ASSEMBLY, No. 3146

STATE OF NEW JERSEY

216th LEGISLATURE

INTRODUCED MAY 15, 2014

 

 

Sponsored by:

Assemblyman  TROY SINGLETON

District 7 (Burlington)

Assemblyman  RALPH R. CAPUTO

District 28 (Essex)

Assemblywoman  MILA M. JASEY

District 27 (Essex and Morris)

Assemblyman  JOSEPH A. LAGANA

District 38 (Bergen and Passaic)

Assemblywoman  ANNETTE QUIJANO

District 20 (Union)

 

Co-Sponsored by:

Assemblymen DeAngelo, Giblin, Assemblywoman Mosquera and Assemblyman Webber

 

 

 

 

SYNOPSIS

     Requires disclosure of breach of security of online account.

 

CURRENT VERSION OF TEXT

     As introduced.

 

An Act concerning disclosure of breaches of security and amending P.L.2005, c.226.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    Section 10 of P.L.2005, c.226 (C.56:8-161) is amended to read as follows:

     10.  As used in sections 10 through 15 of this amendatory and supplementary act:

     "Breach of security" means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.  Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.

     "Business" means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.

     "Communicate" means to send a written or other tangible record or to transmit a record by any means agreed upon by the persons sending and receiving the record.

     "Customer" means an individual who provides personal information to a business.

     "Individual" means a natural person.

     "Internet" means the international computer network of both federal and non-federal interoperable packet switched data networks.

     "Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; [or] (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (4) user name or email address, in combination with any password or security question and answer that would permit access to an online account.  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     For the purposes of sections 10 through 15 of this amendatory and supplementary act, personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

     "Private entity" means any individual, corporation, company, partnership, firm, association, or other entity, other than a public entity.

     "Public entity" includes the State, and any county, municipality, district, public authority, public agency, and any other political subdivision or public body in the State.  For the purposes of sections 10 through 15 of this amendatory and supplementary act, public entity does not include the federal government.

     "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.

     "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  Records does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.

(cf: P.L.2005, c.226, s.10)

 

     2.    This act shall take effect on the 90th day next following enactment.

 

 

STATEMENT

 

     This bill requires businesses and public entities that compile or maintain computerized records that include information that would permit access to an online account to disclose to consumers if there has been a breach of security of that information.  Under current law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.  This bill adds user names and email addresses, in combination with any password or security question and answer that would permit access to an online account to this list of breaches requiring disclosure.

     Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and subject consumers to identity theft.  The bill confronts this problem by requiring businesses and public entities that compile or maintain computerized records including online account access information to disclose to consumers when a breach has occurred.  This will allow consumers to change their online account information quickly following a breach, and put consumers on notice to monitor for potential identity theft.