New Jersey Enacts Identity Theft Prevention Act
Effective January 1, 2006, individuals and entities conducting business in New Jersey, whether or not organized under the laws of New Jersey, face tough new privacy laws regarding the handling and disclosure of customer (and employee) personal information. By enacting the Identity Theft Prevention Act, P.L. 2005, c.226, New Jersey joins a growing number of states that have adopted stringent consumer privacy and anti-identity theft laws. Under the Act, an entity that “willfully, knowingly, or recklessly” (1) discloses customer personal information, (2) fails to notify its New Jersey customers of a breach of security, or (3) does not appropriately destroy customer personal information is now subject to penalties of up to $20,000 per offense and may be liable in a civil action by the customer for treble damages and attorneys’ fees. The Act also allows consumers to place a “security freeze” on their credit reports. In considering the scope of the statute it is important to realize that the statutory definition of “customer” is likely to sweep in persons, such as employees, who would not ordinarily be considered a “customer.”
What Businesses Need to Know
Who Does the Act Apply To?
Relative to the security of “personal information,” the Act applies to any “sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of [New Jersey], any other state, the United States, or of any other country, or the parent or subsidiary of a financial institution.”
What Constitutes “Personal Information”?
“Personal Information” means an individual’s first name (or first initial) and last name that is linked with one or more of the following:
- the individual’s Social Security number (SSN)
- the individual’s driver’s license number or state identification number
- the individual’s account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account
Examples of affected data may include: health benefit cards, retirement/401k account cards, I-9 Employment Eligibility Verification forms, direct deposit authorization forms, etc.
Data that has been disassociated but that, if linked, would constitute personal information is itself personal information (as defined by the statute) if the means to link the data are available in the accessed data.
What Is Prohibited?
No person or entity, private or public, shall:
- publicly post or display an individual’s SSN, or any four or more consecutive numbers from an individual’s SSN
- print an individual’s SSN on any materials mailed to the individual (unless required by State or federal law)
- print an individual’s SSN on any card required for the individual to access products or services provided by the entity
- intentionally communicate or otherwise make available to the general public an individual’s SSN
- require an individual to transmit his/her SSN over the Internet, unless the connection is secure or the SSN is encrypted
- require an individual to use his/her SSN to access an Internet Web site, unless a password or other authorization device is also required to access the site
What Are the Customer Record Destruction Requirements?
Under the Act, every business or public entity must destroy (shred, erase, or otherwise make undecipherable) all customer records that contain personal information once the record is no longer to be retained by the business or public entity.
Since the Act defines “customer” as “any individual who provides personal information to a business,” most employees of a company are likely to fall into the category of “customer,” which means that companies will also need to ensure that employee records are destroyed appropriately.
The Act’s records destruction requirements are in addition to the federal law requirements stated in the Fair and Accurate Credit Transactions Act (FACT), which require the destruction of consumer information derived from credit reports. Since the Act is more expansive with regard to the destruction of personal information, compliance with the Act’s destruction requirements should also satisfy the FACT record destruction provisions. However, in addition to any penalties and damages allowed under the Act (see below), failure to comply with the FACT requirements could expose the business to nationwide class actions for actual damages and statutory damages of $1,000 for each separate violation. Moreover, federal and state authorities may bring legal enforcement actions for each violation of the FACT disposal regulations.
What Is Required if There Is a “Breach of Security”?
If there is an unauthorized access to electronic files, media, or data containing personal information maintained by any business that conducts business in New Jersey, then that business must disclose the breach to any affected “customers” as broadly defined (in all likelihood including employees) who reside in New Jersey. Any business or public entity that compiles or maintains computerized records that include personal information on behalf of another business or public entity must notify that business or public entity, which must then notify its New Jersey customers/employees of any breach of security. However, disclosure of a breach of security to a customer/employee is not required if the business or public entity establishes that misuse of the information is not reasonably possible (any such determination must be documented in writing and retained for five years).
Customer/employee notification must be made in the most expedient method possible and without unreasonable delay. In advance of the disclosure to the customer, the breach must be reported to the State Police for investigation or handling.
Customer/employee notification may be made by one of the following methods:
- written notice
- electronic notice (in accordance with the Electronic Signatures in Global and National Commerce Act (15 U.S.C. §7001))
- substitute notice, if the business or public entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business or public entity does not have sufficient contact information; substitute notice shall consist of all of the following:
  - e-mail notice when the business or public entity has an e-mail address
  - conspicuous posting of the notice on the Internet web site page of the business or public entity, if the business or public entity maintains one
  - notification to major statewide media
However, a business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information may be considered in compliance with the notification requirements of the Act if the business or public entity notifies the subject customers in accordance with its notification procedures.
In addition to these requirements, if a breach of security requires the notification of more than 1,000 persons, the business or public entity must also notify, without unreasonable delay, all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis.
What Are the Possible Damages for a Violation?
Under the Act, an entity that “willfully, knowingly, or recklessly” (1) discloses customer/employee personal information as discussed above, (2) fails to notify its New Jersey customers/employees of a breach of security as discussed above, or (3) does not appropriately destroy customer/employee personal information as discussed above, could be subject to civil penalties of up to $20,000 per offense (even more if senior citizens are involved) and may be liable in a civil action by customers for treble damages and attorneys’ fees.
What Businesses Need To Do
All businesses doing business in New Jersey or having customers or employees in New Jersey will need to take great care in the security and destruction of information bearing an individual’s name and Social Security number (e.g., benefits and tax information), driver’s license information (e.g., I-9 forms), bank account information (e.g., direct deposit authorization forms), and any other personal information covered by the Act. Businesses will also need to reevaluate their data security, retention and destruction policies to ensure they are in compliance with the Act and that they can adequately protect against an unauthorized disclosure of personal information (i.e., a breach of security). Further, companies will need to work with their information technology and security (and possibly public relations/media) departments, or work with outside vendors, to develop proper protocols for the notification of New Jersey customers and employees of any breach of security. Additionally, businesses will have to restrict the use of individuals’ Social Security numbers, driver’s license numbers, or other financial account data by, for example, ceasing to use them with respect to employee benefits (e.g., health care benefit cards, 401(k) accounts, etc.). Of course, proper documentation of the company’s actions will be necessary in the event of any claims.
New Jersey is just one of a growing number of states (Arkansas, California, Delaware, Florida, Georgia, Illinois, Indiana, Maine, Maryland, Massachusetts, Minnesota, Montana, North Dakota and Washington) that have enacted some form of identity theft protection legislation. As a result, businesses must ensure they are familiar with the state laws of each state in which they do business or have customers and employees to ensure they are in compliance with that state’s law. Eventually, federal identity theft legislation, which is currently pending in both the House and the Senate, may preempt all state law in this area. Until then, businesses need to be aware of the numerous, often onerous, and possibly quite costly state consumer identity theft laws in place and ensure compliance with the applicable laws.