The New Jersey General Assembly passed, on 25 February 2019, a bill (S52) (‘the Bill’) which would amend the New Jersey breach notification law (‘the Law’) to require the disclosure of data breaches of online accounts, following its approval by the New Jersey Senate on 25 June 2018. In particular, the Bill would add to the definition of personal information, by including ‘user name, email address, or any other account holder identifying information that, in combination with any password or security question and answer, would permit access to an online account.’
Joseph Lazzarotti, Principal at Jackson Lewis P.C., told DataGuidance, “By adding what is essentially online account access credentials […] to the list of personal information that, in general, would require notification if breached, the state is trying to address a very real problem […] The unauthorised acquisition of account credentials to an online news account may not seem nearly as concerning on its face as losing one’s social security number. But if the hacker can then use those credentials to access that person’s retirement plan account because the individual used the same credentials, for example, there is significant exposure. Thus, requiring notification in these cases can help alert individuals to change not only the credentials for the account compromised, but also other accounts with the same or similar credentials.”
In addition, the Bill would specify that a business that furnishes email accounts must not provide notification to the email accounts that have been subject to a security breach. Instead, a business must notify the customer through one of the other methods outlined in the Law, or through a clear and conspicuous online notice when that customer is connected to the account from an IP address or location which the business knows the customer uses to commonly access the account.
Lazzarotti concluded, “I believe a number of states have updated their statutes to address breaches of online account information, such as Alabama, Arizona, California, Florida, Illinois, Nebraska, Nevada, Rhode Island, South Dakota and Wyoming […] One of the concerns many have with breach notification mandates is that individuals are getting so many of these notices that they simply have stopped paying attention. Acting in the abundance of caution, some organisations may send notices even if it is not clear that there has been a breach, or if there is a very low risk of harm, if any. Adding the email address as an element of personal information, by itself or together with a person’s first and last name, might unnecessarily increase the volume of breach notification letters and the likelihood that recipients will not read them.”
The Bill will now be sent to the New Jersey Governor for signature.
Bart van der Geest, Privacy Analyst