On December 15, 2014, the New Jersey Assembly voted 75-to-0 to advance a bill that would expand the existing data breach notification requirements for companies doing business in the state. The bill, A3146, would broaden the type of information that, if compromised, would trigger a company’s obligation to notify customers of the breach. The proposal now heads to the Senate, where a similar bill, S2188, has been pending in the Commerce Committee since June.
If enacted, the bill would expand the definition of “personal information” to include a customer’s “user name or email address, in combination with any password or security question and answer that would permit access to an online account.” The current definition already includes a customer’s (1) Social Security number; (2) driver’s license or State identification card number; and (3) account, debit, or credit card number, in conjunction with any required access code or password that would permit access to an individual’s financial account. Under the current law, if data falling into any one of these three categories is illegally accessed, along with an individual’s first name or initial and last name, the company must disclose the breach to the customers affected.
With this proposed update, New Jersey lawmakers are recognizing that individuals are increasingly using online accounts to store sensitive and potentially valuable data. If hackers obtain the credentials to access such accounts, that data may be stolen and used to the detriment of the account holders. As the spate of recent corporate data breaches has shown, businesses of all sizes are increasingly being targeted by more sophisticated hackers, and the risk of a data breach is growing every day. Therefore, in addition to protecting against such security breaches before they occur, it is imperative that companies doing business in New Jersey are aware of the steps that should be taken following a data breach, including complying with all applicable data breach notification laws.