On December 15, 2008, the New Jersey Division of Consumer Affairs proposed rules under the Identity Theft Prevention Act that will apply to every entity doing business in New Jersey and every New Jersey public entity that possesses computerized personal information, holds records containing personal information that are to be destroyed, or has access to the Social Security numbers of New Jersey residents. The Act defines personal information as information that links an individual’s first name or initial and last name with a Social Security number, a driver’s license or state identification card number, or an account, credit card, or debit card number in combination with any required security or access code, password, security question or authentication device. The proposed rules require every business or public entity to maintain a written information security program. In addition, a business or public entity is required to report a breach of security to the Division of State Police before notifying the affected individual of the disclosure. Disclosure is not required if a determination is made that misuse of the personal information is not reasonably possible. However, the entity must maintain a written record that includes how and by whom the investigation was performed and a brief description of the facts that formed the basis for the decision not to disclose the security breach.