Amendments to state’s definition of ‘personal data’ expected to pass

New Jersey has become the latest state to call for an expansion of its data breach notification law, adding to the smorgasbord of privacy legislation erupting throughout the US.

The proposed changes would broaden the definition of personal information, already defined under the north-eastern state’s 2005 law, which requires businesses to notify consumers when a breach occurs.

A notification would now additionally be required if disclosure occurs to a “username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account”, the amendment reads.

Information such as social security numbers, driver’s license information, and payment card details will remain included in the law’s definition.

The bill, Assembly No. 3245, is expected to pass, and will follow similar moves taken by other states to update legislation in order to fall more in line with the current realities of our information economy.

This has included broadening what defines our digital identity, whether that’s medical information, a financial account number, or a mother’s maiden name.

“Over the years certain states have expanded the definition of person information in different ways,” Joseph Lazzarotti, an attorney at Jackson Lewis P.C, told The Daily Swig.

“I think it’s driven by incidents that have affected the state, like a huge healthcare breach, and a state attorney tends to react to that.”

Lazzarotti, who leads his firm’s data privacy and cybersecurity practice group, explained that a lot of US states will operate under their own plan according to the constantly-evolving area of online data protection and endless pile of security incidents.

California, the first state to enact a data breach notification law in 2002, and one generally regarded as more stringent towards regulating business, recently proposed strengthening its rules following the Marriott cyber-attack which affected a tremendous 500 million people.

“I also think that GDPR has influenced states to start looking at this [data protection] now,” said Lazzarotti.

“People are beginning to become savvier and more aware of their data and how it’s being used.”

The result of that has been talk of the US finally adopting a federal consumer privacy statue and nationwide consumer data protection, with states, individually, beginning to enact their own safeguard mandates on business cybersecurity standards.

“There are really two parts to this,” Lazzarotti said. “What are you doing to safeguard the information in the first place so that it doesn’t get breached, and when it does get breached, what are you doing to mitigate harm. Breach notification statue is only dealing with one part – informing, not preventing.”

One huge area of contention when it comes to replacing data breach notification laws with a federal legislation, however, is enforcement – the Consumer Fraud Act currently enforces the data breach notification law in New Jersey.

New Jersey has also introduced other bills related to enhancing user privacy protections, requiring both websites and those collecting GPS data to notify consumers when and how their data is used.

RELATED Washington state proposes privacy legislation as data debate heats up