NJ Releases Annual Statistics on Data Breaches for the First Time

NJOAG Press Contact: Sharon Lauchaire | 609.292.4791

Original Article

njoag.png

TRENTON – Attorney General Christopher S. Porrino and the New Jersey State Police today announced that 676 data breaches were reported to the State Police in 2016 affecting more than 116,000 New Jersey account holders. October is National Cybersecurity Month, and the announcement – the first release of annual statistics on data breaches in the state – was made as New Jersey offered advice and resources to residents to protect their sensitive personal information. The Attorney General’s Office also highlighted legal actions taken this year by the Division of Law and Division of Consumer Affairs to address data breaches.

“Doing business online and on our devices has become so routine that it’s easy to let our guard down. But as these statistics on data breaches highlight, it’s critical that we protect our sensitive personal information from the many who seek to access it for harmful ends,” said Attorney General Christopher Porrino. “The internet touches almost all aspects of our daily life, whether we realize it or not, and Cyber Security Awareness Month is a good time to examine whether our accounts are secure. I urge everyone to take advantage of the great resources New Jersey offers in this area.”

To assist in tackling these security challenges, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) acts as the state’s one-stop shop for cybersecurity information sharing, threat analysis, and incident reporting. Located at the State Police Regional Operations Intelligence Center (ROIC), the NJCCIC brings together analysts and engineers to promote statewide awareness of cyber threats and widespread adoption of best practices.

“Our mission is to help make NJ more resilient to cyber attacks. We encourage all NJ residents and businesses to reach out to the NJCCIC for advice, to subscribe to our alerts, and to report incidents via our website – www.cyber.nj.gov,” said Michael Geraghty, Director of the NJCCIC.

“The statistics compiled present a sobering picture of the challenges that face us when it comes to cyber security,” said Sharon Joyce, Acting Director of the Division of Consumer Affairs. “We urge citizens to use the resources available through the Division of Consumer Affairs in order to protect themselves and their loved ones from identity theft and other forms of cybercrime. In addition, the Division remains committed to protecting consumers from those companies that fail to safeguard or improperly gather personal information.”

The information released by the Attorney General’s Office and the State Police details data breaches in New Jersey occurring in 2016. Data breaches involve the unauthorized access to personal information, which may include a person’s first and last name linked with a social security number, driver’s license number, or account, debit, or credit card number. Under New Jersey law, any business that operates in New Jersey or any public entity that compiles or maintains computerized records that include personal information must disclose any breach of security to customers who are New Jersey residents and whose personal information was or believed to have been accessed by an unauthorized person.

The business sectors most often involved with breaches include finance/banking, health services followed by business services and retail trade. Other areas include education, restaurant, industrial/manufacturing, hotels, non-profits, non-medical insurance, and telecommunications, among others.

The methods used to breach security were led by phishing, a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, instant message or other communication channels, and hacking. Website malware, employee incident, unauthorized email access and ransomware were also utilized.

The New Jersey Attorney General’s Office, through the Division of Law and the Division of Consumer Affairs, has taken action this year in the following cases to protect consumers

  • Vizio: On February 6, 2017, Attorney General Christopher S. Porrino and the Division of Consumer Affairs announced that Smart TV manufacturer VIZIO, Inc. (“VIZIO”) and its subsidiary VIZIO Inscape Services, LLC, (“Inscape”) agreed to pay the State and the Federal Trade Commission (“FTC”) $2.5 million and change their business practices to settle allegations they violated the New Jersey Consumer Fraud Act and the Federal Trade Commission Act by surreptitiously tracking consumers’ television viewing habits and selling the information to marketing companies and data brokers. In a joint Complaint filed in the United States District Court for the District of New Jersey, the State and the FTC alleged that VIZIO and Inscape violated state and federal laws by failing to effectively inform consumers that VIZIO smart televisions were continuously collecting and storing information about their viewing habits, and that the data was being sold to third parties for marketing purposes. Under the terms of the settlement, VIZIO and Inscape paid the State $915,940 in civil penalties and $84,060 in attorney fees and investigative costs. VIZIO and Inscape also agreed to destroy consumer viewing data collected prior to March 1, 2016, prominently disclose to consumers the type of data that will be collected by the “Smart Interactivity” feature, obtain consumers’ affirmative express consent before collecting their viewing information, and implement and maintain a comprehensive privacy program.
  • Horizon: On February 17, 2017, the NJ Division of Consumer Affairs announced a settlement with Horizon Healthcare Services, Inc. (d/b/a Horizon Blue Cross Blue Shield of New Jersey) to resolve claims under the New Jersey Consumer Fraud Act (“CFA”) and the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology For Economic and Clinical Health Act (“HIPAA/HITECH”). In a complaint filed in the United States District Court for the District of New Jersey, the State alleged that Horizon violated the CFA and HIPAA/HITECH by failing to properly protect the privacy of nearly 690,000 New Jersey policyholders whose unencrypted personal information was contained on two laptops stolen from the insurer’s Newark headquarters. Under the terms of the settlement, Horizon agreed to pay the State $1.1 million and to implement a Corrective Action Plan.
  • Target: On May 23, 2017, Attorney General Christopher S. Porrino announced that Target Corp. (“Target”) agreed to pay New Jersey, 46 other states and the District of Columbia a total of more than $18 million to resolve a multi-state investigation into a data breach that compromised the payment card information of more than 41 million shoppers nationwide. New Jersey, which was a member of the multi-state Executive Committee, received a total payout of $680,411 from Target. In addition to the monetary terms, Target agreed to enact a variety of cyber-security reforms designed to prevent similar data breaches in the future, including the creation of an Information Security Program.

