ASSEMBLY, No. 175

STATE OF NEW JERSEY

214th LEGISLATURE

PRE-FILED FOR INTRODUCTION IN THE 2010 SESSION

Sponsored by:

Assemblyman GARY R. CHIUSANO

District 24 (Sussex, Hunterdon and Morris)

Assemblywoman DENISE M. COYLE

District 16 (Morris and Somerset)

Assemblyman ANTHONY CHIAPPONE

District 31 (Hudson)

Co-Sponsored by:

Assemblywoman McHose

SYNOPSIS

     Enhances duty and broadens liability concerning security of personal information, and response to breach of security, under “Identity Theft Prevention Act.”

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel

An Act concerning the security of certain personal information, and amending and supplementing P.L.2005, c.226.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1. Section 10 of P.L.2005, c.226 (C.56:8-161) is amended to read as follows:

     10. As used in sections 10 through 15 of this amendatory and supplementary act:

     "Breach of security" means unauthorized access to [electronic files, media or data] computerized records, or unauthorized physical custody of computerized records, whether or not accessed, containing personal information [that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable].  Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.

     "Business" means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.

     "Communicate" means to send a written or other tangible record or to transmit a record by any means agreed upon by the persons sending and receiving the record.

     “Computer” means an electronic, magnetic, optical, electrochemical or other high speed data processing device or another similar device capable of executing a computer program, including arithmetic, logic, memory, data storage or input-output operations and includes any computer equipment connected to such a device, computer system, or computer network.

     “Computer equipment” means any equipment or device, including all input, output, processing, storage, software, or communications facilities, intended to interface with a computer.

     “Computer network” means the interconnection of communication lines, including microwave or other means of electronic communication, with a computer through remote terminals, or a complex consisting of two or more interconnected computers.

     “Computer program” means a series of instructions or statements executable on a computer, which directs the computer system in a manner to produce a desired result.

     “Computer software” means a set of computer programs, data, procedures, and associated documentation concerning the operation of a computer system.

     “Computer system” means a set of interconnected computer equipment intended to operate as a cohesive system.

     “Computerized record” means any record, recorded or preserved on any computer, computer equipment, computer network, computer program, computer software, or computer system.

     "Customer" means an individual who provides personal information to a business.

     "Individual" means a natural person.

     "Internet" means the international computer network of both federal and non-federal interoperable packet switched data networks.

     "Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     For the purposes of sections 10 through 15 of this amendatory and supplementary act, personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

     "Private entity" means any individual, corporation, company, partnership, firm, association, or other entity, other than a public entity.

     "Public entity" includes the State, and any county, municipality, district, public authority, public agency, and any other political subdivision or public body in the State.  For the purposes of sections 10 through 15 of this amendatory and supplementary act, public entity does not include the federal government.

     "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.

     "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  Records does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.

(cf: P.L.2005, c.226, s.10)

     2.  Section 11 of P.L.2005, c.226 (C.56:8-162) is amended to read as follows:

     11.  a.  A business or public entity shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person through generally available means.  A business or public entity’s compliance with this subsection shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program.

     b.  A business or public entity shall destroy, or arrange for the destruction of, a customer's records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means.

(cf: P.L.2005, c.226, s.11)

     3.  Section 12 of P.L.2005, c.226 (C.56:8-163) is amended to read as follows:

     12. a. Any business that conducts business in New Jersey [,] or any public entity, that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information [was, or is reasonably believed to have been, accessed by an unauthorized person] is included in those computerized records.  The disclosure to a customer shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection c. of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the [data system.  Disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible] records.  Any determination shall be documented in writing and retained for five years.

     b.    Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity shall notify that business or public entity, who shall notify its New Jersey customers, as provided in subsection a. of this section, of any breach of security of the computerized records [immediately following discovery, if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person].

     c.     (1) Any business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.

     (2)   The notification required by this section shall be delayed if a law enforcement agency determines that the notification will impede a criminal or civil investigation and that agency has made a request that the notification be delayed.  The notification required by this section shall be made after the law enforcement agency determines that its disclosure will not compromise the investigation and notifies that business or public entity.

     d.    For purposes of this section, notice may be provided by one of the following methods:

     (1)   Written notice;

     (2)   Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of the federal "Electronic Signatures in Global and National Commerce Act," Pub.L.106-229  (15 U.S.C. s.7001); or

     (3)   Substitute notice, if the business or public entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business or public entity does not have sufficient contact information.  Substitute notice shall consist of all of the following:

     (a)   E-mail notice when the business or public entity has an e-mail address;

     (b)   Conspicuous posting of the notice on the Internet web site page of the business or public entity, if the business or public entity maintains one; and

     (c)   Notification to major Statewide media.

     e.     Notwithstanding subsection d. of this section, a business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the business or public entity notifies subject customers in accordance with its policies in the event of a breach of security of the system.

     f.     (1)  In addition to any other disclosure or notification required under this section, in the event that a business or public entity discovers circumstances requiring notification pursuant to this section of more than 1,000 [persons] individuals at one time, the business or public entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, as defined by subsection (p) of section 603 of the federal "Fair Credit Reporting Act," Pub.L.91-508 (15 U.S.C. s.1681a), of the timing, distribution and content of the notices.

