New Jersey Assembly Committees Advance Breach, Health Security Bills

Oct. 27 — Bills aimed at addressing the privacy and security of online accounts (A. 3146) and personal health information (A. 3322) were released by New Jersey Assembly committees Oct. 23.

The Assembly Consumer Affairs Committee reported A. 3146, which would amend the New Jersey statute that requires businesses and public entities that compile or maintain computerized records containing information that permits access to an online account to disclose any breach of the security of the information.

N.J. Stat. Ann. § 56:8-163 requires disclosure of data security breaches involving (1) Social Security numbers, (2) driver's license numbers or (3) credit or debit card numbers, in combination with any required security code, access code or password that would allow access to an individual's financial account.

A. 3146 would amend Section 56:8-161 to expand the list of breaches requiring disclosure to user names, e-mail addresses or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.

“Identity theft is one of the fastest growing crimes in the country,” Assemblyman Troy Singleton (D), a co-prime sponsor of the measure, said in an Oct. 23 statement. “What we have learned from the recent security breaches at major retailers is that they can happen anywhere and to virtually any company, large or small. It is essential for consumers to be kept informed of data breaches so that they can take the necessary steps to protect their information.”

Password-Protection Program Insufficient

The Assembly Financial Institutions and Insurance Committee released A. 3322, which applies to health insurance carriers that compile or maintain computerized records containing personal information.

Personal information would be defined as a person's first name or first initial and last name linked with one or more data elements, including his or her Social Security number, driver's license or state identification card number, address or identifiable health information.

Under the measure, the information would have to be encrypted or secured by some other method or technology that made it “unreadable, undecipherable or otherwise unusable by an unauthorized person.”

A password-protection program alone would be insufficient, unless it rendered the personal information unusable by an unauthorized person who operated, altered, deleted or bypassed the password-protection program.

The requirements of the bill would apply to end-user computer systems, such as desktop and laptop computers, tablets or other mobile devices or removable media, and computerized records transmitted across public networks.

Violations would come under the New Jersey Consumer Fraud Act, N.J. Stat. Ann. §§ 56:8-1–56:8-80, which provides for penalties of up to $10,000 for a first offense and $20,000 for subsequent offenses, a cease and desist order from the state attorney general and a potential award of treble damages and costs to the injured party.

Assemblyman Gary S. Schaer (D), who co-sponsored the bill, said in an Oct. 23 statement that it is “a reasonable requirement to protect personal privacy in this digital age.”

Both bills are in position for a floor vote in the Assembly, after which they would move to the Senate.

If enacted, A. 3146 would take effect on the first day of the fourth month after enactment. The effective date for A. 3322 would be the first day of the seventh month after enactment.
