New Jersey Passes Updated Data Breach Law

On May 10, 2019, New Jersey enacted Assembly Bill 3245, expanding the definition of personal information under the state’s data breach notification requirement. New Jersey joins a growing number of states that have recently updated their breach notification rules. Effective September 1, 2019, A.B. 3245 will add usernames, email addresses, or “any other account holder identifying information in combination with any password or security question and answer that would permit access to an online account” to New Jersey’s definition of “personal information” – and correspondingly expand the circumstances in which companies may be required to report a breach to both individuals and state authorities. Previously, New Jersey’s definition required notification only if a breach involved information such as Social Security numbers, driver’s license numbers, or credit and debit card information in combination with any required security or access code.

Several other states have also recently updated their data breach laws, including Washington’s enactment of its own H.B. 1071 on May 7, 2019. The National Conference of State Legislatures now reports that at least 19 states are considering legislation that will alter or expand their breach notification rules in some way, typically to (1) expand the definition of personal information; (2) establish or shorten the timeline for breach reporting; (3) establish a requirement to report to the attorney general; or (4) require free credit freezes for victims of breaches.