Data security and privacy are two of the most pressing economic and personal concerns for New Jersey residents. In 2016 alone, over 116,000 accounts in New Jersey were affected by data theft.
Consumers now give sensitive personal information to businesses on a daily basis, with the assumption that the retailer will keep this information secure. In some cases, businesses can be sued if their failure to protect customers' information from theft causes harm to those customers.
While the vast majority of merchants operate legally, there are occasionally individuals who want to profit by misusing, illegally collecting, or illegally selling consumers' personal information.
Please read on to understand data breach laws in NJ, legal actions in case of a breach, and how to ensure you are safe from data breach charges.
What’s a Data Breach?
A data breach is an illegal action whereby sensitive, confidential, and/or protected data is improperly acquired and/or disclosed. Data breaches are a risk for any business that accepts credit cards or stores client information.
Client information susceptible to theft includes:
- Account number, debit or credit card details, including security code, access code or password.
- Username, email address, passwords, security questions.
- Driver’s license or state ID number.
Best Action After a Data Breach
The Identity Theft Prevention Act of New Jersey specifies when and how firms must respond to a security breach. New Jersey firms must respond whenever the personal information of a state resident is accessed, or is suspected of having been obtained, by an unauthorized person.
Businesses must report a data breach "as soon as practicable and without unnecessary delay." Delays are only authorized if a notification might interfere with a criminal or civil inquiry. Companies must contact the New Jersey Department of State Police in the Department of Law and Public Safety prior to disclosure for investigation, which might include reporting to other law enforcement agencies.
Businesses that fail to notify residents immediately may face civil litigation, which can result in paying three times the actual damages suffered by an affected party, plus legal expenses and costs.
Furthermore, firms may be required to destroy data, pay significant fines to the state of New Jersey, and develop Corrective Action Plans, including cybersecurity reforms.
To uphold their legal defense, businesses must design, maintain, and conform with a documented cybersecurity program that includes managerial, technical, and physical protections for the privacy and security of customer data, restricted information, or both.
Strong passwords, security questions, two-step authentication, and one-time passwords can provide reasonable protection for your organization and any employees who access the data, lowering the possibility of unwanted data acquisition.
A security audit of the various forms of personal information, unique identifiers, and other data elements in your data systems is a good way to protect clients' personal data.
Additionally, your business should design its cybersecurity program to protect sensitive personal data from:
- Violations of personal information data confidentiality;
- Any foreseeable threats to the security or integrity of personal information or restricted information; and
- Illegal access or purchase of personal information.
Get Liability Insurance
A cyber attack may be costly, which is why cyber liability insurance is essential for organizations that handle personal information.
It might be costly to notify those affected and to pay for credit monitoring. You'll have to examine and remedy your security flaws while potentially losing income, dealing with a ransomware attack, and paying government fines.
Although this guide does not cover every cyber security law that applies to US organizations, it provides a good basic understanding of New Jersey’s requirements. Lastly, when organizations guarantee that they have numerous layers of cyber security in place, they are safe against hackers and less likely to lose a data breach lawsuit due to a lack of precautionary steps.