(TRENTON) – Legislation sponsored by Assemblyman James Kennedy and Assemblywoman Valerie Vainieri Huttle requiring businesses and public entities to notify customers following a breach of security involving the customers’ personal information, and requiring consumer reporting agencies to encrypt the personal information of consumers that they hold or transfer, was advanced by an Assembly panel on Monday.
The first bill (A-1360), sponsored by Kennedy, provides that the notice must be either written or electronic and must contain contact information, including a toll-free telephone number, of a customer representative of the business or public entity who is available to give the customer information on:
• what information has been compromised and potential consequences of the breach of security;
• how the company or public entity is addressing the breach;
• what steps the customer may take to safeguard the customer’s information; and
• notification that the customer has access to free credit reports.
The business or public entity must also provide the customer with access to independent credit reports from a consumer reporting agency 6 months following notification of a security breach.
If a business or public entity compiles or maintains computerized personal records on behalf of another business or public entity, the business which suffered the breach will be the party responsible for the cost of providing access to independent credit reports and for reimbursing the notifying entity for their costs incurred.
Current law gives a business or public entity the option, following a security breach, to provide notification to compromised consumers through substitute notice, and does not require businesses or public entities to provide consumers with an independent credit report. This bill would change this.
“It is only fair that consumers have as much information as possible regarding a breach of their personal information, including how to monitor their accounts following a breach,” said Kennedy (D-Middlesex/Somerset/Union). “Security breaches are virtually never the consumer’s fault, and our primary responsibility is to protect consumers.”
The second bill (A-3043), sponsored by Vainieri Huttle, requires consumer reporting agencies to encrypt the personal information held by or transferred by the consumer reporting agency, to whatever extent is feasible.
To whatever extent it is not feasible to encrypt the information, the consumer reporting agency is required to implement and maintain alternative compensating controls consistent with industry standards and the consumer reporting agency’s assessment of risk, to protect the security, confidentiality and integrity of the personal information.
Under the bill, the consumer reporting agency is required to offer to provide appropriate identity theft prevention and mitigation services at no cost to the consumer for no less than 60 months. The consumer reporting agency must notify the consumer of this offer and is prohibited from placing any further conditions on the consumer, or otherwise requiring the consumer to waive any of their rights, by accepting the offer.
“We must do everything we can to protect people from and mitigate the damage of identity theft,” said Vainieri Huttle (D-Bergen). “Identity theft can ruin people’s chances of getting a house, car, or any kind of loan, and it is our duty to consumers to protect their identities, no matter what.”
The bill also provides that, upon request of the compromised individual, the consumer reporting agency must provide a free credit report to the consumer 3 times during any 12-month period. This would amend current law, which only requires 1 free credit report during any 12-month period.
The bills cleared the Assembly Consumer Affairs Committee.