New Jersey: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

Data protection laws generally provide requirements related to how organisations may collect, use, store, and otherwise process personal information. Some data protection laws also provide individuals with certain rights with respect to their personal information. In the US, data protection laws tend to be sectoral in nature or specific to a particular data protection requirement (e.g., records disposal, breach notification), and most states, including New Jersey, do not have omnibus privacy legislation, but have adopted certain rules governing the collection, use, and disclosure of consumers' personal financial information by banks and other financial institutions.

This article aims to provide an overview of the New Jersey laws that relate to privacy and data protection in the financial sector. Section 1 introduces the legal landscape in New Jersey with respect to the financial industry, including relevant laws and the regulators who are charged with enforcing them. Section 2 summarises general requirements related to data management, such as requirements relating to notice, data security and risk management, data retention, and recordkeeping. Sections 3 to 9 cover legal requirements and local rules relating to a wide variety of topics, including but not limited to requirements related to insurance, permitted disclosures of personal data by financial institutions, and breach notification. Finally, section 10 provides an overview of the potential penalties for violations of these requirements. This article does not address federal data protection requirements applicable to the financial sector, including but not limited to, the Gramm-Leach-Bliley Act of 1999.

As stated above, a number of laws relevant to privacy and data protection have been enacted in New Jersey that govern the financial sector. Some of these laws are applicable to businesses generally (including financial institutions), such as the Identity Theft Prevention Act ('ITPA'), which includes the state's breach notification law, records disposal law, and a law governing the use of Social Security numbers. Other laws specifically govern financial institutions or insurance institutions. Laws regulating financial institutions include the New Jersey Electronic Fund Transfer Privacy Act of 1984 ('EFTPA'), which regulates the disclosure of information in the context of electronic fund transfers, and a records retention law. The New Jersey Insurance Information Practices Acts ('IIPA') applies to insurance institutions, agents, insurance-support organisations, and other persons who request personal or privileged information in connection with certain insurance transactions.

1.2. Supervisory authorities

The New Jersey Department of Banking and Insurance ('DOBI') regulates the banking and insurance industries in New Jersey. In particular, the DOBI's Division of Banking regulates state-chartered financial institutions, such as banks, savings banks, savings and loan institutions, and credit unions, and has the authority to bring enforcement actions against these types of institutions for the violation of any applicable banking law or regulation. The DOBI's Division of Insurance is charged with the oversight of various types of insurance regulated by the state of New Jersey.

In addition, violations of the laws discussed in this article that are generally applicable to New Jersey businesses, such as the state breach notification law, are considered violations of the New Jersey Consumer Fraud Act ('CFA').1 The New Jersey Attorney General ('AG') has the authority to investigate violations of the CFA and, upon receiving evidence of any violation, may hold hearings to assess a penalty against the alleged violator. The AG also may issue subpoenas to any person, administer an oath or affirmation to any person, conduct hearings in aid of any investigation or inquiry, promulgate rules and regulations, and prescribe forms as may be necessary.2

2. Personal and Financial Data Management

2.1. Legal basis for processing

There are no specific New Jersey laws that require a 'legal basis' for the collection, processing, and transfer of personal financial data by financial institutions. As discussed in further detail throughout this article, however, a number of laws do place restrictions on the processing and disclosure of personal information.

2.2. Privacy notices and policies

There are no specific New Jersey laws that require privacy notices in the financial sector. Certain sector-specific state laws require the disclosure of specified information to individuals via required notices separate and apart from an institution's privacy notice. These requirements are described in further detail below in conjunction with information about the other requirements in each of these laws.

2.3. Data security and risk management

There are no New Jersey laws that specifically regulate data security and risk management requirements in the financial sector. However, the New Jersey Cybersecurity and Communications Integration Cell ('NJCCIC'), which is a component organisation within the New Jersey Office of Homeland Security and Preparedness, has published a New Jersey Statewide Information Security Manual ('SISM') that includes a set of policies, standards, procedures, and guidelines that 'set a clear direction for information security […] while effectively managing risk and ensuring the confidentiality, integrity and availability of their information and information systems.'

The NJCCIC states that the SISM is derived from state and federal laws, industry best practices, including the National Institute of Standards and Technology ('NIST') Cybersecurity Framework for Improving Critical Infrastructure, NIST Special Publication 800-53, NIST Special Publication 800-171, the Center for Internet Security ('CIS') Top 20 Critical Security Controls, the Cloud Security Alliance ('CSA') Cloud Controls Matrix ('CCM'), and other New Jersey State Government business and technology-related considerations. Although the SISM itself indicates that its purpose is to assist New Jersey State government organisations, the document's website description suggests that certain of the policies, standards, procedures, and guidelines contained within may be applicable to organisations in general.

2.4. Data retention/record keeping

State-chartered financial institutions are required to retain certain records for specified periods of time. Records of out-of-state banks, savings banks, and savings and loan associations that relate to accounts, loans, or other transactions made or located in New Jersey also must be retained for specified time periods.3 For example, financial institutions are required to retain records of checks, drafts, money orders, and cashier's checks they issued for at least six years after the date of issue. Records of certified checks, electronic transfers, and other means of transferring funds from the financial institution must be retained for at least six years after the date of transfer of the funds.4 Records relating to safe deposit boxes (e.g., access records, access agreements, lease agreements, signature cards, records of payments for the rental or use of the box, powers of attorney, and records of abandoned property) must be maintained for a period of at least six years after the date of termination of the lease or access agreement.5 In addition, correspondence that is not 'included as a record' must be retained for at least three years after the date of the correspondence.6

With respect to statement accounts (i.e., an account7 that is not a passbook account and for which a financial institution supplies a periodic statement of the account's activity, balance, or both, or supplies any other statement of the account as the owner and financial institution may agree), the following retention periods apply:8

| Type of record | Required retention period |
| --- | --- |
| Records of transactions in a statement account sufficient to reconstruct the account and to trace checks, drafts and other orders | At least six years |
| Account opening records | As long as the account is open, plus at least six years after the account is closed |
| Account closing records | At least six years after the account is closed |
| A record of the last transaction or contact with the owner (in connection with the presumption of abandonment of a demand, savings or time deposit) | At least 10 years after the date of transaction or contact, as applicable |

With respect to certificates of deposit (which have a specific maturity date and are not automatically renewed), the following retention periods apply:9

| Type of record | Required retention period |
| --- | --- |
| Records of the account opening, transactions regarding the account, if any, and the closing of the account | At least six years following the stated maturity date |
| Record of the most recent transaction | At least 10 years after the date of the transaction |

With respect to passbook accounts (and to the extent consistent with applicable federal law), the following retention periods apply:10

| Type of record | Required retention period |
| --- | --- |
| Records of transactions in a passbook account sufficient to reconstruct the account | At least six years |
| Account opening records | As long as the account is open, plus at least six years after the account is closed |
| Account closing records | At least 15 years after the account is closed |
| Record of the last transaction or contact with the owner (in connection with the presumption of abandonment of a demand, savings or time deposit) | At least 10 years after the date of the transaction or contact, as applicable |

With respect to all loans, the following retention periods apply:11

| Type of record | Required retention period |
| --- | --- |
| Records of dispositive or final judgments in bankruptcies or other litigation involving a loan, and termination of loan accounts | At least six years after the termination of the loan account |
| Records of approval of loans or credit | At least six years after the closing of the loan or credit files |
| Records of denials of loan applications | At least 25 months after the date of denial |
| Loan files, including copies of records regarding collateral and the perfection of security interests, guarantees and other records from time to time specified for retention by regulation adopted by the Commissioner | At least six years after the termination of the loan account |
| Records of transactions for lines of credit and open-end loans | At least six years after the date of a transaction |
| Loan committee minutes | At least six years after the date of the committee meeting |
| Record of compliance with all applicable state and federal regulatory requirements | As required by the applicable law or regulation. If no record retention period is specified in the law or regulation, the financial institution must retain the records necessary to show compliance for at least six years |

With respect to collateralised loans, the following retention periods apply:12

| Type of record | Required retention period |
| --- | --- |
| Records identifying the collateral, perfection of the financial institution's security interest in the collateral and, for tangible personal property, the place and method of possession of the collateral | At least six years after the termination of the loan account |
| Records of the disposition by a financial institution of collateral that is personal property | At least six years after the date of disposition |
| For collateral that is real estate, records regarding the transfer of title by the financial institution | At least six years after the date of transfer of title; records of dispositive or final judgments or orders in foreclosure proceedings must be retained for at least six years after the date of the judgment of foreclosure or, if no judgment, from the date of the termination of those proceedings |
| Records of escrow analyses and statements and of transactions in escrow accounts | At least six years |

To the extent any records are subject to more than one retention period required by the statute, the longest time period for which those records are required to be kept will apply.13 In addition, the Commissioner of the DOBI ('the Commissioner') is permitted to establish, by regulation, minimum record retention requirements for any records not specifically covered by this law or by the retention requirements of any other state or federal law.14 Finally, the statute also clarifies that it does not impose on financial institutions any obligation to create data or to retain records that would not otherwise be created or retained.15

With respect to the disposal of records, if a customer record within the custody or control of a business or public entity contains personal information that is no longer to be retained, then New Jersey's ITPA requires the business or public entity to destroy (or arrange for the destruction of) the record by shredding, erasing or otherwise modifying the personal information in those records as to render it unreadable, undecipherable or non-reconstructable through generally available means.16

'Records' means any material, regardless of the physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed, or electromagnetically transmitted. Publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed are not considered to be records.17

3. Financial Reporting and Money Laundering

New Jersey has not enacted analogous laws regulating these requirements at a state level.

Please refer to the Bank Secrecy Act18 which includes extensive regulatory requirements related to anti-money laundering ('AML') including Know Your Customer ('KYC') rules. Please also refer to the Fair Credit Reporting Act's Red Flags Rule,19 which requires financial institutions and creditors that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an identity theft prevention program in connection with new and existing accounts.

For more information on federal AML requirements see OneTrust DataGuidance's USA – Data Protection in the Financial Sector.

4. Banking Secrecy and Confidentiality

Pursuant to N.J.S.A. 17:16T et seq., financial institutions20 are permitted to release certain customer account21 information relevant to actual or suspected illegal activities to a law enforcement agency (including state, county, or municipal law enforcement agencies) or a county adult protective service provider22 or both if:

  • a vulnerable customer23 or a senior customer24 has a beneficial interest (in whole or in part) in the account; and
  • the financial institution suspects that illegal activity (including but not limited to defrauding any vulnerable or senior customer who has a beneficial interest in the account) is taking place or will take place.25

Any financial institution (or any officer, employee or agent of the financial institution) that makes a disclosure pursuant to this law will not be liable to the customer under any state law or regulation for the disclosure or for the failure to notify the customer of the disclosure.26 In addition, financial institutions (or officers, employees, or agents of the financial institution) who decide in good faith not to disclose information that they would be permitted to disclose under this law will not be held liable for the decision not to disclose.27

This statute was intended to complement and parallel the federal Right to Financial Privacy Act of 1978 which provides that, among other requirements, a financial institution may release account information to federal governmental agents if the information may be relevant to a possible violation of any statute or regulation.28 The Right to Financial Privacy Act did not address the release of information to state, county, or municipal law enforcement agencies or to county adult protective service providers.

5. Insurance

The New Jersey IIPA, which went into effect on 7 December 1985, regulates the collection, use, and disclosure of information gathered in connection with policies, contracts, or certificates of insurance issued or delivered in New Jersey for life, health or disability coverage, or property or casualty coverages. The IIPA applies to insurance institutions, agents and insurance support organisations29 and to persons requesting personal or privileged information in connection with an insurance transaction involving personal, family or household coverages.30 According to a statement by the sponsor of the bill, its objective was to balance the need for information by those conducting the business of insurance with the public's need for 'fairness in insurance information practices, including the protection of personal privacy and providing mechanisms by which natural persons and residents of this State may ascertain and dispute the accuracy of information gathered about them, and may obtain the reasons for any adverse underwriting decisions.' The IIPA was based on the National Association of Insurance Commissioners' Insurance Information and Privacy Protection Model Act.

At a high level, the IIPA requires insurance institutions and their agents to provide all applicants or policyholders with a written notice of information practices, and prohibits the disclosure of personal or privileged information about an individual without the written authorisation of that individual, and then only if:

  • the disclosure of information is reasonably necessary to perform a business, professional, or insurance function for the disclosing institution, agent, or support organisation; and
  • the person agrees not to make further disclosures, except as authorised by the law.

Subject to certain exceptions, within 30 days of receipt of an appropriate request, an insurance institution, agent, or insurance-support organisation must provide authorised individuals with access to recorded personal information about themselves if reasonably described by the individual and reasonably retrievable. In addition, subject to certain exceptions, the IIPA sets forth the procedures by which an individual may request corrections or deletions of recorded personal information in dispute and stipulates the responsibilities of the insurance institution, agent, or support organisation receiving such request.

The IIPA also:

  • limits the use of pretext interviews to the gathering of information from statutorily nonprivileged sources, if a reasonable basis exists for suspecting criminal activity, fraud, material misrepresentation or material nondisclosure in connection with a claim;
  • prohibits requests for, or the preparation of, investigative consumer reports unless the individual is:
    • advised of their right and afforded the opportunity to be interviewed in accordance with reasonable procedures; and
    • advised of the right to request a copy of the report;
  • specifies required content for disclosure authorisation forms, which are used by insurance institutions, agents or insurance-support organisations to authorise the disclosure of personal or privileged information about an individual by another insurance institution, agent or insurance-support organisation; and
  • contains certain provisions relating to underwriting.

The IIPA defines 'personal information' to mean any individually identifiable information gathered in connection with an insurance transaction31 from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. The term includes an individual's name and address and medical-record information32, but does not include privileged information.33 'Privileged information' means any individually identifiable information that relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual, and is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual.34

Requirements for notice of insurance information practices

In connection with insurance transactions, all applicants and policyholders must be provided a notice of information practices of the insurance institution or agent.35 The notice must be provided in writing and state:

  • whether personal information may be collected from persons other than the individual or individuals proposed for coverage;
  • the types of personal information that may be collected and the types of sources and investigative techniques that may be used to collect that information;
  • the types of disclosure36 and the circumstances under which the disclosure may be made without prior authorisation (note that only the circumstances that occur with such frequency as to indicate a general business practice need to be described);
  • a description of rights (i.e., the right to request to be interviewed in connection with the preparation of an investigative consumer report, the right to request access to or correction, amendment, or deletion of recorded personal information) and the manner in which these rights may be exercised; and
  • that information obtained from a report prepared by an insurance-support organisation may be retained by the insurance-support organisation and disclosed to other persons.37

In addition, information that is collected for marketing or research purposes must be identified as such.38

An abbreviated notice is permitted where the notice informs the applicant or policyholder that:

  • personal information may be collected from persons other than the individual or individuals proposed for coverage;
  • the information (as well as other personal or privileged information subsequently collected by the insurance institution or agent) may in certain circumstances be disclosed to third parties without authorisation;
  • a right of access and correction exists with respect to all personal information collected; and
  • the full notice will be provided to the applicant or policyholder upon request.39

For applications for insurance, the notice must be provided at the time of the delivery of the insurance policy or certificate, when personal information is collected only from the applicant or from public records, or at the time the collection of personal information is initiated, when personal information is collected from a source other than the applicant or public records.40 For policy renewals, the notice generally must be provided on the policy renewal date. No notice is required for policy renewals if personal information is collected only from the policyholder or from public records, or if a notice with the requisite content requirements was provided within the previous 24-month period.41 For policy reinstatements or changes in insurance benefits, the notice must be provided at the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution; no notice is required in this case if personal information is collected only from the policyholder or from public records.42

Disclosure limitations and conditions

An insurance institution, agent, or insurance-support organisation is prohibited from disclosing any personal or privileged information about an individual collected or received in connection with an insurance transaction except under certain circumstances, including:

  • when the individual provides valid written authorisation;43
  • to a person other than an insurance institution, agent or insurance-support organisation, provided that the disclosure is reasonably necessary to achieve certain specified purposes;
  • to an insurance institution, agent, insurance-support organisation or self-insurer, if the information disclosed is limited to that which is necessary to detect or prevent fraud or other criminal activity or for the receiving or disclosing institution to perform its functions in connection with an insurance transaction involving the individual;
  • to a medical-care institution or medical professional for certain purposes;
  • to an insurance regulatory authority;
  • to law enforcement or other governmental authority, if the institution reasonably believes illegal activities have been conducted by the individual or to protect its interests in preventing or prosecuting fraud;
  • as otherwise permitted or required by law;
  • in response to a 'facially valid administrative or judicial order' (e.g., a search warrant or subpoena);
  • disclosures made for the purpose of conducting actuarial or research studies, subject to certain requirements;
  • to a party to a proposed or consummated sale, transfer, merger or consolidation of all or part of the business of the insurance institution, agent or insurance-support organisation, subject to certain limitations;
  • to a person whose only use of such information will be in connection with the marketing of a product or service, provided that:
    • no medical-record information, privileged information, or personal information relating to an individual's character, personal habits, mode of living or general reputation is disclosed, and no classification derived from that information is disclosed;
    • the individual has been provided with an opportunity to indicate that he does not want personal information disclosed for marketing purposes and has given no indication that he does not want the information disclosed; and
    • the person receiving the information agrees to not use it except in connection with the marketing of a product or service;
  • to an affiliate whose only use of the information will be in connection with an audit of the insurance institution or agent or the marketing of an insurance product or service, if the affiliate agrees to not disclose the information for any other purpose or to unaffiliated persons;
  • by a credit reporting agency, if the disclosure is to a person other than an insurance institution or agent;
  • to a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance institution's or agent's operations or services, if the information disclosed is reasonably necessary for the recipient to conduct the review or audit;
  • to a professional peer review organisation for the purpose of reviewing the services or conduct of a medical-care institution or medical professional;
  • to a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the governmental authority may be liable;
  • to a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance transaction; or
  • to a lienholder, mortgagee, assignee, lessor or other person shown on the records of an insurance institution or agent as having a legal or beneficial interest in a policy of insurance provided that certain limitations apply.44

An insurer or insurance producer also may not disclose any personal or privileged information collected or received in connection with an insurance transaction regarding an individual's status as a victim of domestic violence or a domestic violence-related condition, unless the disclosure meets certain requirements.45

Investigative consumer reports

In addition to the requirements stated above, an insurance institution, agent, or insurance-support organisation is prohibited from preparing or requesting an investigative consumer report about an individual in connection with an insurance transaction involving an application for insurance, a policy renewal, a policy reinstatement, or a change in insurance benefits unless the insurance institution or agent informs the individual of certain information.

The insurance institution or agent must inform the individual that the individual may request to be interviewed in connection with the preparation of the investigative consumer report and, upon written request and proper identification, in certain circumstances such as when the information is reasonably locatable and retrievable, the individual has the right to receive a copy of the investigative consumer report to the extent that the information about them is collected and maintained by an insurance institution, agent or insurance-support organisation in connection with an insurance transaction.46 Once such a request is received, the insurance institution, agent, or insurance-support organisation must, within 30 business days from the date the request is received:

  • inform the individual in writing of the nature and substance of the recorded personal information;
  • permit the individual to see and copy, in person, the recorded personal information pertaining to them or to obtain a copy of the recorded personal information by mail, whichever the individual prefers, unless the recorded personal information is in coded form, in which case an accurate translation in plain language must be provided in writing;
  • disclose to the individual the identity, if recorded, of the persons to whom the insurance institution, agent or insurance-support organisation has disclosed the personal information within the two years preceding the request and, if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organisations, or other persons to whom such information is normally disclosed; and
  • provide the individual with a summary of the procedures by which they may request correction, amendment, or deletion of the recorded personal information.47

For personal information provided in response to a request, the source of the information must be identified if the source is an institutional source.48 In addition, with respect to requested information that is medical-record information, if the information is supplied by a medical-care institution or medical professional, then the information should be provided either to the individual or to a medical professional the individual designates who also is licensed to provide medical care for the condition to which the information relates – whichever the insurance institution, agent or insurance-support organisation prefers – together with the identity of the medical professional or medical-care institution that provided the information. If this information is provided to the designated medical professional, then the insurance institution, agent or insurance-support organisation must, at the time of disclosure, notify the individual that the information was provided to the medical professional.49

Insurance institutions, agents, or insurance-support organisations are permitted to make arrangements with an insurance-support organisation or a credit reporting agency to copy and disclose recorded personal information on their behalf.50 Additionally, under most circumstances, a reasonable fee may be charged to cover the costs incurred in providing a copy of the recorded personal information to individuals.51

In addition to the right to request access to the recorded personal information, individuals also may request correction, amendment, or deletion of recorded personal information about them. Within 30 business days from the date of receipt of a written request from an individual to correct, amend or delete recorded personal information about the individual within the insurance institution, agent or insurance-support organisation's possession, the insurance institution, agent, or insurance-support organisation must either:

  • correct, amend, or delete the portion of the recorded personal information in the dispute; or
  • notify the individual of:
    • its refusal to make the correction, amendment, or deletion;
    • the reasons for the refusal; and
    • the individual's right to file a statement.52

If the insurance institution, agent, or insurance-support organisation corrects, amends or deletes the recorded personal information, then it must notify the individual that it did so and furnish the correction, amendment, or fact of deletion to:

  • any person specifically designated by the individual who may have, within the preceding two years, received the recorded personal information;
  • any insurance-support organisation whose primary source of personal information is insurance institutions, if the insurance-support organisation has systematically received the recorded personal information from the insurance institution within the preceding seven years (except that the correction, amendment, or fact of deletion need not be furnished if the insurance-support organisation no longer maintains recorded personal information about the individual); and
  • any insurance-support organisation that furnished the personal information that has been corrected, amended, or deleted.53

If, on the other hand, the insurance institution, agent or insurance-support organisation refuses to correct, amend, or delete the individual's recorded personal information, the individual must be able to file a concise statement with the insurance institution, agent, or insurance-support organisation setting forth what the individual believes is the correct, relevant or fair information and the reasons why the individual disagrees with the insurance institution's, agent's, or insurance-support organisation's refusal to correct, amend, or delete recorded personal information.54 If a statement is filed, the insurance institution, agent or insurance-support organisation must file the statement with the disputed personal information and provide a means by which anyone reviewing the disputed personal information will be made aware of the individual's statement and have access to it. In addition, in any subsequent disclosure by the insurance institution, agent, or insurance-support organisation of the disputed recorded personal information, the insurance institution, agent, or insurance-support organisation must clearly identify the matter(s) in dispute and provide the individual's statement together with the recorded personal information that is being disclosed. The statement must be provided in writing to the same person or entity from the list above.55

Adverse underwriting decisions

With respect to adverse underwriting decisions, an insurance institution or agent responsible for the adverse underwriting decision is required to either provide the applicant, policyholder or individual proposed for coverage with:

  • the specific reason(s) for the adverse decision; or
  • notice that the person may, upon request, receive the specific reason(s) for the decision.56

In addition, the insurance institution or agent is required to provide a summary of the rights available, including the right to obtain the specific items of personal and privileged information that support the adverse decision (subject to certain exceptions, such as suspicion of fraud and certain medical-record information) and the names and addresses of the institutional sources that supplied these specific items of information.57 In general, this information must be provided in writing; however, when an adverse underwriting decision results solely from an oral request or inquiry, the explanation of reasons and summary of rights may be provided orally.58

6. Payment Services

The EFTPA regulates the disclosure of information in the context of an electronic fund transfer by a 'financial institution', meaning a state or national bank, savings and loan association, mutual savings bank, or credit union, a person who directly or indirectly holds an account59 belonging to a consumer, or any person who issues an access device60 and agrees with a consumer to provide electronic fund transfer services.62 'Electronic fund transfer' means any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorising a financial institution to debit or credit an account.61 The term includes, but is not limited to, point-of-sale transfers, automated teller machine transfers, direct deposits or withdrawals of funds, and transfers initiated by telephone. It does not include payments made by check, draft, or similar paper instrument at an electronic terminal, or any transaction that is exempt, by statute or regulation, from the federal Consumer Credit Protection Act of 1968.

Pursuant to the EFTPA, a financial institution is permitted to disclose information about an electronic fund transfer or account to a third party under the following circumstances:

  • when the disclosure is necessary for the completion of an electronic fund transfer;
  • when the possessor of the account provides written permission to the financial institution to disclose the information;
  • when the disclosure is for the purpose of verifying the existence and condition of an account for a third party, including, but not limited to, a credit bureau or a merchant;
  • when the disclosure is necessary to resolve an error or an inquiry as to an alleged error;
  • when the disclosure is made to a supervisory agency in the exercise of its supervisory and regulatory examination functions with respect to a financial institution; or
  • when the disclosure is made to a government agency in the exercise of its statutory functions with respect to a person applying for or receiving public assistance.63

Other than as provided above, government agencies are prohibited from obtaining information from an electronic fund transfer account without first obtaining a search warrant or subpoena.64 In addition, government agencies are not permitted to intercept an electronic fund transfer without first obtaining a court order.65

7. Data Transfers and Outsourcing

Not applicable.

Please refer to U.S. federal rules, regulations, and governmental guidance concerning outsourcing functions by federally regulated financial institutions.

In addition, please see our USA – Data Protection in the Financial Sector Guidance Note for more information.

8. Breach Notification

At the state law level, businesses, including financial institutions, that conduct business in New Jersey and compile or maintain computerised records that include personal information are required to disclose any 'breach of security'66 of those records, following discovery or notification of the breach, to any customer who is a resident of New Jersey and whose personal information was, or is reasonably believed to have been, accessed by an unauthorised person. Disclosure of a breach of security to a customer is not required if the business establishes that misuse of the information is not reasonably possible; however, this determination must be documented in writing and retained for five years.67

Timeframe

Notification to affected customers must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement (i.e., if a law enforcement agency determines that the notification will impede a criminal or civil investigation and that agency has made a request that the notification be delayed) or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If applicable, the business must provide individuals notification of the breach once the law enforcement agency determines and notifies the business that disclosure of the breach will not compromise the investigation.68

Procedure

Businesses may provide written, electronic (consistent with the provisions regarding electronic records and signatures set forth in section 101 of the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001), or 'substitute' notice to affected individuals. Substitute notice may only be used if the business demonstrates that:

  • the cost of providing notice would exceed $250,000;
  • the affected class of subject persons to be notified exceeds 500,000; or
  • the business does not have sufficient contact information for the individuals to be notified.

Substitute notice consists of all of the following:

  • email notice, if the business has an email address for the affected individual;
  • conspicuous posting of the notice on the business's website, if it maintains one; and
  • notification to major statewide media.69

If the breach of security only involves a username or password, in combination with any password or security question and answer that would permit access to an online account, then the business may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question and answer, as applicable, or to take other appropriate steps to protect the online account with the business or public entity and all other online accounts for which the customer uses the same user name or email address and password or security question and answer.70

If the business furnishes an email account, it may not provide notification to the email account that is subject to a security breach. In this case, the business must provide notice by another method described in this section or by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an IP address or online location from which the business or public entity knows the customer customarily accesses the account.71

Notification to authorities

A business that must provide notice of a breach of security to affected individuals must also report the breach, including any information pertaining to it, to the Division of State Police in the Department of Law and Public Safety, and must do so before notifying the affected individuals.72

Notification to third parties

If the business is required to notify more than 1,000 individuals, the business also must notify, without unreasonable delay, all credit reporting agencies that compile or maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.73

Immediately following the discovery of a breach of security of computerised records containing personal information that a business compiles or maintains on behalf of another business, if personal information was or is reasonably believed to have been accessed by an unauthorised person, then the business must notify that business (who must then notify its New Jersey customers).74

9. Fintech

In recent years, there have been a number of proposed bills related to digital currencies and digital asset businesses. For example, in February 2020, the New Jersey Legislature introduced Assembly Bill ('AB') 2891 for the Digital Asset and Blockchain Technology Act ('AB 2891'), which would require a digital asset business to:

  • obtain a proper license to operate or otherwise be penalised $500 per day from the first day the DOBI issues a notice of failure to apply for a license until an application is filed with the DOBI; and
  • disclose its terms and conditions at the time the consumer contracts for a digital asset business service.

Under AB 2891, this disclosure must be full and complete, contain no material misrepresentations, be in readily understandable language, and may include, as appropriate and to the extent applicable, certain information concerning fees and charges, risks to the consumer, and any protections or securities that are in place. As currently drafted, AB 2891 defines 'digital asset' to mean a representation of economic, proprietary, or access rights that is stored in a machine-readable format and has a transaction history that is recorded in a distributed digital ledger or digital data structure in which consensus is achieved through a mathematically verifiable process. Examples of digital assets include digital consumer assets, digital securities, and virtual currency. The bill was passed by the Assembly on 25 March 2021. A sister bill, Senate Bill 3132, was introduced in the Senate in November 2020. These bills were carried over into the 2022-2023 legislative session as Assembly Bill 2371 and Senate Bill 1756.

10. Enforcement

Violations of the laws discussed in this article that are generally applicable to New Jersey businesses, such as the state breach notification law, are considered violations of the CFA.76 The AG has the authority to investigate violations of the CFA and, upon receiving evidence of any violation, may hold hearings to assess a penalty against the alleged violator. The AG also may issue subpoenas to any person, administer an oath or affirmation to any person, conduct hearings in aid of any investigation or inquiry, promulgate rules and regulations, and prescribe forms as may be necessary.77

The DOBI typically is charged with the authority to bring enforcement actions for the violation of laws that specifically apply to financial or insurance institutions. The Commissioner has the power to examine and investigate the affairs of every insurance institution or agent doing business in New Jersey to determine whether the insurance institution or agent has been or is engaged in any conduct in violation of the IIPA. The Commissioner also is authorised to examine and investigate the affairs of every insurance-support organisation acting on behalf of an insurance institution or agent which either transacts business in New Jersey or transacts business outside New Jersey in a way that has an effect on a New Jersey resident.78 If the Commissioner believes a violation of the IIPA has occurred, the Commissioner must issue and serve upon the insurance institution, agent, or insurance-support organisation a statement of charges and a notice of hearing.79 If, after the hearing, the Commissioner determines that the insurance institution, agent, or insurance-support organisation has engaged in conduct or practices in violation of the IIPA, the Commissioner must put its findings in writing and issue a cease and desist order.80 The Commissioner may additionally order payment of a monetary penalty of not more than $500 for each violation, and not more than $10,000 in the aggregate for multiple violations.81 If the cease and desist order is violated, the Commissioner has the discretion to impose additional penalties, including:

  • a monetary fine of up to $10,000 for each violation;
  • a monetary fine of up to $50,000, if the Commissioner finds that violations have occurred with such frequency as to constitute a general business practice; or
  • suspension or revocation of any insurance institution's or agent's license.82

In addition, any person whose rights have been violated under certain sections of the IIPA may bring an action against an insurance institution, agent, or insurance-support organisation for appropriate equitable relief or for damages sustained by the person about whom the information relates (except that no individual will be entitled to a monetary award that exceeds the actual damages sustained by the individual as a result of the violation), depending on the type of violation. In addition, a court may award the costs of the action and reasonable attorney's fees to the prevailing party.83

With respect to the EFTPA, if a court of competent jurisdiction determines that a financial institution acted negligently, wilfully, or recklessly in violating the EFTPA, the financial institution may be liable to the aggrieved person for actual damages sustained, reasonable litigation costs, and reasonable attorney's fees. In cases where a financial institution or government agency acted wilfully or recklessly, a court of competent jurisdiction may award punitive damages where appropriate.84

11. Additional Areas of Interest

Many states, including New Jersey, also regulate the use of Social Security numbers. Specifically, in New Jersey businesses are prohibited from:

  • publicly posting or displaying an individual's Social Security number, or any four or more consecutive numbers taken from the individual's Social Security number;
  • printing an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed;
  • printing an individual's Social Security number on any card required for the individual to access products or services provided by the entity;
  • intentionally communicating or otherwise making available to the general public an individual's Social Security number;
  • requiring an individual to transmit their Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; and
  • requiring an individual to use their Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.85

The CFA clarifies that, unless otherwise prohibited, Social Security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrolment process, or to establish, amend or terminate an account, contract, or policy, or to confirm the accuracy of the Social Security number. If a Social Security number is permitted to be mailed, the number may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.86
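The first of the display rules above is stricter than the common convention of showing only the last four digits: a value rendered as XXX-XX-6789 still displays four consecutive digits taken from the number. The following Python helper is added here to illustrate that literal wording; it is not taken from the article or the statute, and the function names, the X placeholder, the nine-digit NNN-NN-NNNN assumption and the sample strings are the editor's own. It masks an SSN so that no more than three consecutive digits remain, refuses a 'last four' request outright, and checks rendered output for any run of four or more consecutive digits of a known SSN.

```python
import re

# Editor's assumptions, not statutory text: an SSN is exactly nine digits,
# optionally written as NNN-NN-NNNN; a digit run is any maximal sequence of digits.
DIGIT_RUN = re.compile(r"\d+")
HYPHEN_BETWEEN_DIGITS = re.compile(r"(?<=\d)-(?=\d)")


def normalise_ssn(ssn: str) -> str:
    """Return the nine digits of an SSN, stripping hyphens and spaces."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def mask_ssn(ssn: str, visible: int = 3) -> str:
    """Mask an SSN for display, keeping at most `visible` trailing digits.

    Three is the most that can be shown without displaying four or more
    consecutive digits taken from the number. A request for four (the usual
    'last four' layout) is refused rather than silently honoured.
    """
    if not 0 <= visible <= 3:
        raise ValueError("showing four or more consecutive digits is what the rule prohibits")
    digits = normalise_ssn(ssn)
    masked = "X" * (9 - visible) + digits[9 - visible:]
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def exposed_runs(rendered: str, ssn: str, threshold: int = 4) -> list[str]:
    """Return digit runs in `rendered` that contain `threshold` or more
    consecutive digits of `ssn`.

    Hyphens between digits are removed first so that a fragment such as
    45-6789 is seen as the six-digit run it really is. A hit is a review
    flag, not proof: a coincidental match (e.g. a year) is possible.
    """
    digits = normalise_ssn(ssn)
    # Every contiguous `threshold`-digit window of the SSN; any longer
    # exposed fragment necessarily contains one of these.
    windows = {digits[i:i + threshold] for i in range(0, 10 - threshold)}
    text = HYPHEN_BETWEEN_DIGITS.sub("", rendered)
    return [run for run in DIGIT_RUN.findall(text)
            if any(w in run for w in windows)]


if __name__ == "__main__":
    ssn = "123-45-6789"  # constructed sample value, not a real SSN
    print(mask_ssn(ssn))  # XXX-XX-X789
    # A typical 'last four' card layout: flagged because 6789 is four
    # consecutive digits of the SSN.
    card = f"Member ID card: SSN ending {ssn[-4:]}"
    print(exposed_runs(card, ssn))  # ['6789']
```

`exposed_runs` is meant to run over the text of a rendered document (a statement, a card proof, a web page) for which the underlying SSN is known, so that a layout review catches the last-four pattern before it reaches a mailer or a screen.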

Brittany Bacon Partner
[email protected]
Michael La Marca Counsel
[email protected]
Sam Smart Associate
[email protected]
Hunton Andrews Kurth, New York


  1. New Jersey Statutes Annotated (N.J.S.A.) 56:8-1, et seq.
  2. N.J.S.A. 56:8-3 to 56:8-4.
  3. N.J.S.A. 17:16W-11.
  4. N.J.S.A. 17:16W-6.
  5. N.J.S.A. 17:16W-7.
  6. Id.
  7. A 'passbook' means a document or record issued by a financial institution, which document or record represents an obligation of the financial institution, which obligation either has no fixed maturity or due date or which by its term is subject to automatic renewal or renewals for an indefinite time or indefinite number of times. Neither a periodic account statement nor any obligation for which applicable law provides a time by which the payment is due is considered a passbook. A 'passbook account' means an account which is evidenced by a passbook, certificate of deposit or similar document. N.J.S.A. 17:16W-2.
  8. N.J.S.A. 17:16W-3.
  9. Id.
  10. Id.
  11. N.J.S.A. 17:16W-5(a).
  12. N.J.S.A. 17:16W-5(b).
  13. N.J.S.A. 17:16W-8.
  14. N.J.S.A. 17:16W-9.
  15. N.J.S.A. 17:16W-10.
  16. N.J.S.A. 56:8-162.
  17. N.J.S.A. 56:8-161.
  18. 31 U.S.C. §§ 5311-5330.
  19. 16 C.F.R. Part 681.
  20. 'Financial institution' means a state or federally chartered bank, savings bank, savings and loan association or credit union. N.J.S.A. 17:16T-2.
  21. 'Account' means a deposit or fiduciary account maintained with a financial institution in the senior or vulnerable customer's name. Id.
  22. 'County adult protective services provider' means a county Board of Social Services or other public or nonprofit agency with experience as a New Jersey provider of protective services for adults, designated by the county and approved by the Commissioner of Human Services pursuant to the 'Adult Protective Services Act.' Id.
  23. 'Vulnerable customer' means a natural person, who is at least 18 years of age, resides in a community setting, and, to a financial institution acting in good faith, appears to have a physical or mental illness, disability or deficiency, or lacks a sufficient understanding of, and the capacity to make, communicate or carry out decisions concerning, the management of the customer's savings or resources, who utilized or is utilizing any service of a financial institution, or for whom a financial institution is acting or has acted as a fiduciary, in relation to an account maintained in the person's name. Id.
  24. 'Senior customer' means a natural person, who, to the financial institution acting in good faith, appears to be at least 60 years of age, who utilized or is utilizing any service of a financial institution, or for whom a financial institution is acting or has acted as a fiduciary, in relation to an account maintained in the person's name. Id.
  25. N.J.S.A. 17:16T-3.
  26. N.J.S.A. 17:16T-4(a).
  27. N.J.S.A. 17:16T-4(b).
  28. 12 U.S.C. § 3401 et seq.
  29. 'Insurance support organization' means any person who regularly engages, in whole or in part, in the practice of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including: (1) the furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction, or (2) the collection of personal information from insurance institutions, agents or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. Notwithstanding the foregoing, agents, government institutions, insurance institutions, medical-care institutions, medical professionals and rating organizations are not considered insurance support organizations for purposes of this act. N.J.S.A. 17:23A-2.
  30. Specifically, the IIPA applies to insurance institutions, agents or insurance-support organisations which, on or after December 7, 1985: (1) in the case of life, health or disability insurance, (a) Collect, receive or maintain information in connection with insurance transactions which pertains to natural persons who are residents of New Jersey, or (b) engage in insurance transactions with applicants, individuals or policyholders who are residents of New Jersey; and (2) In the case of property or casualty insurance, (a) Collect, receive or maintain information in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in New Jersey, or (b) engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in New Jersey. N.J.S.A. 17:23A-1(a).
  31. 'Insurance transaction' means any transaction involving insurance primarily for personal, family or household needs rather than business or professional needs. N.J.S.A. 17:23A-2(n).
  32. 'Medical-record information' means personal information that: (1) relates to an individual's physical or mental condition, medical history or medical treatment; and (2) is obtained from a medical professional or medical-care institution, from the individual, or from the individual's spouse, parent or legal guardian. N.J.S.A. 17:23A-2(r).
  33. N.J.S.A. 17:23A-2(t).
  34. N.J.S.A. 17:23A-2(w). Note that information otherwise meeting the requirements for privileged information will be considered personal information under this act if it is disclosed in violation of the act's prohibition on the disclosure of any personal or privileged information about an individual collected or received in connection with an insurance transaction by insurance institutions, agents or insurance-support organizations, except under certain circumstances. N.J.S.A. 17:23A-13. These circumstances are covered in the 'Disclosure Limitations and Conditions' section below.
  35. N.J.S.A. 17:23A-4.
  36. See N.J.S.A. 17:23A-13(b)-(f), (i), (k), (l) and (n) for the different types of disclosures.
  37. N.J.S.A. 17:23A-4(b)(1)-(5).
  38. N.J.S.A. 17:23A-5.
  39. N.J.S.A. 17:23A-4(c)(1)-(4).
  40. N.J.S.A. 17:23A-4(a)(1).
  41. N.J.S.A. 17:23A-4(a)(2).
  42. N.J.S.A. 17:23A-4(a)(3).
  43. With respect to disclosures made with the written authorisation of the individual, if the authorization is submitted by a person other than an insurance institution, agent or insurance support organization, the authorization must be dated, signed by the individual, and obtained within one year before the date of disclosure. N.J.S.A. 17:23-13(a)(2). If the authorization is submitted by another insurance institution, agent or insurance-support organization, a disclosure authorization form or statement is required. The disclosure authorization form or statement must be dated, written in plain language and specify (1) the type of person authorized to disclose information about the individual, (2) the nature of the information authorized to be disclosed, (3) the purposes for which the information is collected, and (4) the length of time the authorization will be valid. The disclosure authorization form or statement also must include the names of the insurance institution or agent and identify by generic reference representatives of the insurance institution to whom the individual is authorizing information to be disclosed. Finally, the disclosure authorization form or statement also must advise the individual (or a person authorized to act on his or her behalf) that the individual (or the individual's authorized representative) is entitled to receive a copy of the authorization form. N.J.S.A. 17:23A-6(a)-(h). The length of time during which the signed authorization form will be valid varies based on the purpose for which the information will be collected. 
For authorizations signed for the purposes of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for a change in policy benefits, the signed authorization may not be valid for more than: (1) 30 months from the date the authorization is signed, if the application or request involves life, health or disability insurance; or (2) 12 months from the date the authorization is signed, if the application or request involves property or casualty insurance. For authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy, the signed authorization may not be valid for more than (1) the term of coverage of the policy, if the claim is for a health insurance benefit, or (2) the duration of the claim, if the claim is not for a health insurance benefit. N.J.S.A. 17:23A-6(g)(1)-(2).
  44. N.J.S.A. 17:23A-13.
  45. N.J.S.A. 17:23A-13.3.
  46. N.J.S.A. 17:23A-7, 8(a), 8(f).
  47. N.J.S.A. 17:23A-8(a).
  48. N.J.S.A. 17:23A-8(b).
  49. N.J.S.A. 17:23A-8(c).
  50. N.J.S.A. 17:23A-8(d).
  51. Id.
  52. N.J.S.A. 17:23A-9(a).
  53. N.J.S.A. 17:23A-9(b).
  54. N.J.S.A. 17:23A-9(c).
  55. N.J.S.A. 17:23A-9(d).
  56. N.J.S.A. 17:23A-10(a).
  57. N.J.S.A. 17:23A-10(b).
  58. N.J.S.A. 17:23A-10(d).
  59. 'Account' means a demand, time or savings deposit, or other consumer asset account, other than an occasional or incidental credit balance, held either directly or indirectly by a financial institution and established for personal, family or household purposes. N.J.S.A. 17:16K-2(b).
  60. 'Access device' means a card, code or other means of access to a consumer's account, or any combination thereof that may be used by the consumer for the purpose of initiating electronic fund transfers. N.J.S.A. 17:16K-2(a).
  61. N.J.S.A. 17:16K-2(c).
  62. 'Financial institution' means a New Jersey state or national bank, a state or federal mutual savings bank, a state or federal credit union or any other person who, directly or indirectly, holds an account belonging to a consumer. The term also includes any person who issues an access device and agrees with a consumer to provide electronic fund transfer services. N.J.S.A. 17:16K-2(d).
  63. N.J.S.A. 17:16K-3.
  64. N.J.S.A. 17:16K-4.
  65. N.J.S.A. 17:16K-5.
  66. A 'breach of security' means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure. N.J.S.A. 56:8-161.
  67. N.J.S.A. 56:8-163(a).
  68. N.J.S.A. 56:8-163(a), (c)(2).
  69. N.J.S.A. 56:8-163(d).
  70. N.J.S.A. 56:8-163(g)(1).
  71. N.J.S.A. 56:8-163(g)(2).
  72. N.J.S.A. 56:8-163(c)(1).
  73. N.J.S.A. 56:8-163(f).
  74. N.J.S.A. 56:8-163(b).
  75. N.J.S.A. 56:8-163(b).
  76. N.J.S.A. 56:8-1, et seq.
  77. N.J.S.A. 56:8-3 to 56:8-4.
  78. N.J.S.A. 17:23A-14.
  79. N.J.S.A. 17:23A-15.
  80. N.J.S.A. 17:23A-17.
  81. N.J.S.A. 17:23A-18.
  82. Id.
  83. N.J.S.A. 17:23A-20.
  84. N.J.S.A. 17:16K-6.
  85. N.J.S.A. 56:8-164(a)(1)-(6). Certain exceptions apply, for example, the law does not: (1) prevent a public or private entity from using a Social Security number for internal verification and administrative purposes, as long as the use does not require the release of the Social Security number to persons not designated by the entity to perform associated functions allowed or authorized by law; (2) prevent the collection, use or release of a Social Security number, as required by State or federal law; (3) apply to documents that are recorded or required to be open to the public pursuant to Title 47 of the Revised Statutes, to records required by statute, case law, or New Jersey Court Rules, or to the interactive computer service provider's transmissions or routing or intermediate temporary storage or caching of an image, information or data that is otherwise subject to this section. N.J.S.A. 56:8-164(b), (c), (e)-(f).
  86. N.J.S.A. 56:8-164(e).