Creates affirmative defense for certain breaches of security.
Impact
The implications of S1860 could reshape the legal landscape for businesses handling personal information across New Jersey. By granting an affirmative defense, the bill aims to reduce the liability exposure of businesses regarding data breaches. However, this might lead to uneven protection of consumer rights if businesses are left to self-regulate their security measures without consistent oversight. Moreover, the bill does not create a private right of action for consumers, meaning individuals may have limited recourse in the event of a data breach. This has raised concerns among consumer advocacy groups about the adequacy of protection for personal data and the potential for entities to evade responsibility in the event of mishandling personal information.
Summary
Bill S1860, introduced in the New Jersey legislature, seeks to create an affirmative defense for certain breaches of security concerning personal and restricted information. The bill stipulates that a covered entity—a business or government unit that handles such information—may claim an affirmative defense if it can demonstrate that it has developed and adhered to a comprehensive written cybersecurity program. This program must include various administrative, technical, and physical safeguards that align with recognized cybersecurity frameworks, thereby ensuring that vulnerabilities are minimized and personal data is adequately protected. Notably, the bill emphasizes the importance of conformity with industry standards such as those set forth by NIST and other federal guidelines.
Contention
There are points of contention surrounding the bill, especially regarding the lack of a private right of action. Opponents argue that this could undermine consumer protection by preventing individuals from seeking compensation in the event of data breaches. Additionally, the reliance on covered entities to establish and maintain cybersecurity programs, without external validation or minimum mandated standards, raises questions about the effectiveness of the bill in genuinely enhancing data security. Supporters argue that the bill will encourage businesses to invest in stronger cybersecurity measures in exchange for a shield from certain liabilities, striking a balance between protecting consumer data and fostering economic growth.
A bill for an act relating to affirmative defenses for entities using cybersecurity programs and electronic transactions recorded by blockchain technology. (See SF 495.)
A bill for an act relating to the use of certain technology, including the legal effect of the use of distributed ledger technology or smart contracts and affirmative defenses associated with the use of cybersecurity programs. (See HF 553.)
Requests the Dept. of Economic Development to study cybersecurity issues faced by businesses in compliance with the Cybersecurity Framework Standards promulgated by the National Institute of Standards and Technology