Assemblywoman LINDA S. CARTER
District 22 (Middlesex, Somerset and Union)
Assemblyman CLINTON CALABRESE
District 36 (Bergen and Passaic)
Assemblyman WILLIAM W. SPEARMAN
District 5 (Camden and Gloucester)
Requires disclosure of breach of security of geolocation data.
CURRENT VERSION OF TEXT
An Act concerning disclosure of breaches of security and amending P.L.2005, c.226.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. Section 10 of P.L.2005, c.226 (C:56:8-161) is amended to read as follows:
10. As used in sections 10 through 15 of [this amendatory and supplementary act] P.L.2005, c.226 (C.56:8-161 through C.56:8-166):
"Breach of security" means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
"Business" means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.
"Communicate" means to send a written or other tangible record or to transmit a record by any means agreed upon by the persons sending and receiving the record.
"Customer" means an individual who provides personal information to a business.
"Geolocation" means the location of an individual, determined by the location of an electronic device, including, but not limited to, a cellular phone, computer, or tablet.
"Individual" means a natural person.
"Internet" means the international computer network of both federal and non-federal interoperable packet switched data networks.
"Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; [or] (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (4) geolocation. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
For the purposes of sections 10 through 15 of [this amendatory and supplementary act] P.L.2005, c.226 (C.56:8-161 through C.56:8-166), personal information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media.
"Private entity" means any individual, corporation, company, partnership, firm, association, or other entity, other than a public entity.
"Public entity" includes the State, and any county, municipality, district, public authority, public agency, and any other political subdivision or public body in the State. For the purposes of sections 10 through 15 of [this amendatory and supplementary act] P.L.2005, c.226 (C.56:8-161 through C.56:8-166), public entity does not include the federal government.
"Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.
"Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted. Records does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed.
(cf: P.L.2005, c.226, s.10)
2. This act shall take effect on the 90th day next following enactment.
This bill requires entities that compile or maintain computerized records that include geolocation data to disclose to consumers breaches of security of geolocation information.
Under current law, businesses and public entities are required to disclose breaches which involve personal information. Under the bill, “personal information” means an individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number, driver’s license number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The bill adds geolocation data to the list of data elements requiring disclosure in the event of a security breach.