of its Privacy Group. He has been practicing law for 36 years. Over the years, Richard has successfully represented clients in complex commercial litigation, including shareholder disputes, real estate matters, construction claims, trade secrets, restrictive covenants, general contract matters and matters seeking equitable relief.

155 Prospect Avenue, West Orange, New Jersey 07052. Phone: 973.736.4600. Fax: 973.325.7467. rsimon@msgld.com, www.msgldlaw.com

enacted laws imposing obligations on private business to take reasonable steps to protect unauthorized disclosure of personally identifiable information collected and maintained by them. This ranges from implementation of written information security programs geared to reasonably prevent unauthorized disclosure, to imposing an obligation on a business to notify the exposed individuals once a security breach occurs. This is in response to ever-increasing incidents of unauthorized access to millions of computerized records containing personal information of individuals, including customers, employees and others.

Currently, 46 states and certain U.S. possessions have adopted some form of data breach notification law. There also are presently numerous federal laws that focus on specific industries, such as health and finance, and require notification of a security breach of personal information. It is important to note that the laws of certain jurisdictions, such records of individuals residing outside of its jurisdiction and others, like Massachusetts, apply to security breaches of personal information compiled and maintained by businesses formed and operating outside of the jurisdiction so long as any of the personal records relate to residents within its jurisdiction.
Although the details of each law regarding notification periods, methods of disclosure, consequences of failure to comply with notification requirements, and exceptions to the requirement for notification may vary, New Jersey's Identity Theft Prevention Act ("ITPA", N.J.S.A. 56:8-163, enacted in 2005) echoes the general purpose and scope of most state breach notification laws. ITPA remedially addresses three separate data security concerns with businesses that compile and maintain personal records; namely (1) notification of a security breach of records containing personal information, (2) destruction of both paper and computerized personal information agency and private entity use of an individual's Social Security numbers.

Under ITPA, any business conducting business in New Jersey that compiles or maintains records that include personal information must disclose any breach of security of the personal information records to all New Jersey customers whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. Businesses that compile or maintain computerized personal information for another business are required to notify the other business, which must, in turn, notify the affected New Jersey customers. Unauthorized access includes access to personal records by an authorized employee who accesses the records for an unauthorized purpose.

Under ITPA, a business shall, in the most expedient time possible and without unreasonable delay, disclose a breach of security of protected records to the state police and then to any customer who is a New Jersey resident. However, if the business establishes and documents that misuse of the personal information is not reasonably possible, notification is not required. The written documentation of the determination must be retained for five years.