Earlier this month, New Jersey joined a growing list of states that require companies to provide notification under their respective data breach laws where non-traditional personal information is compromised. In particular, New Jersey expanded the definition of “Personal Information” to include “user name, email address or any other account holder identifying information” when that information is combined with any password, or security question and answer. While a small change, it will likely prove to be an impactful one, especially for companies that require a username and password for login purposes. Under the amendment, disclosure of this information alone, even absent traditional personal information, would trigger the law’s notification requirements. The amendment takes effect on September 1, 2019.
New Jersey’s amendment follows a nationwide trend to expand the definition of “Personal Information” in order to broaden the scope of data breach notification laws. For example, just three days before the enactment of New Jersey’s amendment, Washington expanded the definition of “Personal Information” in its data breach notification law to include username-password combinations, biometric data, passport ID number, and medical information. Washington’s amendment went a step further by shortening the time period companies have to provide notification in the event of a breach from 45 days to 30 days.
Companies that conduct business in New Jersey or Washington, or collect personal information from residents of those states, should reevaluate their data breach incident response plans to incorporate these new amendments. For questions on these amendments, data breach notification laws, or cybersecurity and incident response programs, please contact John Landolfi, Chris Ingram, Chris LaRocco, or your Vorys attorney.