Dear Associates:
On September 22, 2005, Acting Governor Codey signed A4001/S1914, the New Jersey "Identity Theft Prevention Act" (the "Act"), and bills A2768 and A2769/S2617 which deal with related topics. The provisions of all the bills become effective on January 1, 2006.
The Act provides the following safeguards concerning the personal information of consumers:
-
Requires any company that lawfully collects and maintains computerized record containing consumer's personal information to notify the affected consumers in the event that the personal data is compromised
-
Requires businesses to destroy records containing a customer's personal information that is no longer needed
-
Limits the use of a consumer's Social Security number as an identifier and prohibits public display and usage of the number on printed materials except when required by law
-
Allows consumers to request that the credit reporting agency place a security freeze on their consumer credit report if they believe they have been the victim of identity theft
-
Affirms an individual's right to file and receive a copy of a police report concerning the suspected identity theft, although it does not require the police to investigate
The first three points will affect our business practices most directly.
The Act contains definitions regarding the collection of personal data. "Breach of security" means the unauthorized access to electronic files which have not been encrypted which compromises the security, confidentiality or integrity of personal information. "Customer" means an individual who provides personal information to a business. "Personal information" means in individual's first name or first initial and last name linked with any one or more of the following: (1) Social Security Number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
In the event that a business's computerized records which include personal information are breached, the business must disclose the breach to any customer who is a New Jersey resident whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. The disclosure must be made in the most expedient time frame possible, consistent with the needs of any law enforcement agency. Notice may be provided by written notice (i.e. a letter), electronic notice or substitute notice; the use of each of these methods and its requirements are detailed in the Act.
Any business records containing personal information must be destroyed by shredding, erasing or otherwise modifying the personal information so as to make it unreadable, undecipherable or nonreconstructable through generally available means. If you have documents containing personal information (such as loan applications or approved attorney applications), they must be shredded before they are discarded.
The display or public posting of social security numbers is prohibited, as is the provision of the individual's social security number to the general public. You cannot require an individual to use his or her social security number to access any internet web site unless an additional password is required. If the display of the social security number is required by federal law or certain New Jersey statutes or court rules, it is exempted from this prohibition.
As you are aware, previous legislation gave the county clerks the right to redact social security numbers from document submitted for recording. We suggest that you advise any out-of-state clients who may be unfamiliar with the new rules that they should not require social security numbers to be a part of documents to be recorded.
The two companion acts deal with the criminalization of the use of scanning devices and reencoders and offences relating to false birth certificates, driver's licenses and other identification documents.
This Bulletin provides only a synopsis of the new law. You should review your office procedures and make sure you are in compliance with the new law when it becomes effective on January 1, 2006. Please call the State office if you have any questions or would like a full copy of the Act.