After receiving a deluge of criticism following the April 2007 release of proposed data privacy rules pursuant to the state's Identity Theft Prevention Act, the N.J. Division of Consumer Affairs released revised "pre-proposal" data security regulations on December 15, 2008. The pre-proposal rules impose less of a burden on regulated entities than the previous incarnation.
Like the previous draft, the new pre-proposal would require entities that do business in N.J. or possess personal information pertaining to N.J. residents to implement a comprehensive written data security program. The newly proposed rules would eliminate a number of previously suggested security requirements (e.g., mandating the use of encryption that conforms to the Federal Information Processing Standard, the installation and updating of anti-virus software within specific timeframes, and passwords that are seven characters in length or greater) that were considered unreasonably onerous as applied to many regulated businesses. In their place, the pre-proposal regulations provide a general list of "non-exclusive illustrations" that covered entities would be encouraged, but not required, to use in developing a compliant data security policy.
The new proposal also contains significant amendments to the breach notification requirements. Whereas the prior proposal required entities to notify the state police within 6 hours of discovering a breach and to notify affected consumers within 24 hours after the police authorized such notification, the new rules do not require disclosure if the "misuse of personal information accessed is not reasonably possible." Even if misuse of the exposed data is possible, the 6-hour deadline for notifying the police has been eliminated and the 24-hour deadline for notifying consumers of the breach has been replaced with a more flexible "as expeditiously as possible" standard. It is also notable that the new proposal has replaced language that would have created "a duty to mitigate any damage created by the breach of security" with a requirement that regulated entities "make all reasonable efforts...to prevent further release of or access to the personal information that has been accessed."
Comments on the pre-proposal are due February 13, 2009, and should be directed to David Szuchman, Director of the Division of Consumer Affairs, 124 Halsey Street, P.O. Box 45027, Newark, NJ 07101.