Breaking NewsLaw.com and associated brands will be offline for scheduled maintenance Friday Feb. 26 9 PM US EST to Saturday Feb. 27 6 AM EST. We apologize for the inconvenience.

 
X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Businesses are scrutinizing their record-keeping procedures now that a New Jersey state law, effective Jan. 1, creates a risk of civil liability for failing to safeguard consumers’ personal data. And lawyers on both sides of the aisle are lining up for new business. The Identity Theft Protection Act, P.L. 2005, c.226, sets tough rules for handling records that contain individuals’ names along with Social Security numbers, drivers’ license numbers, state ID card numbers, credit or debit card numbers or any other account number permitting access to individuals’ finances. Most notably, it creates an individual cause of action against violators — with potential awards of treble damages and attorneys’ fees if companies willfully or negligently fail to comply with its requirements. That provision has lawyers predicting a new wave of suits against corporations for breaches of data security. Among its salient provisions: � Social Security numbers, or four or more consecutive digits of those numbers, may not be disseminated or posted publicly, printed on materials sent through the mail or placed on ID cards. Companies may not require Social Security numbers to be transmitted over the Internet unless the connection is encrypted. � Businesses and public entities that compile Social Security numbers must promptly disclose, in writing, any breach of security to any person whose personal data is or may have been accessed by an unauthorized person. If the cost of the disclosure exceeds $250,000, a company can instead make disclosure on its Web site and to the news media. � Security breaches must be reported to the State Police and local police departments must take reports from victims of identity theft, in response to accounts that some departments would not write such reports. � Consumers may place a “security freeze” on their credit reports, requiring credit-reporting agencies to obtain the consumer’s express approval before releasing them. That step, previously available only to persons who already experienced identity theft, would prevent others from fraudulently opening credit accounts in the individual’s name. � Businesses must take reasonable measures to dispose of records in a way that would prevent their interception, such as shredding paper records or erasing or destroying electronic media so the records cannot be read or reconstructed. � Employers who conduct credit checks or background checks on job applicants through outside agencies must provide applicants — rejected based on those reports — a summary of their rights under the act. “I think it has some very wide-ranging implications,” says Wendy Lario, an employment lawyer whose firm, Pitney Hardin in Morristown, N.J., is sending out client advisories about the Identity Theft Protection Act and has put together an information security audit program to help clients comply. “For smaller or mid-sized companies, it may be burdensome to meet these requirements.” Thomas Muccifori, a commercial litigator, says business clients have been nervously calling his firm, Archer & Greiner in Haddonfield, concerned principally about the individual cause of action. The act is broadly worded and leaves unanswered such questions as whether a New Jersey consumer has a claim when a security breach occurs in another state, Muccifori says. Another gray area is what sort of loss could be recovered by claimants. While the statute speaks of damages as ascertainable losses, a claimant probably could recover if a security breach resulted in identity theft and additional lines of credit opened in their name, says Scott Christie, an information technology and intellectual property litigator at McCarter & English in Newark. “I would anticipate there’s going to be a significant amount of litigation,” he says. Litigation is likely to take the form of class action suits, says James Mullaney III, who represents consumers in collection cases. Claims under the new law are well suited to class action treatment because individual damages would tend to be small in most cases, says Mullaney, of the Dimitrios Kolovos law office in Voorhees. Mullaney believes such litigation will ultimately cause businesses to improve their data-management practices and cut down on the number of breaches. “Any time the average consumer is given a new tool to fight corporate misconduct, it’s good news for the plaintiff’s bar,” he says. Christie says the act will require businesses to make tough decisions, such as what level of breach should trigger notification to potential victims — something that would naturally agitate its customer base. For example, should a notice go out if a former employee retains a company’s laptop computer containing customers’ personal information? “A company at its peril refrains from notifying its customers and should err on the side of notification,” Christie says, though he says the obvious best practice is to prevent such a thing from happening in the first instance. Lario says companies and entities should appraise their management of employee and customer records to determine just who in the organization has access to various types of information. Also on the prevention front, since many businesses now allow online job applications, Lario says the company Web site should be secured against hackers seeking Social Security numbers. PANTS DOWN It’s clear that businesses and employers are vulnerable to interception of customer and employee data. In May, Hackensack police broke up a data theft ring that illegally sold information about more than half a million accounts at Bank of America, Wachovia Bank, Commerce Bank and others. In the past year, large retailers such as BJ’s Wholesale Club and DSW Shoe Warehouse have acknowledged that credit card data for hundreds of thousands of customers were intercepted from their computer networks. In October, Montclair State University admitted that it placed names and Social Security numbers of 9,100 students on an unprotected Web server, making the data accessible to anyone. Rutgers — The State University, which is subject to the new law, is updating its policy manual to comply, according to a memo addressed to administrators and posted on the university’s Web site. In the meantime, Rutgers has established a special hotline and e-mail address for reports of data security breaches, according to the undated memo, written by Karen Kavanagh, executive vice president for administrative affairs. Federal legislation may soon supersede New Jersey’s law. Congress is expected to enact its own identity theft protection law in the next term. The bill likely to pass, S-1408, contains many of the same protections as New Jersey’s law but does not confer a private right of action. Industry lobbyists pushed Congress to enact a law because national corporations dislike having to comply with a patchwork of varying state laws, Christie says.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.