[BreachExchange] New Jersey’s Anticipated Expansion of Data Breach & Privacy Laws

Destry Winant destry at riskbasedsecurity.com
Fri Mar 15 09:01:12 EDT 2019


An amendment to New Jersey’s data breach notification requirements of
the Consumer Fraud Act is currently awaiting signature by State
Governor Phil Murphy.  The bill, Assembly No. 3245, was recently
passed by both the New Jersey Senate and Assembly.  If signed into law
as expected, the amendment will expand the definition of personal
information to include “user name, email address, or any other account
holder identifying information, in combination with any password or
security question and answer that would permit access to an online
account.”  In turn, it would require businesses to notify consumers of
online account security breaches – thereby eliminating a business’s
ability, under the current law, to avoid notifying consumers when
there is a breach of online information.  The bill’s statement
indicates that its purpose is to provide consumers with the
opportunity to quickly change online account information to prevent
outside access to online accounts, and to put consumers on notice to
monitor for potential identity theft.

In addition to Assembly Bill No. 3245, two other bills have been
introduced in New Jersey and both address the State’s focus on privacy
protections.  Assembly Bill 4902 requires commercial Internet websites
and online services to notify customers of the collection and
disclosure of personally identifiable information and to allow
customers to opt out.  Specifically, the bill requires any person or
entity that owns an Internet website or online service to provide on
its Internet website or online service a notification that includes:
(1) a complete description of the personally identifiable information
that is collected; (2) all third parties with whom a customer’s
personally identifiable information may be disclosed; and (3)
information concerning one or more designated request addresses that a
customer may use to request information under the bill.  The bill also
requires that Internet websites or online service homepages include a
link, entitled “Do Not Sell My Personal Information”, which enables a
customer to opt out of the disclosure of personally identifiable

Assembly Bill 4974 requires any person or entity that owns a mobile
device application that collects and maintains user global positioning
system (“GPS”) data to notify users about how GPS data is disclosed
and allow users to opt in to disclosure.  Specifically, the bill
requires notification, prior to a customer activating a mobile device
application, of the following: (1) a complete description of the user
GPS data that will be collected through the mobile device application;
(2) all third parties to whom the user GPS data may be disclosed; and (3)
the length of time the user’s GPS data will be retained.  In addition,
the bill requires the operator to allow a user to opt in to the
disclosure of the user’s GPS data.

If signed into law, the above bills will create additional
notification and compliance obligations for entities that collect,
use, store or disclose what is defined as “personal information” under
Assembly Bill No. 3245, “personally identifiable information” under
Assembly Bill 4902 and “GPS data” under Assembly Bill 4974.  Companies
impacted by these bills should be vigilant about monitoring the state
of this legislation and consider the potential impact on their current
policies and procedures.
