ASSEMBLY, No. 311

STATE OF NEW JERSEY

217th LEGISLATURE

 

PRE-FILED FOR INTRODUCTION IN THE 2016 SESSION

 


 

Sponsored by:

Assemblyman  TROY SINGLETON

District 7 (Burlington)

Assemblyman  RALPH R. CAPUTO

District 28 (Essex)

Assemblywoman  MILA M. JASEY

District 27 (Essex and Morris)

Assemblyman  JOSEPH A. LAGANA

District 38 (Bergen and Passaic)

Assemblywoman  ANNETTE QUIJANO

District 20 (Union)

 

Co-Sponsored by:

Assemblymen DeAngelo, Giblin, Assemblywoman Mosquera, Assemblymen Webber and Coughlin

 

 

 

 

SYNOPSIS

     Requires disclosure of breach of security of online account.

 

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel.

  


An Act concerning disclosure of breaches of security and amending P.L.2005, c.226.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    Section 10 of P.L.2005, c.226 (C.56:8-161) is amended to read as follows:

     10.  As used in sections 10 through 15 of this amendatory and supplementary act:

     "Breach of security" means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.  Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.

     "Business" means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.

     "Communicate" means to send a written or other tangible record or to transmit a record by any means agreed upon by the persons sending and receiving the record.

     "Customer" means an individual who provides personal information to a business.

     "Individual" means a natural person.

     "Internet" means the international computer network of both federal and non-federal interoperable packet switched data networks.

     "Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements:  (1) Social Security number; (2) driver's license number or State identification card number; [or] (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (4) user name,email

address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.  Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

     For the purposes of sections 10 through 15 of this amendatory and supplementary act, personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.

     "Private entity" means any individual, corporation, company, partnership, firm, association, or other entity, other than a public entity.

     "Public entity" includes the State, and any county, municipality, district, public authority, public agency, and any other political subdivision or public body in the State.  For the purposes of sections 10 through 15 of this amendatory and supplementary act, public entity does not include the federal government.

     "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.

     "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  Records does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.

(cf: P.L.2005, c.226, s.10)

 

     2.    This act shall take effect on the first day of the fourth month next following enactment.

 

 

STATEMENT

 

      This bill requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information. 

      Under current law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 

      The bill adds user names, email addresses, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure. Notification of a breach provides a consumer with the opportunity to quickly change online account information to prevent outside access to the account, and puts a consumer on notice to monitor for potential identity theft.