The New Jersey Assembly on December 15 unanimously approved, by a vote of 75-0, a bill designed to better protect consumers from identify theft. Bill A3146, if approved by the Senate, would expand the state’s law to include disclosure of a breach of security of online accounts.
Per the Identity Theft Resource Center, between 2005 and 2014, there have been 4,695 breaches exposing 633 million records. with the cost of a breach to an organization averaging an estimated $3.5 million.
Under the NJ bill, the definition of “personal information” set forth in Section 10 of P.L.2005, c.226 (C.56:8-161) would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account. Currently, the law covers breaches involving a combination of a Social Security number, driver’s license number or State identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The expansion would allow consumers, upon notice of a breach, “to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft,” said one of the bill’s sponsors.
Notably, the New York assembly earlier introduced Bill A10190 which would amend New York’s data breach notification law (NY Gen. Bus. Law 899-aa). The proposed amendment would require entities which conduct business in New York State, and which own or license computerized data which includes private information to develop, implement, and maintain a comprehensive information security program which must be consistent with the safeguards for protection of personal information. The New York amendment would impose requirements nearly identical to those required under Massachusetts law.
Each of these developments should be closely monitored so that companies can ensure compliance.