On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey's data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.
The amendment will require businesses subject to the law to notify New Jersey residents of a breach of security affecting a resident's "user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." The amendment specifies that businesses may provide notification of breaches of such information in "electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the business...and all other online accounts for which the customer uses the same user name or email address and password or security question or answer." The amendment further specifies that a business may not provide notification to an individual's email account that has been subject to a security breach, and must instead provide notice by another method specified under the law or "by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an [IP] address or online location from which the business...knows the customer customarily accesses the account."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.