SENATE COMMERCE COMMITTEE

STATEMENT TO

SENATE, No. 52

with committee amendments

STATE OF NEW JERSEY

DATED: MAY 10, 2018

      The Senate Commerce Committee reports favorably and with committee amendments Senate Bill No. 52.

      This bill, as amended, requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information. 

      Under current law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 

      The bill adds user names, email addresses, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure. Notification of a breach provides a consumer with the opportunity to quickly change online account information to prevent outside access to the account, and puts a consumer on notice to monitor for potential identity theft.

      This bill was pre-filed for introduction in the 2018-2019 session pending technical review. As reported, the bill includes the changes required by technical review, which has been performed.

Committee Amendments:

      The committee amendments:

- Provide that when a breach of security involves a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information as defined in section 10 of P.L.2005, c.226 (C.56:8-161), the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account.

- Prohibit any business or public entity that furnishes an email account from providing notification to the email account that is subject to a security breach. The business or public entity must provide notice by another method or by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an Internet Protocol address or online location from which the business or public entity knows the customer customarily accesses the account.