New Jersey Statutes § 56:8-161 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of security” means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
When is notice required?
Notice is required for all affected residents "...in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement ... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." Prior to reporting to residents, disclosure must be made to the Division of State Police for investigation, which could cause delays in reporting. Notice to residents may be written, electronic, or via "substitute notice" procedures, depending on circumstances. If over 1,000 residents are affected, then notice must be given to credit reporting agencies as well.
What are the penalties for non-compliance?
Violations are treated as unlawful practices and are prosecuted in accordance with the rules stipulated in § 56:8-166, which reads as follows:
"It shall be an unlawful practice and a violation of P.L. 1960, c. 39 (C. 56:8-1 et seq.) to willfully, knowingly or recklessly violate sections 10 through 13 [C.56:8-161 through 56:8-164] of this amendatory and supplementary act."