New Jersey Data Breach Notification Law

Notification deadline: Most expedient time possible, no later than 30 days

Enforcement: New Jersey Attorney General, Division of Consumer Affairs

Overview

New Jersey requires businesses to notify affected residents "in the most expedient time possible" but no later than 30 days after confirming a breach. Recent amendments expanded the scope to include username/password combinations.

Who Must Be Notified

• • Affected New Jersey residents (within 30 days)
• • New Jersey Division of State Police
• • Consumer reporting agencies (if 1,000+ residents affected)

Covered Data Types

Social Security number, Driver's license number, State ID number, Financial account number with access code, Credit/debit card number, Username with password or security questions, Dissociated data if linked together

Notification Requirements

• • Written, electronic, or telephonic notice within 30 days
• • Must notify NJ Division of State Police before notifying residents
• • Description of breach and types of information involved
• • Contact information for business and credit bureaus
• • Notify consumer reporting agencies if 1,000+ residents affected

Exemptions

• • Encrypted data (if key not compromised)
• • Entities in compliance with GLBA, HIPAA
• • Good faith acquisition by employee

Penalties

Civil penalties up to $10,000 for first violation, $20,000 for subsequent violations. AG can seek injunctions and additional penalties.