On June 22, 2017, the New Jersey Senate passed the Personal Information and Privacy Protection Act (“the Act”), which now awaits action by Governor Christie. The Act permits retailers to scan a person’s identity card (“I.D. card”) only for specified purposes and limits the information that may be collected to the person’s name, address, and date of birth, the state that issued the I.D. card, and the I.D. card number.
A retailer may scan an I.D. card, such as a driver’s license, only to:
- Verify the authenticity of the I.D. card or the identity of the person if the person (1) is paying for goods or services by a method other than cash, (2) is returning an item, or (3) requests a refund or exchange;
- Verify the person’s age when providing age-restricted goods or services;
- Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service;
- Prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
- Establish or maintain a contractual relationship;
- Record, retain, or transmit information as required by State or federal law;
- Transmit information to a consumer reporting agency, financial institution, or debt collector, to be used as permitted by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or the Fair Debt Collection Practices Act; or
- Record, retain or transmit information by a covered entity governed by HIPAA.
A retailer may not retain any of the scanned information when it is used solely to (1) verify the authenticity of the I.D. card, (2) verify the identity of a person who is making a non-cash payment, returning an item, or seeking a refund or exchange, or (3) verify a person’s age in an age-restricted transaction.
If a retailer retains scanned information for any of the other permitted purposes, that information must be “securely stored.” Although the Act does not itself define “secure” storage, the N.J. Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.) (“N.J. I.D. Theft Law”) offers some guidance. Personal information that is encrypted or otherwise rendered unreadable is excluded from the N.J. I.D. Theft Law’s definition of a breach (N.J.S.A. 56:8-161). This suggests that, at a minimum, secure storage requires encrypting the scanned information or using some other technology to render it unreadable, or anonymizing it so that it can no longer be associated with any person.
The Act also requires retailers to “promptly” report any breach of the security of the scanned information to the N.J. State Police and to any “affected persons” in accordance with the N.J. I.D. Theft Law, which already obligates a business to notify the State Police whenever it must notify a New Jersey resident of a breach of that resident’s personal information. Although the new Act does not define “prompt” reporting, the timing of breach reports under the new Act is probably governed by the same standard as the N.J. I.D. Theft Law: the most expedient time possible and without unreasonable delay (N.J.S.A. 56:8-163).
Further, the new Act expands the scope of information subject to breach reporting obligations. The existing N.J. I.D. Theft Law defines the personal information that triggers reporting obligations, if breached, as “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.” (N.J.S.A. 56:8-161). The new Act retains some of those elements, including name, the state issuing the I.D. card, and the I.D. card number, but adds two new data elements, address and date of birth, provided the data was obtained by scanning an I.D. card.
Finally, the Act prohibits a retailer from selling or disseminating information obtained by scanning I.D. cards to any third party for any purpose, including marketing, advertising, or promotional activities, with one exception: the Act does not bar an automated return fraud system from issuing a reward coupon to a loyal customer.
We also note that the Act provides for penalties of $2,500 for a first violation and $5,000 for each subsequent violation, and that it permits a private right of action.
While the governor’s action on the Act is uncertain, its passage suggests that regulators are trending toward broadening the scope of information subject to breach reporting obligations and expanding the categories of information on which security-related requirements are imposed. Retailers that collect, or plan to collect, their customers’ personal information should (1) review their incident response programs for the expanded breach reporting obligations, particularly in light of the potentially broader definition of personal information under New Jersey law, and (2) evaluate the safeguards used to protect that information, including encryption, redaction, anonymization, and other physical, technical, and administrative controls.
If you have questions about your incident response plan or how to evaluate your business’s security programs and procedures, please contact Cindy Motley, 312-849-1972, firstname.lastname@example.org or Nora Wetzel, 415-627-3478, nora.wetzel@sedgwicklaw.