Section 56:8-163 – Guide to Disclosure of Breach of Security to Customers
New Jersey Governor Phil Murphy signed P.L.2019, c.95 into law on 10th May 2019. This amendment to the state’s Consumer Fraud Act expands the requirements for data breach notification for organizations that create, store, and handle digital personal information.
The new law requires organizations to notify customers when their personal information has been breached. Previously, the law defined personal information as a person's first name, or first initial and last name, linked with any of the following data elements:
- Their social security number
- State identification card number
- Driver’s license number
- Debit or credit card number or account number, together with any required access code, password, or security code that would permit access to the person's financial account.
The new regulations add usernames, email addresses, and other identifying information to these data elements, along with the passwords or security questions and answers used to access an online account.
An Overview of the Additional Requirements in Section 56:8-163
The new data breach notification laws come with additional notification requirements. The law requires the following:
- Any public entity or business that compiles or maintains computerized records containing personal information and serves New Jersey residents must disclose any breach of security of those records, following discovery or notification of the breach, to any customer residing in the state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person.
- Disclosure to the customer must be made without unreasonable delay and in the most expedient time possible, consistent with the needs of law enforcement. Under this section, disclosure is not required if the public entity or business establishes that misuse of the information is not reasonably possible. Any such determination must be documented in writing and retained for five years.
- Any public entity or business that compiles or maintains computerized records containing personal information on behalf of another entity must notify that entity of any breach immediately following discovery, so that it can inform its New Jersey customers. This applies when the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.
- Any public entity or business required to disclose a breach of its customers' personal information must, before notifying the customers, report the breach and its details to the Division of State Police in the Department of Law and Public Safety for investigation or handling. This may include referral or dissemination to other appropriate law enforcement agencies.
It makes sense to notify customers quickly whenever their personal information is compromised, so they can take steps to reduce the likelihood of misuse. For instance, attackers who obtain names and Social Security numbers can use them to open new accounts in the victims' names or to commit tax identity theft.
Notifying customers early allows them to act and limit the damage.
Important Considerations During a Data Breach Notification
When notifying clients of a data breach, always have the following in mind:
- Talk to your law enforcement contact regarding the notification timing to avoid impeding the investigation.
- Select a point person in your company to release information. This contact person must have the latest updates on the security breach, your response plan, and how all the affected parties should respond.
- Consider reaching out to the affected people using toll-free numbers, letters, and websites. If there’s no contact information for every affected individual, include a comprehensive PR campaign within your communication plans, such as press releases and other news media notifications.
- Consider providing at least 12 months of support like credit monitoring, identity restoration, and identity theft protection, especially if their Social Security numbers or financial data was exposed.
What Should You Tell Your Customers After a Breach?
What your breach notice must and must not contain depends on your state's breach notification laws. Generally, unless your jurisdiction's laws state otherwise, you are required to clearly describe what you know about the breach, including:
- How the incident occurred
- What information was stolen
- How the cybercriminals have used the data
- The remediation steps you have taken
- How you are protecting the parties involved
- How they should reach the relevant contacts within your company
Speak with your law enforcement contact if you are unsure what information to include, so that your notice does not hamper the investigation.
If you serve customers in New Jersey, it is important to include the following details.
First, advise them on the next steps, given the nature of the breached data, and offer relevant contact details. For instance, advise a client whose Social Security number has been breached to request credit freezes or fraud alerts from credit bureaus. The appropriate follow-up steps depend on the type of information exposed.
Provide current information on recovering from identity theft and refer your customers to the government identity theft platform for guidance. Also, if the agency agrees, tell customers which law enforcement agency is investigating the case; identity theft victims often provide law enforcement with important information.
It’s also important to encourage anyone who notices that their data has been misappropriated to report it to the Federal Trade Commission via the identity theft platform. The site will develop a personalized recovery plan depending on the information exposed. Furthermore, the reports enter the secure Consumer Sentinel Network, a web-based database for criminal and civil law enforcement agencies.
Finally, describe how you will contact the customer. For instance, tell them whether you will only contact them by email, or that you will never call them to discuss the breach. This information substantially lowers the risk of related phishing scams and protects your company's reputation. Notably, some companies tell customers to expect the latest updates on their websites.
Other States Are Following Suit, So Don’t Lag
This new development is not limited to New Jersey's Section 56:8-163. Louisiana breach notification laws are also still pending, while Texas requires organizations to notify state residents if their data is compromised. Furthermore, Connecticut's General Statute 36a-70b has new updates that require notification whether the data was stolen or merely exposed.
All of these state laws define a security breach as the unauthorized acquisition of, or unauthorized access to, electronic data containing personal information. This covers both successful and unsuccessful phishing and ransomware attacks. Notably, the statutes do not refer to managed service providers by name, but if you provide IT solutions and services, you are responsible.
You’re in Safe Hands
Compliance with the new breach notification laws begins with the right data breach prevention measures. For the best protection, work with a reliable cybersecurity partner that is conversant with the entire US cybersecurity landscape. This is where Mathe comes in.
As your number one cybersecurity partner, we will help you secure your business data and maintain its credibility. Even better, we offer a free consultation, so speak with us today.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice, I have seen a great deal of change. The only common thread is that I have always focused on the business-wise application of technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.