As the result of recent legislation, New Jersey residents now have additional rights to privacy and protection when it comes to their online accounts. Effective September 1, companies must disclose data breaches that involve usernames, email addresses and/or other account holder identifying information belonging to residents of New Jersey when that information is combined with any password or security questions and answers. The new law strengthens New Jersey’s earlier breach notification requirements and reflects a growing awareness among consumers and lawmakers of how vulnerable sensitive online information remains.
Previously, businesses and public entities that compiled data belonging to New Jersey residents were required to notify consumers of breaches involving “personally identifiable information” (PII) -- defined to include only Social Security numbers, driver’s license numbers, and/or account, credit card or debit card numbers -- in combination with a security code or password necessary for access. However, this new law will broaden New Jersey’s definition of PII to include additional types of data. Specifically, usernames, email addresses, and any passwords or security questions and answers that would permit access to an online account are now considered part of the protected class of PII.
The new statute will also allow businesses to electronically notify affected consumers of data breaches involving only a username or password, in combination with a password or security question and answer that would allow access to an online account, provided that the notice does not affect any other “personal information” as defined above. Such a notification must instruct the residents on how to change their passwords or take other steps to protect their online accounts. With that said, other methods of notification previously allowed by statute are still applicable and can be utilized for such incidents.
Further, the legislation prohibits any business or public entity that furnishes an email account from providing notice of an incident to the same affected email account. Instead, the business or public entity will have to notify the user through another method or “provide a clear and conspicuous notice delivered to the consumer online while he or she is connected to the online account” from an IP address or location the business knows the consumer connects from regularly.
A welcome step for consumers, the new law underscores the diligence that companies must take to understand what type of online data they maintain, as well as the importance of protecting that data. For more information, please feel free to contact Connell Foley’s Cybersecurity and Data Privacy Group.