May 13, 2019

Data breach reporting bill signed into law

A bill that amends current law in regards to the duty to report data breaches was signed into law by Gov. Phil Murphy on May 10.

The new law, P.L.2019, c.95., requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information.

Under the former law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers; driver’s license numbers; or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual’s financial account. The new law adds user names, email addresses or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure.

The law also provides that when a breach of security involves a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account.

This amended law does not require disclosure of a breach of security to a customer if the business or public entity establishes that misuse of the information is not reasonably possible (i.e., if the data had been encrypted).

The new law will go into effect on Sunday, Sept. 1, 2019.