NJ A548

Requires businesses and public entities in New Jersey to notify customers of data breaches involving their personal information within five business days of discovery, unless delayed by law enforcement needs or investigation requirements

Mandates that before determining disclosure is unnecessary (because misuse is not reasonably possible), the entity must conduct an appropriate investigation and consult with relevant federal, state, and local law enforcement agencies

Requires documentation of any determination that customer notification is not needed, with records retained for five years

Maintains existing requirements that breaches affecting over 1,000 persons must also be reported to nationwide consumer reporting agencies and that the Division of State Police must be notified before customer disclosure

Takes effect immediately upon enactment