New Jersey’s Data Breach Notification Law Went Into Effect on Sept 1 to Include Account Takeover PII Data
As of Sept 1st, 2019, businesses based in New Jersey are now required to notify impacted users of online account information exposed in a data breach. Because of this amended law, New Jersey residents are now better protected from the risk associated with account takeover.
The amendment specifically includes data elements that would allow a criminal to fraudulently access a customer’s online account and commit fraud.
New Jersey’s previous data breach notification law required all businesses to notify impacted users after a data breach that included:
- Driver’s license number
- State identification card number
- Social Security number
- Account number with access code
- Credit card number with access code
- Debit card number with access code
The New Jersey governor signed legislation (AB 3245) in March that extended the definition of “personal information.” The amendment went into effect on September 1st, and the definition now includes:
- An email address
- A user name
- Combined with a password
- And/or security questions and answers
According to National Law Review, other states that treat these identifiers as “triggering” their breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota, and Wyoming.
“New Jersey has now become the 11th state to update its data breach notification law to specifically address online breaches. This is a big win for consumers and reinforces the need for organizations to better secure their environments and protect their users from account takeover,” said Michael Greene, CEO of Enzoic. “Since so many data breaches include user-name and password combinations, screening for compromised credentials is now a must-have, not a nice-to-have.”
Increasingly, states are considering adopting similar legislation to better protect state residents in the absence of federal law. As more states put these state laws into effect, it calls into question why the United States does not have more federal legislation around personal information and privacy.