“Safe Harbor” data breach: Could New Jersey businesses get a stay of onslaught of data breach litigation? – Technology
United States: “Safe Harbor” data breach: Could New Jersey businesses get a stay of onslaught of data breach litigation?
To print this article, simply register or connect to Mondaq.com.
In recent months, numerous cases of significant data privacy breaches have been reported in the media. From Facebook, which suffered a data breach affecting more than 540 million users, to Microsoft, Capital One, T-Mobile and Volkswagen. These are all some of the biggest companies in technology, communications and transportation. While these large enterprises, with their large IT budgets and arguably unlimited resources, are unable to protect themselves against data breaches, small businesses naturally wonder when they will be next and if such a breach will destroy their business.
Following in Ohio and Utah’s footsteps, New Jersey lawmakers recently introduced a bill that could protect businesses from the litigation that typically follows these data breaches. In short, if approved, Senate Bill S3062 would provide a positive defense against data breaches.
To be able to assert legal defense, companies must create, maintain and comply with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal information or restricted information, or both, and which is reasonably consistent with an industry recognized cybersecurity framework. A Covered Entity’s cybersecurity program must be designed to protect against the following:
- breaches of the security and privacy of personal information, restricted information, or both;
- any anticipated threat or danger to the security or integrity of Personal Information, Restricted Information, or both; and
- unauthorized access and acquisition of personal information, restricted information or both that could pose a significant risk of identity theft or other fraud to the person to whom the information relates.
The bill further requires that the scale and scope of a Covered Entity’s cybersecurity program be based on all of the following factors:
- the size and complexity of the covered entity;
- the nature and extent of the activities of the covered entity;
- the sensitivity of the information to be protected;
- the cost and availability of tools to improve information security and reduce vulnerabilities; and
- the resources available to the covered entity.
In addition, the bill authorizes the director of the Consumer Affairs Division of the Department of Law and Public Security (âdirectorâ) to consider that a target entity’s cybersecurity program required by the bill, Reasonably complies with an industry-recognized cybersecurity framework if the target entity’s cybersecurity program is reasonably compliant with any of the cybersecurity frameworks or legal provisions listed in the bill. A determination of reasonable compliance by the Director would be considered by a court as evidence in determining whether the covered entity is entitled to an affirmative defense. However, a covered entity may raise the affirmative defense in court without the Director determining reasonable compliance. In the absence of the director’s determination of reasonable compliance, the court may determine reasonable compliance in accordance with the standards set out in the bill.
The purpose of the bill is to get companies to proactively plan and create a cybersecurity program that might otherwise prevent a potential data breach, rather than being reactive if and once a data breach occurs. occurs. As is clear from the framework, however, complying with the requirements of the bill is onerous and costly, and could deter some companies from using the legal mechanism. However, if the legislation is enacted, it will provide all businesses – from small local stores to larger businesses – the opportunity to protect themselves from costly and time-consuming litigation that can result from a data breach.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR POSTS ON: US Technology