Over the past several months, there have been numerous instances of significant data privacy breaches reported in the news, from Facebook, which experienced a data breach affecting over 540 million users, to Microsoft, Capital One, T-Mobile, and Volkswagen. These are some of the largest companies in technology, communications, and transportation. If these large companies, with their significant IT budgets and arguably unlimited resources, are unable to protect against data breaches, smaller companies are understandably left wondering when they will be next and whether such a breach will destroy their business.
Following in the footsteps of Ohio and Utah, New Jersey legislators have recently introduced a bill that could provide businesses with protection from the litigation that usually follows these data breaches. In short, if approved, Senate Bill S3062 would provide an affirmative defense for data breaches.
To be able to assert the legal defense, companies have to create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information or restricted information, or both, and that reasonably conforms to an industry recognized cybersecurity framework. A covered entity's cybersecurity program is to be designed to protect against the following:
- breaches of the security and confidentiality of personal information, restricted information, or both;
- any anticipated threats or hazards to the security or integrity of personal information, restricted information, or both; and
- unauthorized access to and acquisition of personal information, restricted information, or both that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The bill further requires that the scale and scope of a covered entity's cybersecurity program is to be based on all of the following factors:
- the size and complexity of the covered entity;
- the nature and scope of the activities of the covered entity;
- the sensitivity of the information to be protected;
- the cost and availability of tools to improve information security and reduce vulnerabilities; and
- the resources available to the covered entity.
Moreover, the bill permits the Director of the Division of Consumer Affairs in the Department of Law and Public Safety ("Director") to deem a covered entity's cybersecurity program, required by the bill, to reasonably conform to an industry recognized cybersecurity framework if the covered entity's cybersecurity program reasonably conforms to any of the cybersecurity frameworks or provisions of law enumerated in the bill. A determination of reasonable conformance by the Director would be considered by a court as evidence in order to determine whether the covered entity is entitled to an affirmative defense. However, a covered entity may raise the affirmative defense in court without the Director's determination of reasonable conformance. Absent the Director's determination of reasonable conformance, the court may determine reasonable conformance pursuant to the standards set forth in the bill.
The purpose behind the bill is to entice businesses to proactively plan ahead and create a cybersecurity program that might avoid a potential data breach, rather than to be reactive if and once a data breach occurs. As is clear from the framework, however, complying with the requirements of the bill is onerous and expensive, and might scare some companies off from utilizing the legal mechanism. However, if the legislation is enacted, it will provide all companies – from the small local shop to the largest corporations – with an opportunity to shield themselves from costly and time-consuming litigation that may result from a data breach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.