In response to the growing problems of identity theft, the New Jersey Division of Consumer Affairs has published proposed regulations implementing provisions of the New Jersey Identify Theft Prevention Act (ITPA), N.J.S.A. 56:11-44. The proposed regulations establish the duties of New Jersey businesses and public entities that possess computerized personal information (social security numbers, driver’s license numbers, credit or debit card numbers) of New Jersey residents to prevent unauthorized access to electronic files containing personal information. The regulations also impose disclosure and notification requirements in the event of a breach.
The proposed regulations require New Jersey businesses that maintain personal information on any New Jersey residents (including employees and customers) to establish a comprehensive written information security program designed to protect the personal information. The protection program must be appropriate to the size and complexity of the business and the nature and scope of its activities. The program must be designed to: (1) ensure the security and confidentiality of personal information; (2) protect against any anticipated threats to security of the information; and (3) protect against unauthorized access to or use of the customer’s personal information that could result in substantial harm or inconvenience. Regular testing and monitoring of the key controls, systems and procedures of the security program must be conducted and businesses will be required to confirm that their service providers are taking appropriate steps to ensure the security of the information as well. Businesses would be required to implement the comprehensive written information security program within one year of the adoption of the regulations.
The proposed regulations require that businesses disclose and notify the New Jersey State Police and the affected individual in the event of a breach of security. The notification must include information regarding the type of data believed to have been improperly accessed and information regarding how the affected individuals can protect themselves against damage from identity theft.
If adopted, the willful failure to comply with these regulations may subject a business to liability under the New Jersey Consumer Fraud Act. Written comments on the pre-proposed regulations can be submitted to the Division of Consumer Affairs until February 13, 2009.