Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expedient time possible and without unreasonable delay
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to entities that conduct business in the state and that compile or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if entity established that misuse of the covered info is not reasonably possible. Any determination must be documented in writing and retained for five years.
Unauthorized access that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or secured by any other method or technology that renders it unreadable or unusable.
Form of Covered Info
- An individual's first name or first initial and last name linked with any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number.
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
- Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
Consumer Notice Timing
Must be made in the most expedient time possible and without unreasonable delay and consistent with any measures necessary to determine the scope of the breach and to restore the integrity of the system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice if only a username and password were breached, notification can be in electronic or other form that directs the individual to promptly secure their account(s). A business that provides email accounts shall not send notification to email accounts that were breached but must use other specified methods of notification. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Content requirements are not specified.
Notification may be delayed if law enforcement determines that notification will impede a criminal or civil investigation and requests that notification be delayed.
In advance of any disclosure to the consumers, must report breach and any information pertaining to it to the Division of State Police in the Department of Law and Public Safety. The notice must include any information pertaining to the breach.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
The New Jersey general breach notification statute allows for a private right of action.
Violations may result in civil penalties.