New Jersey recently signed into law Senate No. 52, which amends the state’s data breach notification provisions with regard to online account information. The amendments expand the definition of “personal information” (which comprises an individual’s first name or first initial and last name linked with one or more data elements specified in the statute) to include username, email address, or any other account holder identifying information, combined with any password or security question and answer that would allow access to an online account. In addition, while maintaining the current general security breach customer disclosure provisions, the new provisions add that, notwithstanding the existing notice methods, if a security breach involves a username or password combined with any password or security question and answer that would permit access to an online account (and no other personal information was involved), the business or public entity experiencing the breach may notify affected customers via electronic or other form that directs the customer whose personal information has been breached in this context to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the business or public entity and all other online accounts for which the customer uses the same username or email address and password or security question or answer.
Further, for breaches involving an email account, a business or public entity may not provide notice of the breach via the compromised email account. Instead, notice must be provided by one of the other methods described in the law, or by clear and conspicuous notice delivered online to the customer when the customer is connected to the online account from an IP address or online location from which the entity knows the customer customarily accesses the account.
The amendments take effect on September 1, 2019.