|Breach Disclosure Act|
|CITATION||N.J. Stat. 56:8-163|
|SUMMARY||The law requires that if an individual or a commercial entity that conducts business in New Jersey and that owns or licenses computerized data that includes personal information about a resident of New Jersey becomes aware of a breach of the security of their computer system, the business or entity must conduct a prompt investigation to determine whether personal information has been compromised and to assess the risk of misuse. The law also requires that the individual or commercial entity provide notice as soon as possible to the affected New Jersey resident, unless the investigation determines that misuse of information about a New Jersey resident has not occurred and is not reasonably likely to occur.|
The law covers first name or initial and last name in combination with any one of the following:
The law excludes from notification obligations data that is redacted or secured by other methods that render it unreadable or unusable.
The law provides that dissociated data, if linked, would constitute ‘Personal Information’ if the means to link the dissociated data were accessed in connection with access to the dissociated data. Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
|INDUSTRY||Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include Personal Information, or any business or public entity that compiles or maintains such records.|
|PENALTIES||A fine of up to ten thousand dollars ($10,000) if the violator knew or should have known that the victim is a senior citizen or a disabled person. A fine of up to thirty thousand dollars ($30,000) if the violation was part of a scheme that targeted senior citizens and/or the disabled.|