NJ A4093

Requires any person or business entity that owns or licenses personal information of New Jersey residents to develop, implement, and maintain a written comprehensive information security program with administrative, technical, and physical safeguards.

Security programs must designate employees to maintain the program, identify and assess internal and external risks, provide ongoing employee training, and review security measures at least annually.

Entities that electronically store or transmit personal information must implement secure user authentication protocols, encryption of transmitted and stored data, firewall protection, malware protection, and access controls limiting information to employees who need it.

Personal information covered includes names combined with Social Security numbers, driver's license numbers, state ID numbers, or financial account and credit/debit card numbers.

Willful, knowing, or reckless violations constitute unlawful practices under the consumer fraud act, punishable by up to $10,000 for first offenses and $20,000 for subsequent offenses, plus potential cease and desist orders, punitive damages, and treble damages.