The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statue
Covered Entities: Any individual, business, private or public entity which “compiles or maintains computerized records” that contain personal information.
Consumer Notification: Notification to customers required when “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
Regulatory Notification: To the Division of State Police in advance of disclosure to any NJ resident.
Notification Timeline: “[I]n the most expedient time possible and without unreasonable delay…” while also considering the “measures necessary to determine the scope of the breach and restore reasonable integrity” of computer systems.
Data Format: Electronic.
Citations: N.J. Stat. Ann. §§ 56:8-161 to 163
- Breach: Unauthorized “access to electronic files, media, or data containing personal information that compromises the security, confidentiality or integrity of personal information” that is not encrypted or rendered “unreadable or unusable.”
- Personal information (PI): A person’s first name or initial and last name “linked with any one or more of the following data elements”
- Social Security number
- Driver’s license number or State identification card number
- “Account number or credit or debit card number” along with a password or code permitting access to the person’s financial account
- “Username, email address, or any other account holder identifying information” together with a password or security question permitting access to the person’s online account
- “Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connected with access to the dissociated data”
- Does not include information that is publicly available after lawful posting from federal, state, or local government records, or “widely distributed media.”
- Encryption: There is no breach of personal information when that data was “secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
- Good Faith: Statute does not apply when the PI is acquired “by an employee or agent of the business for a legitimate business purpose” as long as the PI is “not used for a purpose unrelated to the business or subject to further unauthorized disclosure.”
- Risk of Harm: Notification to consumers not required if “misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.”
- Law Enforcement Delay: Notification shall be delayed if a law enforcement agency determines that the notification will impede a criminal or civil investigation
- Public Record: Notification is not required where there is a breach of information about an individual where such information has been lawfully made public by a federal, state, or local government record or a widely distributed media
- Timing: “Most expedient time possible and without unreasonable delay” consistent with “any measures to determine the scope of the breach and restore the reasonable integrity of the system.”
- Format: N/A
- Content: N/A
- Written notice
- Electronic notice
- Substitute notice
If notification costs exceed $250,000 or more than 500,000 must be notified, or there is not sufficient contact information, substitute notice may be made by satisfying all of the following: (a) Email notice when there is a known email address; (b) Conspicuous posting on the website; and (c) Notification to major Statewide media
For a breach involving a username or password allowing access to an online account, but no other personal information, notification may be made electronically or other form directing the customer to promptly change their “password and security question or answer” or take other steps to secure the online account and any other account with the “same username or email address or password or security question or answer.”
To the Division of State Police in advance of disclosure to the person.
Credit Reporting Agencies Notice:
If over 1,000 persons, credit reporting agencies must be notified of the “timing, distribution and content of the notices.”
A private or public entity that has computerized personal information on behalf another private or public entity shall notify that private or public entity, who shall notify its New Jersey customers, immediately after discovering that “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
Information Security Standard
Information Security (Retail Only)
Covered Entities: Any retail establishment that scans a New Jersey-issued driver's license, probationary license, or non-driver photo identification card, or any similar card issued by another state or the District of Columbia for purposes of identification or permitting its holder to operate a motor vehicle.
First Party Security Standard: Retail establishments are not permitted to maintain information scanned for Permitted Purposes paragraphs (1) or (2). Any scanned information for Permitted Purposes paragraphs (3) through (8) retained by a retail establishment pursuant to this statute shall be securely stored. Information collected by scanning a person's identification card shall be limited to the person's name, address, date of birth, the State issuing the identification card, and identification card number.
Third Party Security Standard: No retail establishment shall sell or disseminate to a third party any information obtained pursuant to this section for any purpose, including marketing, advertising, or promotional activities, except dissemination as permitted by Permitted Purposes paragraphs (3) through (8) of subsection b. of this section; provided, however, that nothing in this subsection shall be construed to prevent an automated return fraud system from issuing a reward coupon to a loyal customer.
Disposal/Destruction Standard: This is not defined.
Data Format: This is not defined.
Data Breach Notification: Any breach of the security of the information shall be promptly reported to the Division of State Police in the Department of Law and Public Safety and any affected person, in accordance with section 12 of P.L.2005, c. 226 (C.56:8-163).
Citations: NJ ST 56:11-53 through 56:11-55.
- Permitted Purposes: A retail establishment shall scan a person's identification card only for the following purposes:
- to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
- to verify the person's age when providing age-restricted goods or services to the person;
- to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
- to prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
- to establish or maintain a contractual relationship;
- to record, retain, or transmit information as required by State or federal law;
- to transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the federal “Fair Credit Reporting Act,” 15 U.S.C. s.1681 et seq., “Gramm–Leach–Bliley Act,” 15 U.S.C. s.6801 et seq., and the “Fair Debt Collection Practices Act,” 15 U.S.C. s.1692 et seq.; or
- to record, retain, or transmit information by a covered entity governed by the medical privacy and security rules pursuant to Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the “Health Insurance Portability and Accountability Act of 1996,” Pub.L.104–191.
Methods of Compliance:
This is not defined.
This is not defined.
Any person who violates the provisions of this act shall be subject to a civil penalty of $2,500 for a first violation and $5,000 for any subsequent violation. The penalty prescribed in this section shall be collected in a civil action by a summary proceeding pursuant to the “Penalty Enforcement Law of 1999,” P.L.1999, c. 274 (C.2A:58–10 et seq.).
In addition to the penalties described in this section, any person aggrieved by a violation of this act may bring an action in Superior Court to recover damages.