     (2)  The business or public entity shall also contract with one or more of the consumer reporting agencies receiving notification pursuant to paragraph (1) of this subsection, to provide each affected individual with at least five years of consumer credit monitoring and reporting as prescribed by the federal “Fair Credit Reporting Act,” Pub.L.91-508 (15 U.S.C. s.1681 et seq.).  The business or public entity shall contract for the consumer credit monitoring and reporting at no cost to any individual, and shall not pass through the contracting cost to any individual, as a charge, tax, or in any other manner.

(cf: P.L.2005, c.226, s.12)

     4.  Section 15 of P.L.2005, c.226 (C.56:8-166) is amended to read as follows:

     15.  a.  It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to willfully, knowingly [or], recklessly, or negligently violate sections 10 through 13 of [this amendatory and supplementary act] P.L.2005, c.226 (C.56:8-161 through 56:8-164).

     b.  Any civil penalty authorized and collected pursuant to section 1 of P.L.1966, c.39 (C.56:8-13) for a violation of sections 10 through 13 of P.L.2005, c.226 (C.56:8-161 through 56:8-164), shall be paid to the State Treasurer and credited to the Identity Theft Education Fund created by section 5 of P.L.     , c.    (C.     ) (pending before the Legislature as this bill).

(cf: P.L.2005, c.226, s.15)

     5.  (New section)  a.  There is established in the General Fund a special fund to be known as the Identity Theft Education Fund.  The fund shall be continuing and nonlapsing.  The State Treasurer shall credit to the fund all moneys received by the State for penalties authorized and collected pursuant to section 1 of P.L.1966, c.39 (C.56:8-13) for a violation of sections 10 through 13 of P.L.2005, c.226 (C.56:8-161 through 56:8-164).  The State Treasurer shall administer the fund, and credit to the fund any interest earned on monies in the fund.

     b.  The Division of Consumer Affairs, in the Department of Law and Public Safety, may draw upon the fund to produce materials and provide educational seminars to address issues regarding identity theft as set forth in section 6 of P.L.    , c.    (C.        ) (pending before the Legislature as this bill).

     6.  (New section)  a.  The Director of the Division of Consumer Affairs, in the Department of Law and Public Safety, shall develop and implement an education program to inform the public about issues of identity theft, subject to funds made available pursuant to section 5 of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), or any other source.

     b.    The functions of the program may include, but are not limited to:

     (1)  The preparation of materials regarding identity theft prevention and education, including summaries of the consumer credit monitoring and reporting provisions of the federal “Fair Credit Reporting Act,” Pub.L.91-508 (15 U.S.C. s.1681 et seq.), and the provisions of the State “Identity Theft Prevention Act,” P.L.2005, c.226 (C.56:11-44 et al.), and the distribution of those materials to the appropriate State and county agencies for dissemination to the public; and

     (2)  The underwriting of educational seminars and other forms of educational projects for the benefit of the public.

     7.  This act shall take effect on the first day of the seventh month next following enactment, but the Director of the Division of Consumer Affairs may take any anticipatory administrative action in advance thereof as shall be necessary for the implementation of this act.

STATEMENT

     This bill addresses the security of personal information, such as social security numbers, driver’s license numbers, or financial account numbers, by businesses and public entities.  It enhances the duty of a business or public entity to secure such information and respond to a breach of security, and broadens liability for violating this duty.

     First, the bill requires any business or public entity, when compiling or maintaining computerized records that include personal information, to secure the information by encryption or by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person through generally available means.  This requirement applies to any computer, including a desktop computer or laptop computer, computer equipment, computer network, or computer system, as defined by the bill.  Compliance with this requirement shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection program.

     Second, the bill expands the definition of “breach of security” to include unauthorized access to any computerized records containing personal information, or unauthorized physical custody of such computerized records, whether or not accessed.  The current law addresses a security breach more narrowly as only being an unauthorized access of personal information.  By expanding this definition, the bill broadens the scope of situations in which a business or public entity shall take affirmative steps to notify and protect individuals concerning a breach, such as the physical theft of a computer or other computer device.

     Third, in the event that a business or public entity discovers circumstances of a breach of security, requiring notice to more than 1,000 individuals, the business or public entity shall also contract with one or more consumer reporting agencies, as defined by federal law, to provide each individual with at least five years of consumer credit monitoring and reporting.  The business or public entity shall contract for the services at no cost to any individual, and shall not pass through the contracting cost to any individual as a charge, tax, or in any other manner.

     Fourth, the bill broadens the liability standard for establishing violations by a business or public entity.  Since the existing law protecting personal information adopts the remedies available for violations of the consumer fraud act, P.L.1960, c.39 (C.56:8-1 et seq.), violators are already subject to the wide range of enforcement provisions available under that act, including: civil penalties of not more than $10,000 for a first offense or not more than $20,000 for any subsequent offense; treble damage awards; and attorney's fees and costs of suit.  However, these do not apply unless the violation occurred willfully, knowingly, or recklessly.  The bill broadens the range of legal liability to which these penalty provisions apply by encompassing violations based upon the negligence of the business or public entity.

     Finally, the bill establishes a nonlapsing, special fund within the General Fund, known as the Identity Theft Education Fund.  The State Treasurer shall credit to the fund all civil penalties collected from violators pursuant to section 1 of P.L.1966, c.39 (C.56:8-13) of the consumer fraud act.  The Director of the Division of Consumer Affairs, in the Department of Law and Public Safety, may draw upon this fund to produce materials and provide educational seminars for the public, addressing issues regarding identity theft.