In the event of a data breach, the failure to comply with cybersecurity laws can lead to costly penalties as a recent OAG Consent Order demonstrates…
While all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.
On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
Laws Imposing Cyber Compliance Obligations
Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).
The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.
OAG Enforcement Action
As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees.
Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:
Failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers;
Failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information;
Failing to design and implement information safeguards to control the risks identified through risk assessment;
Failing to evaluate and adjust the information security program in light of the results of the testing and monitoring; and
Failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.
Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program. The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
Key Takeaways
Any New Jersey company that obtains personal information of customers/clients must have current identity theft protection and disclosure controls, technology, Qualified Individuals as CISO (and other cybersecurity technical experts).
In light of the attendant exposures to financial and reputational risks, how can any business enterprise in New Jersey (or any other state) not have the necessary cybersecurity program, with systems, technology and qualified individuals ‘at the ready’ to protect against and respond in accordance with the company’s compliance program to data breaches?
New Jersey’s ITPA was initially effective on January 1, 2006, and revised in 2019 and 2020. It covers “any business that conducts business in New Jersey…” must expediently disclose any breach of computerized records of customer personal information. (56:8-163). The media has been “loaded” with disclosures of data breaches on almost a daily basis, and yet some companies haven’t yet implemented a cybersecurity compliance program!
56:8-166 of the ITPA defines an unlawful practice and violation of P.L. 1960 c. 39 (C. 56L8-1 et. seq.) to willfully, knowingly or recklessly violate Sections 10 through 13 of the Act. The New Jersey Legislative found that the crime of identity theft is one of the major law enforcement challenges of the new economy. The sanctions for violation are severe and include: civil penalties, fines, actual damages, attorneys’ fees and costs and injunctive relief. It can be expected that such sanctions could exceed the annual costs of a New Jersey business’ cyber compliance program. (See, New Jersey Cyber Crimes Unit Business E-mail Compromise Statics.)
At least 14 other states have similar laws, which makes conducting business without having developed and implemented a program with policies and procedures that assure compliance a risky proposition.
Weichert’s OAG Consent Order exemplifies that no New Jersey business is exempt from CFA, ITPA and GLBA, and that a risk-based approach to information security is essential.
If you have questions, please contact us
If you have any questions or if you would like to discuss these issues further, please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
Breach of Contract Explained: Types and Consequences
Breach of contract disputes are the most common type of business litigation. Therefore, nearly all New York and New Jersey businesses will likely have to deal with a contract dispute at least once. Understanding when to file a breach of contract lawsuit and how long you have to sue for breach of contract is essential […]
How to Dissolve a Corporation in New Jersey: A Step-by-Step Guide
Closing your business can be a difficult and challenging task. For corporations, the process includes formal approval of the dissolution, winding up operations, resolving tax liabilities, and filing all required paperwork. Whether you need to understand how to dissolve a corporation in New York or New Jersey, it’s imperative to take all of the proper […]
Gross Lease vs. Net Lease: Understanding the Key Differences
Commercial leases can take a variety of forms, which is often confusing for both landlords and tenants. Understanding the different types, especially the gross lease structure, is important when selecting the lease that best suits your needs. One key distinction between lease types is how rent is calculated and paid. This article addresses the two […]
What to Do If You Are Impacted by a Retailer Bankruptcy Part 2
Over the past year, brick-and-mortar stores have closed their doors at a record pace. Fluctuating consumer preferences, the rise of online shopping platforms, and ongoing economic uncertainty continue to put pressure on the retail industry. When a retailer seeks bankruptcy protection, a myriad of other businesses are often impacted. Whether you are a supplier, customer, […]
The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business
Since his inauguration two months ago, Donald Trump’s administration and the Congress it controls have indicated important upcoming policy changes. These changes will impact financial services policies and priorities. The changes will particularly affect cryptocurrency, as well as banking rules and regulations. Key Regulatory Changes in Cryptocurrency For example, in the burgeoning cryptocurrency business environment, […]
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1
The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
