Scarinci Hollenbeck, LLC
The Firm
201-896-4100 info@sh-law.comAuthor: Scarinci Hollenbeck, LLC|June 13, 2022
While all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.
On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).
The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.
As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees.
Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:
Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program. The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
The Firm
201-896-4100 info@sh-law.comWhile all companies should have robust cybersecurity programs with up-to-date technology and qualified Chief Information Security Officers (CISO), New Jersey financial companies, as well as certain real estate companies, have specific obligations under several state and federal laws, including the Gramm-Leach-Bliley Act (GLBA), New Jersey Identity Theft Prevention Act (ITPA), and the New Jersey Consumer Fraud Act (CFA). In the event of a data breach, the failure to comply with these laws can lead to costly penalties as a recent OAG Consent Order demonstrates.
On May 18, 2022, Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. Weichert Co. and its affiliates (Weichert) agreed to pay $1.2 million to resolve allegations that they violated the CFA, ITPA, and GLBA in their handling of sensitive client information.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Acting Attorney General Platkin said in a press statement. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
Depending on the nature of the business and the types of customer data collected, New Jersey financial and real estate companies may be subject to several cybersecurity regulations. On the state level, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-163) requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.”
A “breach of security” is broadly defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. The CFA enforces data breach notification statutes in New Jersey. A business that willfully, knowingly, or recklessly violates the CFA may have to pay the injured party three times the damages (plus attorney fees and court costs).
The Safeguards Rule under the GLBA requires covered financial institutions to implement safeguards to ensure the security and confidentiality of certain nonpublic personal information (NPI) that is obtained when offering or delivering a financial product or service to an individual for personal, family, or household purposes. The Safeguards Rule applies to financial institutions subject to the Federal Trade Commission’s (FTC) jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the GLBA, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule was amended in 2021 to require specific cyber safeguards, including written risk assessments, written incident response plan, penetration testing, and access controls covering all customer information. The Safeguards Rule also now requires covered entities to have a single “Qualified Individual” be solely responsible for overseeing and implementing their information security program.
As set forth in the OAG’s Consent Order, the Division of Consumer Affairs alleged that Weichert suffered three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents. The Division further alleged that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Weichert agreed to pay civil penalties of $1,074,350 and $125,600 for investigative costs and attorneys’ fees.
Specifically, Weichert allegedly violated provisions of the CFA, ITPA, and GLBA by:
Under the terms of the settlement, Weichert agreed to implement measures designed to strengthen its data security program. The security measures required under the settlement include, but are not limited to: maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats; retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; maintaining an appointed Qualified Individual as Chief Information Security Officer (CISO); encrypting all sensitive customer information held or transmitted by the company; implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman, Ashley Brinn Levy, or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.