9/16/21
Over the past several months, there have been numerous instances of significant data privacy breaches reported in the news, from Facebook, which experienced a data breach affecting over 540 million users, to Microsoft, Capital One, T-Mobile, and Volkswagen. These are some of the largest companies in technology, communications, and transportation. If these large companies, with their significant IT budgets and arguably unlimited resources, are unable to protect against data breaches, smaller companies are understandably left wondering when they will be next and whether such a breach will destroy their business.
Following in the footsteps of Ohio and Utah, New Jersey legislators have recently introduced a bill that could provide businesses with protection from the litigation that usually follows these data breaches. In short, if approved, Senate Bill S3062 would provide an affirmative defense against data breach claims.
To be able to assert the legal defense, a company must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, restricted information, or both, and that reasonably conforms to an industry-recognized cybersecurity framework. A covered entity’s cybersecurity program is to be designed to protect against the following:
Moreover, the bill permits the Director of the Division of Consumer Affairs in the Department of Law and Public Safety (“Director”) to deem a covered entity’s cybersecurity program, as required by the bill, to reasonably conform to an industry-recognized cybersecurity framework if the program reasonably conforms to any of the cybersecurity frameworks or provisions of law enumerated in the bill. A determination of reasonable conformance by the Director would be considered by a court as evidence in deciding whether the covered entity is entitled to the affirmative defense. However, a covered entity may raise the affirmative defense in court without the Director’s determination of reasonable conformance. Absent that determination, the court may determine reasonable conformance pursuant to the standards set forth in the bill.
The purpose behind the bill is to entice businesses to plan ahead proactively and create a cybersecurity program that might avoid a potential data breach altogether, rather than to react if and when a data breach occurs. As is clear from the framework, however, complying with the requirements of the bill is onerous and expensive, and might scare some companies off from utilizing the legal mechanism. Nevertheless, if the legislation is enacted, it will provide all companies, from the small local shop to the largest corporations, with an opportunity to shield themselves from the costly and time-consuming litigation that may result from a data breach.
Please be sure to visit our firm’s blog for updates and other up-to-date news and analysis of data security and privacy issues. If you have questions or would like more information, please contact Zachary Danner at zdanner@fmglaw.com.