In the event of a data breach, the failure to comply with cybersecurity laws can lead to costly penalties as a recent OAG Consent Order demonstrates…
While all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.
On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
Laws Imposing Cyber Compliance Obligations
Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).
The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.
OAG Enforcement Action
As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees.
Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:
Failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers;
Failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information;
Failing to design and implement information safeguards to control the risks identified through risk assessment;
Failing to evaluate and adjust the information security program in light of the results of the testing and monitoring; and
Failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.
Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program. The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
Key Takeaways
Any New Jersey company that obtains personal information of customers/clients must have current identity theft protection and disclosure controls, technology, Qualified Individuals as CISO (and other cybersecurity technical experts).
In light of the attendant exposures to financial and reputational risks, how can any business enterprise in New Jersey (or any other state) not have the necessary cybersecurity program, with systems, technology and qualified individuals ‘at the ready’ to protect against and respond in accordance with the company’s compliance program to data breaches?
New Jersey’s ITPA was initially effective on January 1, 2006, and revised in 2019 and 2020. It covers “any business that conducts business in New Jersey…” must expediently disclose any breach of computerized records of customer personal information. (56:8-163). The media has been “loaded” with disclosures of data breaches on almost a daily basis, and yet some companies haven’t yet implemented a cybersecurity compliance program!
56:8-166 of the ITPA defines an unlawful practice and violation of P.L. 1960 c. 39 (C. 56L8-1 et. seq.) to willfully, knowingly or recklessly violate Sections 10 through 13 of the Act. The New Jersey Legislative found that the crime of identity theft is one of the major law enforcement challenges of the new economy. The sanctions for violation are severe and include: civil penalties, fines, actual damages, attorneys’ fees and costs and injunctive relief. It can be expected that such sanctions could exceed the annual costs of a New Jersey business’ cyber compliance program. (See, New Jersey Cyber Crimes Unit Business E-mail Compromise Statics.)
At least 14 other states have similar laws, which makes conducting business without having developed and implemented a program with policies and procedures that assure compliance a risky proposition.
Weichert’s OAG Consent Order exemplifies that no New Jersey business is exempt from CFA, ITPA and GLBA, and that a risk-based approach to information security is essential.
If you have questions, please contact us
If you have any questions or if you would like to discuss these issues further, please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
NJ OAG Enforcement Action Highlights Cyber Risks for Real Estate and Financial Companies That Failed to Protect Against Identity Theft
Author: Scarinci Hollenbeck, LLC
In the event of a data breach, the failure to comply with cybersecurity laws can lead to costly penalties as a recent OAG Consent Order demonstrates…
While all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.
On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
Laws Imposing Cyber Compliance Obligations
Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).
The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.
OAG Enforcement Action
As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees.
Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:
Failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers;
Failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information;
Failing to design and implement information safeguards to control the risks identified through risk assessment;
Failing to evaluate and adjust the information security program in light of the results of the testing and monitoring; and
Failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.
Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program. The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
Key Takeaways
Any New Jersey company that obtains personal information of customers/clients must have current identity theft protection and disclosure controls, technology, Qualified Individuals as CISO (and other cybersecurity technical experts).
In light of the attendant exposures to financial and reputational risks, how can any business enterprise in New Jersey (or any other state) not have the necessary cybersecurity program, with systems, technology and qualified individuals ‘at the ready’ to protect against and respond in accordance with the company’s compliance program to data breaches?
New Jersey’s ITPA was initially effective on January 1, 2006, and revised in 2019 and 2020. It covers “any business that conducts business in New Jersey…” must expediently disclose any breach of computerized records of customer personal information. (56:8-163). The media has been “loaded” with disclosures of data breaches on almost a daily basis, and yet some companies haven’t yet implemented a cybersecurity compliance program!
56:8-166 of the ITPA defines an unlawful practice and violation of P.L. 1960 c. 39 (C. 56L8-1 et. seq.) to willfully, knowingly or recklessly violate Sections 10 through 13 of the Act. The New Jersey Legislative found that the crime of identity theft is one of the major law enforcement challenges of the new economy. The sanctions for violation are severe and include: civil penalties, fines, actual damages, attorneys’ fees and costs and injunctive relief. It can be expected that such sanctions could exceed the annual costs of a New Jersey business’ cyber compliance program. (See, New Jersey Cyber Crimes Unit Business E-mail Compromise Statics.)
At least 14 other states have similar laws, which makes conducting business without having developed and implemented a program with policies and procedures that assure compliance a risky proposition.
Weichert’s OAG Consent Order exemplifies that no New Jersey business is exempt from CFA, ITPA and GLBA, and that a risk-based approach to information security is essential.
If you have questions, please contact us
If you have any questions or if you would like to discuss these issues further, please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
