ASSEMBLY FINANCIAL INSTITUTIONS AND INSURANCE COMMITTEE

STATEMENT TO

[First Reprint]

SENATE, No. 52

STATE OF NEW JERSEY

DATED:  DECEMBER 3, 2018

      The Assembly Financial Institutions and Insurance Committee reports favorably Senate Bill No. 52 (1R).

      This bill requires entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information. 

      Under current law, businesses and public entities are required to disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

      The bill adds user names, email addresses, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure. Notification of a breach provides a consumer with the opportunity to quickly change online account information to prevent outside access to the account, and puts a consumer on notice to monitor for potential identity theft.

      The bill also provides that when a breach of security involves a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account.  It also prohibits any business or public entity that furnishes an email account from providing notification to the email account that is subject to a security breach.  The business or public entity must provide notice by another method or by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an Internet Protocol address or online location from which the business or public entity knows the customer customarily accesses the account.

      As reported by the committee, this bill is identical to Assembly Bill No. 3245 (1R) as also reported by the committee.