Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:
  • up to triple damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made to the Division of State Police in the Department of Law and Public Safety for investigation or handling, prior to consumer notifications.
  • For breaches involving online account personal information, consumer notification may be provided in electronic form informing consumers of the incident and directing them to change the password/security question/answer that may have been compromised.
  • If a determination is made that consumer notification will not be required, the decision must be documented in writing and maintained for five years.
  • If more than 1,000 persons must be notified about a breach of security, then consumer reporting agencies must be made aware of the breach without unreasonable delay.
  • Specific provisions protect personal information relating to health records and credit card records.
  • Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations and Vendors that conduct business in New Jersey must have measures in place for the secure destruction of records containing personal information so that the records are unreadable or undecipherable.
  • Injured persons may be awarded treble damages in addition to other equitable relief received.

Statutes and Laws

  • N.J. Rev. Stat. §§ 56:8-161 – 56:8-166 Security of personal information
  • N.J. Rev. Stat. § 56:8-19 Action, Counterclaim By Injured Person; Recovery of Damages, Costs
  • N.J. Rev. Stat. §§ 56:8-196 – 56:8-198 Restrictions for health insurance carrier relative to certain computerized records
  • N.J. Rev. Stat. §§ 56:11-17 – 56:11-18 Personal identification information not required for credit card transaction
  • N.J. Rev. Stat. §§ 56:11-24 – 56:11-27 Credit Card Transactions
  • N.J. Rev. Stat. §§ 56:11-42 – 56:11-43 Electronic printing of credit card numbers on sales receipts, regulated
  • N.J. Rev. Stat. §§ 56:11-44 – 56:11-50 Identity Theft Prevention Act
  • N.J. Rev. Stat. §§ 56:11-53 – 56:11-55 Personal Information and Privacy Protection Act
