Yesterday, I posted a press release from the NJ Assembly Democrats about AB 3146, a bill that would expand the definition of “personal information” that might require breach disclosure to consumers.
While AB 3146 does expand the duty to notify consumers of a breach to include “user names and email addresses, in combination with any password or security question and answer that would permit access to an online account,” the press release makes it sound like all businesses maintaining such information would have a duty to notify consumers in the event of a breach:
The bill requires businesses and public entities that compile or maintain computerized records that include information to permit access to an online account to disclose to consumers if there is a breach of security of that information.
That description appears to be incorrect, as a lawyer kindly pointed out to me on Twitter this morning in a private message. Although AB 3146 amends existing law, it does not delete or remove C.56:8-163(b):
That language suggests that there is no direct notification to consumers required for businesses or public entities that maintain records for others; their only duty is to notify the business or public entity for whom they maintain the records. That entity would then have the responsibility to notify consumers.
I tweeted to NJ Assembly Dems to ask them about the apparent contradiction between their press release and the bill, and will update or correct this post if I get a response.
Great thanks to the lawyer who called this to my attention.