The NJCCIC this month launched a statewide campaign

“2FA for New Jersey” or “#2FA4NJ” – to promote awareness of two-factor authentication (2FA). From securing email accounts to remote access tools and online banking, 2FA is a simple but highly effective best practice for protecting against identity theft and bolstering privacy. For more information, visit the NJCCIC website: www.cyber.nj.gov. The website allows individuals to directly report data breaches or cyber incidents, and allows residents to register to receive alerts, advisories, bulletins and training information.

The Division of Consumer Affairs has also engaged in the following outreach:

  • Outreach to Consumers - DCA’s Cyber Fraud Unit safeguards New Jersey consumers' constitutional right to privacy in the digital age. Data security and data privacy are among the fastest-growing economic and personal concerns facing New Jersey consumers. The Unit enforces the New Jersey Consumer Fraud Act, which prohibits certain commercial practices, including tracking consumers' online behavior and/or downloading malware onto consumers' computers without providing adequate notice to, and obtaining meaningful consent from, consumers. The Unit also enforces the New Jersey Computer Related Offenses Act (CROA), which prohibits, among other things, the purposeful or knowing and unauthorized access of New Jersey consumers' data, database, computer program, computer software or computer equipment; the federal Children's Online Privacy Protection Act of 1998 and regulations (COPPA) ; the New Jersey Identity Theft Protection Act; the Health Information Technology for Economic and Clinical Health Act (HITECH); and the Health Insurance Portability and Accountability Act of 1996 (HIPPA). The Unit's investigators take an active role in educating consumers concerning how they can protect their personal information when using Internet-based technologies.
  • Professional Boards Outreach - Board of Accountancy. In response to reports of e-mail phishing schemes and other computer intrusions targeting tax preparers, the Board of Accountancy issued a bulletin that provided recommendations for providers of accounting servicers who handle personally identifiable information.

The Division of Consumer Affairs offers the following Tips to Consumers:

  • Avoid clicking on e-mail links or attachments from unknown individuals, financial institutions, computer services or government agencies. To check out the message, go to the sender's legitimate public website, and use the contact information provided.

  • Adjust device privacy settings to control sharing of data between applications, software and address books.

  • Choose a strong password containing letters, numbers and symbols. If a website offers two-factor authentication security, use it.

  • To protect your device from unauthorized access and malware software, install security software, often available from your internet provider, and ensure that firewall and anti-virus protections are updated continually.

  • Before disposing of any electronic device, wipe the hard drive using specialized software that will overwrite your information; or donate the device to a certified recycling facility that follows government standards for the destruction of data.

  • Avoid free Wi-Fi, especially for health, financial, and other personal transactions.

  • Before giving up your personal information to win a contest or participate in a survey, read the "Terms and Conditions" and "Privacy Policy" within the website or app. These sections should clearly lay out how the website will use and share your information.

  • Under federal law, consumers can get three free credit reports per year through www.annualcreditreport.com. New Jersey law entitles consumers to an additional three free credit reports annually – one from each of the national credit reporting agencies. Scrupulous checking of credit reports, bank and credit card statements, and subscription services can catch identity theft at its earliest stages.

  • Parents can report concerns about websites directed to children to the Division of Consumer Affairs, which enforces the federal Children’s Online Privacy Protection Act (COPPA). Parents should take advantage of parental control software offered by their internet service provider, adjust browser settings to limit children's access, and review history logs to monitor usage.

Cybersecurity Resources:

Follow the New Jersey Attorney General’s Office online at TwitterFacebookInstagram & YouTube. The social media links provided are for reference only. The New Jersey Attorney General’s Office does not endorse any non-governmental websites, companies or applications.

####