New requirements effective January 1, 2006

Acting Governor Richard J. Codey signed into law the New Jersey Identity Theft Prevention Act ("Act") on September 22, 2005. The Act, which takes effect on January 1, 2006, amends and supplements the New Jersey Fair Credit Reporting Act to affirmatively obligate New Jersey businesses to safeguard against identity theft. According to Codey, it is one of the most expansive identity theft laws in the United States. The Act provides for civil remedies, including the payment of fines, actual damages, attorneys’ fees, costs and injunctive relief for violations of the law.

As of January 1, 2006, all New Jersey businesses will be required to take steps to protect personal information relating to any individual, including customers and employees. The Act broadly defines "personal information" to include any information that identifies, relates to, describes or is capable of being associated with an individual — including, but not limited to, the individual’s first and last name, Social Security number, driver’s license number, signature, image, date of birth, medical information, account number, account password or PIN.

Furthermore, the Act limits New Jersey businesses in how they may use and display Social Security numbers on printed material. It also requires that any New Jersey business handling personal information "take all reasonable measures to protect against unauthorized access to or use of [personal] information." "Reasonable measures" include implementing procedures to burn, pulverize or shred paper and render electronic information unreadable. If an individual’s personal information has been compromised, the business must notify that person within 15 days of the occurrence. In addition to destroying personal records as defined by the Act, businesses must maintain and monitor document destruction policies and procedures.

The new legislation has a direct impact on New Jersey employers. Policies and procedures governing document access, retention and destruction must be in writing, and they must be comprehensive and described as "official policy" in employee handbooks and corporate documents. Additionally, New Jersey employers performing employee background checks must provide current and prospective employees with a specific statement regarding the organization’s newly created mechanism for placing a security freeze on an individual’s consumer credit report.

The Act governs background checks of prospective or current employees more broadly than existing federal regulations promulgated by the Federal Trade Commission ("FTC") under the Fair and Accurate Credit Transactions Act of 2003 (aka the "FACT Act" or "FACTA"). The FACT Act, which was signed into law on December 4, 2003, amended the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. 1681 et seq. The FTC requires that credit reports and information derived from credit reports be properly disposed of through "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The FTC intended small businesses to have some flexibility in determining what measures are reasonable: "What is considered ‘reasonable’ will vary according to an entity’s nature and size, the costs and benefits of available disposal methods, and the sensitivity of the information involved." This flexible approach in handling personal information is not reflected in the New Jersey law. Moreover, the latter applies to all New Jersey businesses, while the FACT Act applies only to information derived from a consumer report as defined by the FACT Act.

All New Jersey businesses should now revise and strengthen existing policies and procedures governing confidential information relating to employees, vendors, suppliers and customers. In addition, New Jersey businesses should perform an internal audit of their background check procedures, confidentiality and privacy policies and document access, retention and destruction policies. At a minimum, businesses would do well to take the following steps:

1. Implement, enforce and monitor document destruction policies and procedures. Appropriate document destruction policies and procedures should be drafted and implemented after consulting counsel experienced in this area of law. These policies and procedures must then be enforced. Simply placing personal information in the trash is no longer acceptable. Rather, documents should be shredded or otherwise destroyed so that the information cannot be read or reconstructed. A business that contracts with a disposal company to destroy records must have some assurance that its records — paper and electronic — will be handled confidentially and properly destroyed.

2. Research, monitor and manage relationships with suppliers, vendors and other third parties. Take measures to ensure that suppliers, vendors and other third parties with access to personal information are reputable. Have them sign an appropriate confidentiality agreement that includes a commitment to comply with the law and an indemnification agreement for noncompliance.

3. Limit access to personal information. Restrict access to personal information only to employees who have a legitimate business need for the information, and ensure that those employees sign an appropriate confidentiality agreement.

4. Train employees to handle personal information confidentially. Employees privy to personal information should receive training on how to maintain confidentiality.
