New Jersey's Identity Theft Prevention Act May Catch You Off-Guard
Karl M. Zielaznicki
If your company does business in New Jersey, new laws taking effect Jan. 1, 2006 may require changes to avoid civil and criminal penalties. Acting Governor Richard J. Codey recently signed numerous privacy-related bills, including the "New Jersey Identity Theft Prevention Act," which requires the notification of consumers after a breach. Lawmakers enacted the bill partly in response to two major security breaches at New Jersey-based companies that led to the disclosure of personal consumer information.
The new law requires companies that conduct business in New Jersey and compile or maintain computerized records that include "personal information," as defined below, to follow these provisions:
Any business that lawfully collects and maintains computerized records containing personal information of New Jersey residents must take all reasonable measures to protect against unauthorized access to, or use of, that information. Companies are required to notify affected consumers if their personal data is compromised; and
Businesses will be limited in the use of Social Security numbers to identify individuals and prohibited from displaying the numbers publicly or using them on printed materials, except where required by law.
The new law defines "personal information" as an individual's first name or first initial and last name, combined with other data. The other data that would trigger the definition is a Social Security number, driver's license number or state ID card number. Account, credit or debit card numbers also would qualify if those numbers could be used without additional identifying information, access codes or passwords.
The law also treats any of the data elements listed above as "personal information" even when it is not combined with an individual's first name, or first initial and last name, if the data is breached in a way that allows a thief to commit, or attempt to commit, identity theft. However, personal information does not include public information disclosed by federal, state or local government officials.
Any New Jersey business that maintains or otherwise possesses "personal information" of New Jersey residents must take all reasonable measures to protect against unauthorized access or use by third parties. Businesses and public entities must implement policies that require the destruction of paper documents and electronic records containing personal information that are no longer used. Outside record-disposal companies may be hired to dispose of such documents and records.
It is recommended that businesses create detailed destruction and disposal policies and include them as official policy in corporate/employee handbooks as well as similar corporate documents.
When policies fail or do not exist, companies are required to report security breaches immediately to the New Jersey State Police. Any company that maintains computerized data that includes personal information that it does not own is required to notify the owner or licensee of the information immediately after the discovery of a breach.
The law defines a security breach as the unauthorized acquisition of any data that compromises the security, confidentiality or integrity of personal information. An employee or agent of a business may access such personal data for a legitimate purpose — as long as the employee or agent does not use the data for a reason unrelated to the business or disclose it for an unauthorized purpose.
But perhaps most important for consumers is the requirement that businesses must provide expedient, written notification to New Jersey residents whose information was disclosed in a breach. The state police or another law enforcement agency may require a delay in notification if it could interfere with an ongoing criminal investigation.
The law also provides for electronic notice if it is consistent with the federal "Electronic Signatures in Global and National Commerce Act." A substitute notice is allowed if the company demonstrates that the cost of providing notice would exceed $250,000, that more than 500,000 people require notification, or that the business lacks sufficient contact information.
Substitute notice is defined generally as:
Email notice when the business entity has an email address for the New Jersey resident whose personal information was affected by the breach;
Conspicuous posting of the notice on the Web site page of the business, if the business maintains one; and
Notification of major statewide media.
If more than 1,000 persons must be notified at any one time, businesses must also immediately notify all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, informing them of the timing, distribution and content of the notices.
The law gives individuals a private right of civil action against the offender to recover damages and/or injunctive relief, costs and reasonable attorney's fees. Each violation carries a maximum civil penalty of $3,000.
In just a few weeks, New Jersey's law will take effect. If companies have not yet grasped the requirements applicable to their business operations, there is an urgent need for an immediate review of relevant policies to assess compliance with the law. Taking proactive measures will avoid unnecessary criminal prosecution for violations and could save business owners millions of dollars in fines, damages and attorney's fees, not to mention the erosion of consumer trust and confidence.
Karl M. Zielaznicki is Counsel at the firm of Troutman Sanders LLP in New York, New York. Zielaznicki is a member of the Intellectual Property Practice Group, specializing in identifying, maintaining and protecting intellectual property assets, especially trademarks. He is also a member of the firm's Privacy and Data Security Team. He can be reached at 212-704-6125 or firstname.lastname@example.org.