Organizations and Vendors who conduct business in New Jersey must have measures in place for the secure destruction of records containing personal information so the records are unreadable or undecipherable.

For breaches involving online account personal information, consumer notification may be provided in electronic form informing consumers of the incident and directing them to change the password/security question/answer that may have been compromised. Breach reporting must be made to the Division of State Police in the Department of Law and Public Safety for investigation or handling, prior to consumer notifications. If more than 1,000 persons must be notified about a breach of security, then consumer reporting agencies must be made aware of the breach without unreasonable delay.

If a determination is made that consumer notification will not be required, the decision must be documented in writing and maintained for five years. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Vendors must notify Organizations immediately after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.

Specific provisions protect personal information relating to health records and credit card records.

Injured persons may be awarded treble damages in addition to other equitable relief received.