NJ OAG Enforcement Action Highlights Cyber Risks for Real Estate and Financial Companies That Failed to Protect Against Identity Theft

In the event of a data breach, the failure to comply with cybersecurity laws can lead to costly penalties as a recent OAG Consent Order demonstrates…

While all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.

On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.

“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”

Laws Imposing Cyber Compliance Obligations

Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”

A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).

The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. 

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.

OAG Enforcement Action

As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access.  Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees. 

Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:

• Failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers;
• Failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information;
• Failing to design and implement information safeguards to control the risks identified through risk assessment;
• Failing to evaluate and adjust the information security program in light of the results of the testing and monitoring; and
• Failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.

Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program.  The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.

Key Takeaways

• Any New Jersey company that obtains personal information of customers/clients must have current identity theft protection and disclosure controls, technology, Qualified Individuals as CISO (and other cybersecurity technical experts).
• In light of the attendant exposures to financial and reputational risks, how can any business enterprise in New Jersey (or any other state) not have the necessary cybersecurity program, with systems, technology and qualified individuals ‘at the ready’ to protect against and respond in accordance with the company’s compliance program to data breaches?
• New Jersey’s ITPA was initially effective on January 1, 2006, and revised in 2019 and 2020.  It covers “any business that conducts business in New Jersey…” must expediently disclose any breach of computerized records of customer personal information. (56:8-163).  The media has been “loaded” with disclosures of data breaches on almost a daily basis, and yet some companies haven’t yet implemented a cybersecurity compliance program!
• 56:8-166 of the ITPA defines an unlawful practice and violation of P.L. 1960 c. 39 (C. 56L8-1 et. seq.) to willfully, knowingly or recklessly violate Sections 10 through 13 of the Act.  The New Jersey Legislative found that the crime of identity theft is one of the major law enforcement challenges of the new economy.  The sanctions for violation are severe and include:  civil penalties, fines, actual damages, attorneys’ fees and costs and injunctive relief.  It can be expected that such sanctions could exceed the annual costs of a New Jersey business’ cyber compliance program.  (See, New Jersey Cyber Crimes Unit Business E-mail Compromise Statics.) 
• At least 14 other states have similar laws, which makes conducting business without having developed and implemented a program with policies and procedures that assure compliance a risky proposition.
• Weichert’s OAG Consent Order exemplifies that no New Jersey business is exempt from CFA, ITPA and GLBA, and that a risk-based approach to information security is essential.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.