On May 7, 2018, New Jersey Attorney General Gurbir Grewal announced the formation of a new civil enforcement unit focused on enforcing laws that protect the data privacy and cybersecurity of New Jersey residents. The Data Privacy & Cybersecurity (DPC) Unit has the authority to enforce laws and regulations as well as bring civil suits against violators.
According to the press release issued by the Office of the Attorney General, this unit is an attempt to “double-down” on efforts exerted to protect the interests of the residents of New Jersey. The unit will collaborate with the State Police’s Division of Consumer Affairs by managing investigations and instituting related civil litigation when residents become victims of data breaches, unauthorized collection, use and dissemination of personal information, and other misfeasance related to cyber-interests of residents. It will also be the civil companion to the Financial & Computer Crimes Bureau, a section within the Division of Criminal Justice.
The DPC will assume responsibility for the ongoing Facebook/Cambridge Analytica investigation, which is reported to have affected 1.6 million users in New Jersey. The aspirations of this unit are to build upon past successes of the Office of the Attorney General in data privacy. Examples include the 2017 settlement with health giant Horizon Health Care Services, which suffered a data breach impacting thousands of New Jersey residents. Currently, the Office of the Attorney General is undertaking the process of evaluating candidates to staff the DPC and, as of now, no Section Chief has been named.
With the announcement of this new section, New Jersey takes a critical step in the right direction. As the federal government lags with regard to comprehensive legislation and agency designation to handle cyber-related crimes and civil harms, the impetus currently falls on the individual states to take action—as cyber adversity is simply getting worse. Pairing this new unit with a comprehensive piece of legislation, New Jersey can produce an effective course of action that acts both preemptively and reactively towards wrongs committed to the data privacy interests of New Jersey citizens.
Cyber malfeasance is, by its nature, a borderless issue—as the current split in federal circuit courts regarding standing in data breach litigation highlights—in dire need of resolution. Yet, for the time being, actions such as this by New Jersey remind us of the continued relevance of the Tenth Amendment to the United States Constitution and the role that the individual states may have to sheriff an otherwise wild-west-like area of law. Battles of preemption are likely to follow, but at least New Jersey’s citizens can perhaps find solace in knowing that there will be increased efforts to protect their data privacy and security interests and remedies available for those who become victims.