A bill that would provide companies with an affirmative defense for certain data security incidents has been introduced this term in the New Jersey Legislature. The bill follows legislation already passed in other states (Utah, Ohio and Connecticut) by providing an affirmative defense for entities that create and maintain a written cybersecurity program that reasonably conforms to industry standards.
Known as a “safe harbor,” this legislation aims to provide a defense to entities operating in New Jersey whose cybersecurity programs address the following issues:
- Breaches of the security and confidentiality of “personal information” (as defined by N.J.S.A. 56:8-161), such as social security numbers or email addresses;
- Any anticipated threats to the protection or integrity of personal information, restricted information or both, such as phishing attacks or social engineering; and
- Unauthorized access to and acquisition of personal information, restricted information, or both, that is likely to result in a “material” risk of identity theft or other fraud to the affected individual.
Additionally, the proposed bill addresses the scope of an entity’s security program. A compliant program will account for the following items:
- Size and complexity of the entity involved;
- Nature and scope of the entity’s activities (i.e., the extent and detail of the collection of personal or restricted information);
- The sensitivity of the information to be protected;
- Cost and availability of tools to improve information security and reduce vulnerabilities; and
- The resources available to the entity.
Furthermore, the Director of the Division of Consumer Affairs, within the Department of Law and Public Safety, will be empowered to review and deem satisfactory the cybersecurity programs created by entities operating within New Jersey. The program must reasonably conform to industry-approved frameworks such as NIST SP 800-171, SP 800-53 and SP 800-53A; FedRAMP; the ISO/IEC 27000 series; or the Center for Internet Security Critical Security Controls for Effective Cyber Defense publication.
If the entity is also covered by federal legislation or regulation (e.g., HIPAA or GLBA), or by an industry-regulated framework such as PCI DSS (for payment cards), compliance with the most current version of those requirements may also satisfy the requirements under this law, opening the door to an affirmative defense in court without a prior determination of compliance by the Director of the Division of Consumer Affairs.
The bill does not create a private right of action, including class actions, and calls for regulations to be promulgated by the Division of Consumer Affairs. Overall, adoption of this legislation would incentivize organizations operating in New Jersey to adopt reasonable cybersecurity best practices and, in return, avoid the costly data breach litigation that often follows an incident.
“Restricted information” is defined as: “any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.”