TRENTON – The Senate Commerce Committee today approved a bill sponsored by Senator Troy Singleton that expands the types of “personal information” that would trigger notification to customers if breached to include online account information. The new requirement would apply to all entities that compile or maintain computerized records.
“With online databases and private account information being hacked so frequently now, consumers are more vulnerable to exposure and harm,” said Senator Singleton (D-Burlington). “When a data breach occurs and sensitive or confidential protected data is accessed or disclosed without authorization, we have a right to know. This bill’s notification requirement puts consumers on alert to monitor for potential identity theft and helps them to quickly change online account information and prevent outside access to the account. This bill will bolster consumers’ rights to privacy and protection and instill a greater sense of security.”
Under current law, businesses and public entities are required to disclose breaches when certain personal information is involved: an individual’s first name or first initial and last name linked with (1) a Social Security number, (2) a driver’s license or State identification card number, or (3) credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. This bill, S-52, would widen the scope of information that, if breached, would require disclosure to include user names, email addresses or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
The bill requires that breach alerts be provided to state resident consumers through written notice or electronic notice. If the business or entity demonstrates that the cost of providing notice would exceed $250,000, or that the number of affected consumers exceeds 500,000, or if the business or public entity does not have sufficient contact information, a substitute notice would include an e-mail notice, a posting of the notice on the business or entity’s website and notification to major statewide media.
When a user name and password are breached in combination with any password or security question and answer, this bill would require that state residents be prompted to stop using their compromised password or other online credential. If the breached elements are an email address and password, the business or entity would not be able to satisfy notice requirements by sending an email to the compromised accounts and would be required to provide a clear and conspicuous notice delivered to the consumer online while he or she is connected to the online account from an IP address or location the business knows the resident connects from regularly.
The data breach law is a supplement to the Consumer Fraud Act, and those penalties apply for willful, knowing and reckless violation of the notification requirements: $10,000 for the first offense and $20,000 for the second and any subsequent offense; and triple damages in a civil suit.
In the previous session, the bill was passed by the Senate (33-0), but pocket vetoed by Governor Christie. Today it was released from the Commerce Committee with a vote of 5-0 and heads to the full Senate for further consideration.