
March 5, 2009
Identity Theft - New Jersey Identity Theft Prevention Act Applies to All Businesses and Corporate Entities Conducting Activities in the State of NJ
by Ronald Perl, Esquire
The New Jersey Identity Theft Prevention Act, P.L. 2005, c.226, took effect on January 1, 2006 and affects all businesses and corporate entities within the state. The Act is an attempt to safeguard individuals' personal information with an emphasis on social security numbers. It contains three primary provisions, which will affect the entire corporate and business community. First, if a business or corporate entity maintains computer records that include personal information such as social security numbers, driver's license numbers, state identity card numbers, and credit or debit card numbers including password information, any breach of security of the information must first be reported to the Division of State Police and then to the affected individual. Second, if an entity intends to discard information, it must be modified in a manner which ensures that it will no longer be readable. Finally, the Act limits how and when a social security number may be displayed or transmitted. These provisions affect all business and corporate entities and may have a wide-ranging effect upon how they disclose and retain individuals' personal information.
The Act contains two primary sections. The first solely affects consumer reporting agencies, meaning an entity which collects and compiles consumer information for the purpose of creating and disseminating a consumer report to a third party. This section provides that an individual may place a security freeze on his or her consumer report by making a request via certified mail or secured electronic mail. Once a security freeze is implemented, an individual's consumer report will not be released to third parties. The freeze will be maintained until the consumer requests that it be lifted. Furthermore, whenever a consumer is entitled to receive a summary of his or her rights under Section 609 of the Federal Fair Credit Reporting Act, a specified notice recited in the legislation must be included which sets forth a consumer's right to obtain a security freeze. Most notably, a person who willfully or negligently fails to comply with this portion of the Act is liable to the consumer.
This portion of the Act is limited and will only affect a limited number of companies whose business it is to deal with consumer information. However, consumers should be aware of the security freeze option, as it provides a way in which consumers who are affected by identity theft may ensure their credit is not diminished by the acts of a third party. In fact, the intent of the security freeze is to give the consumer the opportunity to deal with an identity theft problem while ensuring further damage is not incurred.
The second, and farther-reaching, portion of the Act deals with the security of personal information. This portion of the Act regulates all businesses and corporate entities, including non-profit entities. The first significant section governs the methods of destruction of customer records. It requires that if an entity intends to discard an individual's records, they be destroyed in a manner which ensures the personal information is unreadable. Personal information is defined by the Act to mean an individual's first name or first initial with last name linked with one or more of the following: "(1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account." In addition, the term includes accessed dissociated data that, if linked with other accessed dissociated data, would constitute personal information.
The impact of this section upon a corporation or business entity may carry a heavy burden. Although most companies have a policy of discarding data and files after a certain period of time, they may not have a requirement that the information is destroyed. Companies must now incorporate a procedure into the discarding process, which will guarantee that personal information will be discarded in a manner which will ensure it cannot be read. The simple solution to this requirement is to shred all documents that are discarded and thoroughly erase all computer records. Although the cost of shredding all documents may seem daunting for a smaller corporation, it will be significantly cheaper and less time consuming than determining which documents contain personal information and which do not. Moreover, having a simple procedure such as shredding all documents will ensure fewer opportunities for an employee to mistakenly permit personal information to be discarded without being properly destroyed. Accordingly, although the impact of this section may be a burden, there is a simple solution that may be effectively instituted.
The second section governs the disclosure of a breach of security to the police and individuals. It requires that when an entity which conducts business in New Jersey maintains computerized records, and the security of those records was breached, the individuals whose records were breached and who are residents of New Jersey must be notified of the breach after the Division of State Police has been notified and has determined that its disclosure will not impede or compromise an investigation. However, disclosure of the breach is not necessary if it can be established that misuse of the information is not reasonably possible. If the entity chooses not to disclose the breach, the decision must be documented and retained for a period of five years. Furthermore, any entity which compiles or maintains computerized records for another entity shall notify that entity, which shall then notify individuals who reside in New Jersey. To the extent notice is required, the Act sets forth the manner in which the notice will be provided, which depends on the cost of the notice and the number of individuals to be notified.
The requirements under this section can be both costly and a source of potential liability. For instance, the statute permits the corporation to determine when it is not required to inform individuals of the breach. However, this is predicated upon establishing that misuse of the information is not reasonably possible. If it is determined that the individual should not be informed of the breach and the information is misused, the corporation faces a potential liability. If litigated, a court will determine if the corporation reasonably acted in not informing the individual of the breach. Ultimately the courts will determine what is "reasonable". As a result, to avoid liability and potential litigation a corporation may choose to disclose all breaches. However, this must be weighed against the overall monetary and political cost of informing the individuals. A large-scale disclosure of a breach may be time-consuming, a monetary drain, and cost the corporation a reduction in good will.
Finally, the third section sets forth prohibited actions that relate to the display of social security numbers. In particular, an entity may not: (1) post or publicly display a social security number or any four or more consecutive numbers of a social security number; (2) print a social security number on materials sent to an individual, unless required by law; (3) print a social security number on any card used to access products or services; (4) intentionally communicate or make available an individual's social security number to the general public; (5) require an individual to transmit an unencrypted social security number over an unsecured internet connection; and (6) require an individual to use a social security number to access an internet website, unless another authentication device is also required to access the website. However, these provisions do not apply to documents which are recorded or are required to be open by law.
The impact of this section is abundantly clear. It sets forth how information may not be displayed. To avoid violating the section, a corporation may consider not using an individual's social security number as an identifying method. For those entities which are required by law to use a social security number and provide that information to the public, this section does not apply. Moreover, if you record documents such as deeds, mortgages or court judgments, you may still use an individual's social security number on the document. Accordingly, although this section clearly sets forth limits as to when you may display a social security number, it does provide for the appropriate necessary exceptions.
In conclusion, a corporation or business entity must now take this new statute into consideration when conducting business. Although it places a heavy burden upon the corporate and business community, the burden is manageable by implementing a few specified procedures. You are encouraged to seek counsel to assist in creating and/or reviewing existing procedures, policies and plans of response, as they relate to security breaches, personal information and social security numbers.
This article provides information of general interest and is not intended, and should not be used, as a substitute for consultation with legal counsel. Any questions regarding the specific issues raised in this article should be directed to Ronald L. Perl, Esq. (609) 734-6349 or by email: info@hillwallack.com