Data Breach Notifications
According to the NJ Identity Theft Prevention Act:
Any business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.
What to report?
Please provide the following additional information to the NJCCIC, if known:
- How the breach occurred
- How many New Jersey residents were affected
- A sample notification letter
Report security breaches to firstname.lastname@example.org. Submitted notifications will be reviewed and processed by NJSP personnel assigned to the NJCCIC, fulfilling the statutory requirement.
For further information, please contact the NJCCIC at 609-963-6900 x7865.
What is a breach?
The State of New Jersey defines a breach as unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
The NJCCIC currently tracks seven categories of data loss methods:
- Insider Theft
- Hacking / Computer Intrusion (also includes Phishing/Skimming/Ransomware/Malware)
- Data on the Move
- Physical Theft
- Subcontractor/Third Party/Business Associate
- Employee Error / Negligence / Improper Disposal / Lost
- Accidental Web/Internet Exposure
The NJCCIC currently tracks various types of information compromised:
- Social Security number
- Credit/Debit Card number
- Email/Password/User Name
- Protected Health Information (PHI)
- Driver's License
- Financial Accounts
- Other/Undefined type of records