Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to triple damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made to the Division of State Police in the Department of Law and Public Safety for investigation or handling, prior to consumer notifications.
  • For breaches involving online account personal information, consumer notification may be provided in electronic form informing consumers of the incident and directing them to change the password/security question/answer that may have been compromised. (Effective 9/1/2019)
  • If a determination is made that notification will not be required, the decision must be documented in writing and maintained for five years.
  • If more than 1,000 persons must be notified about a breach of security, then consumer reporting agencies should be made aware of the breach without unreasonable delay.
  • Specific provisions protect personal information relating to health records and credit card records.
  • Laws cover data protection and data disposal to prevent breaches.
  • Vendors who compile or maintain computerized records must notify the data owners of any breach of personal information immediately following discovery. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents of other states, you will need to notify those residents under each state’s rules.

Statutes and Laws

  • N.J. Rev. Stat. §§ 56:8-161 – 56:8-166 Security of personal information
  • N.J. Rev. Stat. §§ 56:8-196 – 56:8-198 Restrictions for health insurance carrier relative to certain computerized records
  • N.J. Rev. Stat. §§ 56:11-17 – 56:11-18 Personal identification information not required for credit card transaction
  • N.J. Rev. Stat. §§ 56:11-24 – 56:11-27 Credit Card Transactions
  • N.J. Rev. Stat. §§ 56:11-42 – 56:11-43 Electronic printing of credit card numbers on sales receipts, regulated
  • N.J. Rev. Stat. §§ 56:11-44 – 56:11-50 Identity Theft Prevention Act
  • N.J. Rev. Stat. §§ 56:11-53 – 56:11-55 Personal Information and Privacy Protection Act
