

Timing: Must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.

Method:

  1. By written notice or electronic notice if consistent with E-SIGN.
  2. If the breach involves usernames or email addresses in combination with a password or security question and answer that allows access to an online account, and does not involve any other personal information, notice may be made by email or other form directing the resident to change the password and security question or answer, or take other steps to protect the account(s) where the resident uses the same username or email address and password, or security question, or answer.

An entity that furnishes an email account cannot provide notice to the user via the same affected email account but must provide notice by another approved method or by clear and conspicuous notice delivered to the consumer online when the consumer is connected to the online account from an IP address or online location from which the entity knows the consumer customarily accesses the account.

Substitute Notice Requirements

Substitute notice may be provided if the cost of notice would exceed $250,000, the affected class of persons exceeds 500,000, or the entity does not have sufficient contact information.

Substitute notice must include all of the following:

  • Email notice, when the entity has an email address;
  • Conspicuous posting on the entity’s web site, if it maintains one; and
  • Notification to statewide media.

Delayed Notice Requirements

Notification may be delayed if law enforcement determines that notice will impede a criminal or civil investigation and requests that it be delayed.

Government Notice Requirements

Before notifying residents, the entity must report the breach and related information pertaining to it to the Division of State Police in the Department of Law and Public Safety.

Third Party Notice Requirements

If covered information is maintained on behalf of another entity, that other entity must be notified immediately following discovery of a breach.

Consumer Reporting Agency Obligations

If more than 1,000 residents are notified, the entity must notify all nationwide credit reporting agencies without unreasonable delay as to the timing, distribution, and content of consumer notices.

Potential Penalties

Violations may result in civil penalties and other remedies.

Notification Requirements for Government Agencies

Please see the statute for specific requirements and/or penalties for applicable government agencies.

 

Last updated: January 2024