Suzette Parmley reports that New Jersey is on the verge of expanding its breach notification law as a bill is headed to the Governor’s desk for signature.
A-3245/S-52 would amend the law so that the information triggering a notification requirement also includes usernames, email addresses, and any passwords or security questions and answers that would permit access to an online account.
The bill also has an interesting requirement that is not generally incorporated in state breach notification laws. As Parmley explains:
The legislation also seeks to prohibit any business or public entity that furnishes an email account from providing notice of a security breach to the email account being affected. Instead it would have to notify the user through another method or “provide a clear and conspicuous notice delivered to the consumer online while he or she is connected to the online account” from an IP address or location the business knows the consumer connects from regularly.
Then-Governor Christie never signed the bill into law when he had the chance last year, but it is expected to be signed into law now.
Read more on Law.com.
Related: Bill history and text.