On May 10, 2019, New Jersey’s governor, Phil Murphy, signed legislation amending the state’s current data breach laws to expand the definition of personal information whose compromise requires consumers to be notified in the wake of a data breach. The law goes into effect on September 1, 2019.
New Jersey residents are required to be notified of a breach regarding their user name, email address, or “any other account holder identifying information, in combination with any password or security question and answer,” within “the most expedient time possible,” and without unreasonable delay. Previously, this kind of notification was only required for Social Security numbers, credit card numbers, and other such information. Notice has to be given in written form, and, in limited circumstances, electronic form.
The State of New Jersey is at the forefront of online consumer protection. New Jersey joins California, Alaska, Iowa, South Carolina, Virginia, and West Virginia with new online standards to combat the growing issue of data breaches. Assemblywoman Carol Murphy discussed the necessity of the law:
“The reality is many people give out their personal information when shopping or doing business online without a second thought. When those breaches inevitably occur, we have to make sure those potentially impacted have the chance to take steps to secure their information.”
The law does provide certain exceptions for these notification requirements. For instance, if a business demonstrates that the cost of providing notice would exceed $250,000.00; that the affected class of persons to be notified exceeds 500,000; or that there is insufficient contact information for the people affected, less stringent notification requirements apply. In those cases, conspicuous posting online, e-mail notifications, and notifications to media sources are deemed sufficient alternative forms of notification.
The new law is an amendment to New Jersey’s Consumer Fraud Act. Under that Act, a willful, knowing, or reckless violation of the notification requirement can result in a fine of $10,000 for the first offense, and $20,000 for any subsequent offense. Moreover, a violation of this requirement will be deemed a violation of the Act, and thus any person who does not receive the notification can file a private cause of action under the Act – and seek an award including triple whatever damages are demonstrated, plus attorney’s fees, if successful. The new notification requirements thus enable another potentially significant area of litigation for consumer attorneys and a significant risk for businesses who are the victims of data breaches.
For more information on this topic, contact MK&C’s Liz Barna.