Businesses must notify customers of breach involving certain personal data — but N.J. has changed what that is

By Brett Johnson
Newark | Jun 17, 2019 at 2:00 am

Social Security numbers, driver’s license numbers, credit card numbers — all those digits that paper shredders love, hackers love, too.

So, when cybercriminals steal those details in a security breach, New Jersey companies have had to disclose it to the people affected.

Now, it takes far less to trigger that obligation.

In May, Gov. Phil Murphy signed into law an amendment that expands the state's existing data breach notification law in a way that businesses across the Garden State need to be ready for.

In the past, companies had to go through the costly process of notifying customers only when a breach compromised "personal information" as the law defined it: a name in combination with one of the data elements the statute listed, such as a Social Security number, driver's license number or financial account number. If a breach didn't involve those elements, there was no strict requirement to notify customers at all.

Under the amended law, the definition of personal information now also covers a user name, email address or any other account holder identifying information, in combination with a password or security question and answer that would permit access to an online account. In other words, a stolen set of login credentials, with no financial or identity data attached, is now enough to trigger notification.

Scott Smedresman, a partner at McCarter & English LLP, said the idea is that these credentials might be used for other services as well, including for online banking accounts.

“There’s an emerging recognition here and around the globe that account access credentials can be just as sensitive as financial information or Social Security numbers,” Smedresman said. “As technology evolves and the way people interact does, we’ve become reliant on the dozens of different online accounts we use to manage every aspect of our lives.”

Smedresman, who represents clients in the tech industry, said there has always been a layer of strict governmental reporting that companies have had to comply with.

But many small businesses that process online transactions through third-party merchants have effectively been shielded from dedicating resources to customer notification after a breach, simply because they were never the ones holding the financial or identifying details; the payment processor was.

“So, they were fairly insulated in the past from these notification laws because they just didn’t hold the kind of data that would trigger an obligation to report a breach,” he said. “Now, an online business of almost any variety is going to face those requirements. It’s generally sending a message that data security is serious even if you’re not a bank or financial institution.”

Aside from altogether avoiding breaches in the first place — a lofty goal in an era when hackers have so many lines of attack — Smedresman is advising businesses that they need to treat user name and password information with the same level of care as more obviously sensitive details.

“This is an opportunity for all of those engaging in online commerce in New Jersey to check on their security standards and make sure they have the best-in-class security features,” he said. “Because, if they do suffer a breach, they’ll be subject to more obligations.”

Following a trend toward more enhanced consumer privacy laws, New Jersey is one of a handful of states that have made similar updates to data breach notification requirements. 

“There has been talk for many years about putting federal law in place covering these events, but, in the absence of that, the states have been leading the way on data security and privacy laws,” Smedresman said.

Even if states are each coming up with their own version of consumer data protections, what one state does — even as far away as California — often has a local impact.

That means that the California Consumer Privacy Act, which was meant to protect the information of California residents with the country’s most stringent oversight of data collection practices to date, is another policy New Jersey businesses have to pay attention to.

“If you’re an online service of any kind based in New Jersey with customers in California, this is going to be a compliance program you’re going to need to develop and implement prior to its launch,” Smedresman said.

The California legislation, which takes effect in January 2020, is meant to give consumers more control over how their personal information is used. California consumers will have the right to opt out of the sale of their personal data to third-party companies, or to opt out of sharing it altogether.

There is a lot of complexity to it, Smedresman explained, such as a provision that bars a business from asking a California resident who has opted out of the sale of their data to opt back in for a set period (12 months under the statute).

What does it all mean? Garden State companies have a fair share of homework to do. 

“Any New Jersey business should take this summer as an opportunity to examine what these new laws will require of them,” Smedresman said.

Conversation Starter

Reach Scott Smedresman of McCarter & English LLP at: ssmedresman@mccarter.com or 732-867-9768.