In the event of a data breach, the failure to comply with cybersecurity laws can lead to costly penalties as a recent OAG Consent Order demonstrates…
While all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.
On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
Laws Imposing Cyber Compliance Obligations
Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).
The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.
OAG Enforcement Action
As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees.
Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:
Failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers;
Failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information;
Failing to design and implement information safeguards to control the risks identified through risk assessment;
Failing to evaluate and adjust the information security program in light of the results of the testing and monitoring; and
Failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.
Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program. The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
Key Takeaways
Any New Jersey company that obtains personal information of customers/clients must have current identity theft protection and disclosure controls, technology, Qualified Individuals as CISO (and other cybersecurity technical experts).
In light of the attendant exposures to financial and reputational risks, how can any business enterprise in New Jersey (or any other state) not have the necessary cybersecurity program, with systems, technology and qualified individuals ‘at the ready’ to protect against and respond in accordance with the company’s compliance program to data breaches?
New Jersey’s ITPA was initially effective on January 1, 2006, and revised in 2019 and 2020. It covers “any business that conducts business in New Jersey…” must expediently disclose any breach of computerized records of customer personal information. (56:8-163). The media has been “loaded” with disclosures of data breaches on almost a daily basis, and yet some companies haven’t yet implemented a cybersecurity compliance program!
56:8-166 of the ITPA defines an unlawful practice and violation of P.L. 1960 c. 39 (C. 56L8-1 et. seq.) to willfully, knowingly or recklessly violate Sections 10 through 13 of the Act. The New Jersey Legislative found that the crime of identity theft is one of the major law enforcement challenges of the new economy. The sanctions for violation are severe and include: civil penalties, fines, actual damages, attorneys’ fees and costs and injunctive relief. It can be expected that such sanctions could exceed the annual costs of a New Jersey business’ cyber compliance program. (See, New Jersey Cyber Crimes Unit Business E-mail Compromise Statics.)
At least 14 other states have similar laws, which makes conducting business without having developed and implemented a program with policies and procedures that assure compliance a risky proposition.
Weichert’s OAG Consent Order exemplifies that no New Jersey business is exempt from CFA, ITPA and GLBA, and that a risk-based approach to information security is essential.
If you have questions, please contact us
If you have any questions or if you would like to discuss these issues further, please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
Are Stay Interviews the Key to Retaining Top Talent?
Retaining top talent continues to be one of the greatest challenges facing employers today. Even in an employer’s market, the loss of a key employee can disrupt operations and result in significant costs. While compensation plays a role, long-term retention often depends on workplace culture, communication, and employee engagement. One increasingly popular strategy for improving […]
Secured transactions form the backbone of a wide range of business dealings, including business loans, mortgages, and inventory financing. Because the stakes are often high and relatively minor oversights can have drastic consequences, lenders and borrowers should thoroughly understand how to form an enforceable security agreement that protects their legal rights. What Is a Secured […]
Don’t Cash a “Paid in Full” Check Without Understanding the Legal Implications
Cashing a check marked “paid in full” can be a risky endeavor, particularly if you don’t fully understanding the legal implications. If you are owed more than the amount of the check you accept and deposit, you may waive your right to collect the full disputed amount. That is why you should consider either rejecting […]
Changes to Qualified Small Business Stock Will Benefit Startup Founders and Investors
The One Big Beautiful Bill Act of 2025 (OBBBA) significantly impacts federal taxes, credits, and deductions. A key change relating to Qualified Small Business Stock (QSBS) allows greater tax-free gains for investments in startups and other qualifying small businesses. Company founders and other investors should understand how the enhanced tax strategy works or risk missing […]
Corporate Consolidation and Antitrust Issues in Mergers
Corporate consolidation involves two or more businesses merging to become a single larger entity. The result is often a stronger and more competitive company that can better navigate today’s competitive marketplace. What Is Corporate Consolidation? Corporate consolidation closely resembles a basic merger transaction. The primary difference is that a consolidation creates an entirely new business […]
Business law plays a critical role in nearly every aspect of running a successful enterprise, from negotiating a commercial lease to drafting employee policies to fulfilling corporate disclosure obligations. Understanding what is business law and your legal obligations can help your business run smoothly and build productive relationships with clients, business partners, regulators, and others. […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
