[BreachExchange] New Jersey Data Breach Notification Law

Destry Winant destry at riskbasedsecurity.com
Thu Sep 19 10:13:22 EDT 2019


As of Sept 1st, 2019, businesses based in New Jersey are now required
to notify impacted users of online account information exposed in a
data breach.  Because of this amended law, New Jersey residents are
now better protected from the risk associated with account takeover.

The amendment specifically includes data elements that would allow a
criminal to fraudulently access a customer’s online account and commit

New Jersey’s previous data breach notification law requires all
businesses to notify impacted users after a data breach that includes:

- Driver’s license number
- State identification card number
- Social Security number
- Account number with access code
- Credit card number with access code
- Debit card number with access code

The New Jersey governor signed legislation (AB 3245) in March that
extended the definition of “personal information.” The amendment went
into effect on September 1st, and the definition now includes:

- An email address
- A user name
- Combined with a password
- And/or security questions and answers

According to National Law Review, other states that treat these
identifiers as “triggering” their breach notice statutes include
Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska,
Nevada, Puerto Rico, South Dakota, and Wyoming.

“New Jersey has now become the 11th state to update its data breach
notification law to specifically address online breaches. This is a big
win for consumers and reinforces the need for organizations to better
secure their environments and protect their users from account
takeover,” said Michael Greene, CEO of Enzoic. “Since so many data
breaches include user-name and password combinations, screening for
compromised credentials is now a must-have, not a nice-to-have.”

Increasingly, states are considering adopting similar legislation to
better protect state residents in the absence of federal law. As more
states put these state laws into effect, it calls into question why
the United States does not have more federal legislation around
personal information and privacy.
