NJ Bill to Expand Security Breach Notifications Clears First Legislative Hurdle – By Ron Benvenisti

By Ron Benvenisti. Is it too little too late? In any case, while it’s tougher on businesses and public services, it’s good news for consumers. New Jersey has just updated its security breach notification statute, which was first proposed on April 16, 2007 (39 N.J.R. 1397(a)) and issued slightly less than a year later, on April 7, 2008, as N.J.A.C. 13:45F.

Like many states, NJ followed California’s lead (which enacted the first breach notification law in the country in 2002) albeit 6 years later.

http://www.njconsumeraffairs.gov/adoption/dcado47.htm

Our state is now fully up to date with the key additions to the NJ statute. Following California’s and other states’ recent revisions to their original statutes, NJ now includes email addresses, passwords and other security info such as PIN numbers and questions such as mother’s maiden name, car, best friend, school, birthplace, etc., which are also subject to theft.

An Assembly panel on Thursday approved the additional legislation sponsored by Assembly Democrats Troy Singleton, Ralph Caputo, Mila Jasey, Joseph Lagana and Annette Quijano to ensure that consumers are informed of security breaches made to their account.

Summary Statement:

This bill requires businesses and public entities that compile or maintain computerized records that include information that would permit access to an online account to disclose to consumers if there has been a breach of security of that information. Under current law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. This bill adds user names and email addresses, in combination with any password or security question and answer that would permit access to an online account to this list of breaches requiring disclosure.

Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and subject consumers to identity theft. The bill confronts this problem by requiring businesses and public entities that compile or maintain computerized records including online account access information to disclose to consumers when a breach has occurred. This will allow consumers to change their online account information quickly following a breach, and put consumers on notice to monitor for potential identity theft.

Sponsor’s Remarks:

Between 2005 and 2014, there have been 4,695 breaches exposing 633 million records, according to the nonprofit Identity Theft Resource Center. The average cost of a breach to an organization is estimated at $3.5 million. Ouch! Many businesses, when found to be non-compliant, can now be forced into bankruptcy and out of business.

The statute brings more teeth to the original with required audits and a business’ responsibility for liabilities caused by sub-contractors and contracted vendors who will also be subject to stricter enforcement by a variety of agencies under the auspices of the Attorney General; not just the Division of Consumer Affairs.

“Identity theft is one of the fastest growing crimes in the country,” said Singleton (D-Burlington). “What we have learned from the recent security breaches at major retailers is that they can happen anywhere and to virtually any company, large or small. It is essential for consumers to be kept informed of data breaches so that they can take the necessary steps to protect their information.”

The bill (AB 3146) requires businesses and public entities that compile or maintain computerized records that include information to permit access to an online account to disclose to consumers if there is a breach of security of that information.

“Consumer information has become increasingly vulnerable with the popular use of the internet for shopping and banking,” said Caputo (D-Essex). “Immediate and clear notification of company data breaches is critically important to the consumer and the protection of their personal information.”

“Many residents rely on the convenience of online accounts, banking, and credit cards,” said Jasey (D-Essex, Morris). “Timely notification of a security breach is crucial to consumer protection.”

Current law provides that businesses and public entities must disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“While many companies are working to protect consumers’ personal information from identity thieves,” said Lagana (D-Bergen, Passaic). “This bill underscores the importance of notifying consumers as soon as possible if their personal information is at risk of identity theft.”

“Swift notification of a data breach will put consumers on alert,” said Quijano (D-Union). “Notification allows consumers to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft.”

The bill adds user names and email addresses, in combination with any password or security question and answer that would permit access to an online account to this list of breaches requiring disclosure.

The bill can be found here: http://www.njleg.state.nj.us/2014/Bills/A3500/3146_I1.HTM

As always, if your business or public entity has any questions or is in need of assistance regarding computer security, you can contact me via LinkedIn for no-cost upfront, no-obligation compliance and security posture services (including some initial hands-on proactive risk analysis and evaluations) for qualifying small to medium-sized businesses and public entities by my A-List team of IT security professionals. I’m just a click away at www.linkedin.com/in/benvenisti/
