New Jersey Amps Up Focus on Privacy and Cybersecurity
California is not the only state focused on privacy. The New Jersey Attorney General’s Office recently emphasized how the Office is prioritizing its enforcement of such issues. Over its first year, the newly-created Data Privacy & Cybersecurity Section within the New Jersey Division of Law has initiated its own actions and joined several multi-state investigations. Privacy also plays a prominent role in private actions and draft legislation in the Garden State. Companies marketing or selling to New Jersey consumers or otherwise operating in the state should take steps to confirm their privacy compliance. Reported Data Breaches According to statistics released by the New Jersey Attorney General and Division of Consumer Affairs on October 31, 2019, there were 906 separate data breaches reported to the New Jersey State Police in 2018, compared to 958 breaches in 2017. The number of individual residents impacted declined significantly from 2017 to 2018. While over 4 million residents were impacted by 2017 breaches, that number fell to approximately 358,000 in 2018. The 2018 total, however, is still nearly three-times the 116,000 residents impacted in 2016. State Enforcement Actions In response to these breach figures, New Jersey actively enforced against lax privacy practices. Through the first three quarters of 2019, the Attorney General reported $6.4 million in recoveries. Additionally, New Jersey served a leading role in several large-scale, multi-state recoveries for consumers over the last 9 months. For example:
- New Jersey was part of the Leadership Committee pushing the investigation and resolution of claims arising from a 2017 data breach at credit reporting agency Equifax that will result in payment of $575 to $700 million ($6.36 to NJ) as part of a global resolution of claims by the FTC, 50 U.S. states and territories, and individual consumers.
- New Jersey was also one of 30 states to resolve data breach and consumer privacy claims against health insurer Premera Blue Cross Blue Shield. Premera’s network had exposed the Social Security and sensitive health information of 10.4 million consumers, including approximately 40,000 NJ residents. That settlement includes $10 million to the states (including $72,168 to NJ) as well as a $32 million fund for consumers and $42 million in required cybersecurity upgrades at Premera.
- New Jersey was also part of the multi-state resolution of claims against retailer Neiman Marcus in response to a breach involving shoppers’ credit card numbers and other personal information. NJ received $57,465 as part of a $1.5 million settlement, which impacted approximately 17,000 individuals with NJ addresses.
- Take steps to keep privacy and cybersecurity practices, policies, and procedures in line with each state where your customers reside;
- Determine if your compliance program takes into account and reasonably addresses foreseeable risks to the personal information in your control, and whether this risk analysis is documented so you can point to it if needed if there’s a future lawsuit or government investigation;
- Evaluate whether the business has sufficiently invested in adequate privacy and cybersecurity and insurance coverage that takes into account how the business, laws, and potential exposure are evolving; and
- Consult with experienced practitioners in this area that can help guide and counsel your business on options for making practical updates to your compliance program mindful of the changing legal landscape.