The headlines are constant: Millions of accounts hacked. Health and financial data stolen. Personal information shared widely with advertisers and technology companies.
New Jersey is not immune. More than 4 million New Jersey accounts were affected by security breaches in 2017, according to the most recent state estimates, and a Pew survey published that year found that a majority of Americans have personally experienced some sort of data theft or fraud.
Welcome to the new normal.
Against that backdrop, New Jersey is starting to grapple with some of the thorniest questions of the digital age. Yes, consumers can take steps to protect themselves online, as outlined by the state’s cybersecurity unit. But what responsibilities do companies have in collecting your personal information? Who controls that data? And what should be done if it's compromised?
State policymakers are debating those issues right now. New Jersey law already requires companies to tell customers when information such as Social Security or credit card numbers is hacked, but a bill on Gov. Phil Murphy’s desk would expand that list to include things like email addresses and passwords, which are often all that is needed to break into an online account.
Other measures working their way through the Legislature would allow online users to opt out of having their personal information shared with third parties and require mobile apps to better inform users of how their location data may be used.
The reexamination of New Jersey’s laws governing cybersecurity and online privacy comes in the wake of numerous high-profile data breaches — affecting Marriott, Yahoo, Panera, Under Armour, Target, Equifax and Home Depot, to name just a few companies — and as incidents like the Cambridge Analytica scandal involving the unauthorized use of Facebook profiles have made people more sensitive to how tech firms monetize user-generated information.
This month, The New York Times reported that Facebook is under criminal investigation for data-sharing deals it made with scores of other technology companies that provided intrusive access to users' personal information.
Dozens of other states are looking to update their consumer protection policies, too. At least 31 states, for example, considered legislation to amend existing security breach laws last year, according to the National Conference of State Legislatures.
“It is absolutely a best practice for states to be reviewing their current data breach notification laws and any of the laws that are around identity crimes and cybersecurity and things of that nature because this is such a dynamic space,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit that offers free assistance to victims of identity theft and provides educational resources about online fraud and security.
Her organization tracked 1,244 security breaches that occurred throughout the U.S. in 2018, exposing a staggering 447 million records — more than double the number of records exposed the previous year.
The proposals in New Jersey could have sweeping effects on consumers and companies alike.
The measure closest to becoming law, S-52, would force companies to disclose data breaches involving an expanded definition of “personal information.” The bipartisan bill was approved unanimously in the Legislature and now awaits a signature or veto by Murphy, a Democrat.
Current state law mandates that companies tell customers when their driver’s license numbers, Social Security numbers, account numbers or credit or debit card numbers have been compromised. The bill would expand that list to include user names, email addresses and passwords or security questions and answers that could be used to gain access to an online account.
“You take someone’s user name and password — that can already be linked to their credit card account” on many websites, said Sen. Troy Singleton, D-Burlington, a sponsor of the bill. With notification of the breach, however, consumers can potentially take defensive measures or at least monitor the compromised account more closely, he said.
Another bill that has yet to receive a hearing in committee, A-3541, gets to the heart of another big question after security breaches: When do customers have the right to know that their information was compromised?
Current law simply says disclosures must be made “in the most expedient time possible and without unreasonable delay.” The bill would accelerate that timeline, requiring companies to disclose a breach to customers within five days of discovering it unless it is still under investigation by the company or law enforcement.
Other proposals would change what data companies have control of in the first place.
One measure, A-4974, would require mobile apps that collect users’ GPS data to share how that data is used and require users to opt in to the disclosure of that data to third parties, such as advertisers.
Another measure, S-2834, is modeled on language from the European Union’s sweeping new data protection legislation, known as the General Data Protection Regulation, or GDPR. It would require commercial websites and services to tell users all the “personally identifiable information” they collect and give users a chance to opt out of having that data shared with third parties.
A similar provision was included in the California Consumer Privacy Act, which was also modeled on the GDPR and signed into law last year.
Those bills, which have been approved in one committee but must clear several more procedural hurdles before becoming law, have encountered resistance from companies whose business models depend on the collection and sale of personal information.
At a hearing in Trenton last month, Gerard Keegan, vice president for state legislative affairs with CTIA, a trade association for the wireless communications industry, argued that the proposals would have unintended consequences and could undercut many of the products and services that people enjoy.
“Many news sites, online content providers, apps provide those services and products free of charge because they are supported by advertising,” Keegan said. “To force those companies to still provide those services and products to consumers who won’t share identifying information with advertisers is wrong and will possibly lead to those companies' being shut down in the state.”
The future of the bills remains uncertain, but their introduction reflects a growing awareness among residents and lawmakers about how information shared online can be used, abused or stolen.
Asked for her suggestions about how people can improve the security of their personal information, Velasquez, of the Identity Theft Resource Center, emphasized the need to think critically about where to share such information in the first place.
“Once you release data or provide data to an entity, the ball is now in their court to be good stewards of that data,” she said. “Make that decision carefully. Give it the thought and provide it the internal weight that it deserves.”