New Jersey’s personal information data breach laws contain a safe harbor for entities that use encryption (specifically, the New Jersey Statute 56:8-161 and 56:8-163). I’m not a lawyer, but thankfully the law is written clearly and is easy to follow.
As defined under 56:8-161, when it comes to data, a “breach of security” is
…unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [my emphasis]
Of course, the law being the law, a definition of “personal information” is also required. It’s actually a combination of factors. First, personal information must include a last name and either a first name or the first initial, and it must be combined with any of the following:
- Social Security number;
- Driver’s license number or State identification card number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
So, What If There Is A Breach?
If your company loses, say, a laptop computer or a USB stick, and it was not protected via encryption software, it will have to disclose said breach to customers.
The law does give the company some leeway. According to 56:8-163, disclosure is not necessary if the company “establishes that misuse of the information is not reasonably possible.”
One can see how such a provision could be abused. For example, even if hard disk encryption was not used on a stolen laptop with sensitive info, one could (in a state of denial or drug-induced misjudgment) come to the conclusion that there’s no risk to the customers. Which is why the law also requires that “any determination shall be documented in writing and retained for five years.”
In other words, you may have to justify your conclusions if the law comes knocking around.
OK, so you make the determination that you’ve got to announce a data breach and contact those who were affected. How do you do it?
According to 56:8-163, if the cost of providing notice is $250,000 or less, it must be a “written notice” or an electronic notice that is consistent with “section 101 of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. s.7001).”
A substitute notice to the above can be made if:
- The cost of notification exceeds $250,000; or,
- The number of people to be notified exceeds 500,000; or,
- There isn’t sufficient contact information to notify everyone directly.
Substitute notices must include:
- Notification to major statewide media; and,
- E-mail notice; and,
- Posting on the company’s website.
And that’s just for getting in touch with people whose information was exposed. There are other requirements dealing with law enforcement, consumer reporting agencies, and other issues.
I guess the gist of the law is, use encryption programs to secure any sensitive information at your company. Oh, and it goes without saying, get yourself a good lawyer…