The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states, including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), as well as sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), in requiring a written information security program.
The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include:
- Designating one or more employees to be in charge of the ISP;
- Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules;
- Obligating a company to conduct due diligence when engaging third-party service providers with access to the company’s records containing personal information to ensure appropriate security measures exist;
- Reviewing – at least annually – the scope of the security measures implemented by the ISP;
- Mandatory documentation of responsive actions relating to data breaches and security incidents; and
- In-transit encryption of records containing personal information across public networks or via wireless networks, as well as at-rest encryption of records containing personal information on laptops and portable devices.
The bill also makes it an unlawful practice under the New Jersey Consumer Fraud Act to willfully, knowingly, or recklessly violate the provisions of the bill. Such “unlawful practices” will be punishable by a fine up to $10,000 for the first offense and up to $20,000 for each subsequent offense. In addition, the Attorney General can send violators a cease and desist order, requiring them to stop the collection, processing, or use of personal information. Further, violators may also be subject to punitive damages, treble damages, and costs to injured parties.
The proposed legislation represents yet another step in the continuing march of state and federal authorities to require all individuals and businesses that acquire, own, or license personal information of customers and employees to implement baseline data security measures. As a result, individuals and businesses that acquire, own, or license personal information on New Jersey residents are well served to begin addressing the legal, policy, and technology considerations included in A-5206 now. Gibbons’ experience in drafting ISPs and counseling clients on program execution confirms that it takes time to assemble internal stakeholders, educate leadership, and dedicate appropriate resources to create an ISP and effectively implement its policies and practices.
Gibbons will be closely tracking developments on this bill and will provide periodic status updates on this blog.