New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers as “triggering” of their states’ breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019.

Should a company find that online account credentials have been breached, it can provide notice to the impacted individuals through an electronic notice or other format that directs the individual to update their password and security question or answer, as well as advising the individual to take other appropriate steps to protect their online accounts. If an email account has been breached, notice must be provided in a form of communication other than by email to the impacted email account.

Putting it Into Practice: Companies should keep in mind that beginning September 1, breaches to online account credentials (username or email address and password) will require notice in New Jersey.