
–Background–

On January 1, 2006, the New Jersey Identity Theft Prevention Act (ITPA) took effect. This state law aims to reduce identity theft in New Jersey. The law imposes strict requirements on all companies that conduct business in New Jersey, regardless of size or corporate structure. The ITPA contains requirements regarding:

  1. the use and display of Social Security numbers,
  2. the destruction of documents containing personal information, and
  3. the notification of persons affected by any unauthorized access to personal information.

Social Security Numbers

The ITPA prohibits any person, including any public or private entity, from:

  • publicly posting or displaying an individual’s Social Security number;
  • printing an individual’s Social Security number on materials that are mailed;
  • printing an individual’s Social Security number on any card required for the individual to access products or services;
  • requiring an individual to transmit his or her Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; and
  • requiring an individual to use a Social Security number to access an Internet website, unless a password or other authentication device is also required to access that website.

When “Personal Information” Is Discarded

When businesses decide to discard records that contain “personal information,” the ITPA requires those records to be destroyed. The destruction-of-records requirement includes all documents, paper and electronic, that contain an individual’s first name or first initial and last name combined with the person’s: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) credit or debit card account number in combination with any required security code, access code, or password permitting access to the individual’s financial account.

Notice Requirements

The ITPA also requires any business that compiles or maintains computerized records containing personal information to notify any person whose personal information was accessed by an unauthorized person. Therefore, if any file, database, or other electronic record containing a person’s name and Social Security number is compromised, that person must be advised, as must the New Jersey State Police.

What Does This Mean To You?

All companies doing business in New Jersey must take steps to comply with the ITPA by preventing the display of Social Security numbers, limiting access to records containing personal information, and maintaining specific destruction procedures for all records containing personal information. Businesses may want to contact legal counsel to assist in training and reviewing existing procedures and document-destruction policies, both paper and electronic, and to create response plans in the event of a breach of security to ensure compliance with the ITPA and its federal counterparts.

—For More Information—

For the New Jersey Division of Consumer Affairs informative website on Identity Theft, including a “Guide for Businesses,” visit http://www.njconsumeraffairs.gov/ocp/Pages/identitytheft.aspx

For the Federal Trade Commission’s “Information Compromise and the Risk of Identity Theft: Guidance for Your Business,” visit https://www.ftc.gov/tips-advice/business-center

If you need additional information, please contact Chrissy Buteas at cbuteas@njbia.org or 609-858-9510.

Updated: November 3, 2016

This information should not be construed as constituting specific legal advice. It is intended to provide general information about this subject and general compliance strategies. For specific legal advice, NJBIA strongly recommends members consult with their attorney.