A new Bill has been introduced in the New Jersey State Assembly which would require businesses to implement systems that better protect any personal data they use or collect. This Bill would apply to any person, corporation, association, partnership or other legal entity that owns or licenses personal information about a resident of the State of New Jersey. Once enacted, anyone found to be knowingly or recklessly violating the provisions of the Bill would be engaging in an unlawful practice under the Consumer Fraud Act.
Information Security Program
Any entity that owns or licenses personal information will be required to develop, implement and maintain a comprehensive Information Security Program (ISP). This will add administrative, technical and physical safeguards to any data. These safeguards must be appropriate for the organization based on:
- Amount of stored data
- Size, scope and type of business
- Amount of resources available
- Need for security and confidentiality of customer and employee information.
The ISP must also include the identification and assessment of any potential internal or external risks to the security or integrity of any records containing personal information. Access to files, whether physical or electronic, will need to be restricted so that only those who need the information are able to access the relevant documents.
Third parties are vital for businesses to be able to operate effectively, but it will be imperative to ensure that any third-party partners are also compliant. It will be necessary to take reasonable steps to verify that they are capable of maintaining the necessary security measures.
The system will need to be regularly monitored to ensure that the ISP is operating as it should, and it should be reviewed at least annually. This review will determine whether the ISP is still optimal and whether it conforms to any relevant regulations. A change in business practices that may affect the security or integrity of records must also trigger a review of the program.
An important aspect of the ISP will be documenting the actions taken in connection with any incidents that occur. If there is a breach of security, there will need to be a post-incident review of the events and of what actions were taken.
For any entity that stores and works with personal information electronically, there are additional factors that must be accounted for. There must be a system for the maintenance of all computers and any wireless systems that are part of the working environment. Where feasible, it is necessary to have:
- Secure user authentication, including:
  - Control of user IDs or other identifiers
  - A secure method of choosing passwords or use of other identifier technologies (e.g. biometrics)
  - Restricting access to active users only
  - Blocking access after multiple unsuccessful attempts to gain access
- Encryption of all transmitted records and files containing personal information
- Reasonable monitoring of systems for unauthorized use of or access to personal information
- Up-to-date firewall protection and operating system security patches.
Employee Awareness and Training
There will need to be a designated employee or group of employees to maintain the ISP, and the program will need to include employee training, even for temporary and contract employees. If your organization doesn’t already have security policies, these will need to be created and implemented. They will cover the storage, access and transportation of records containing personal information. When employees’ contracts are terminated, their access will need to be revoked as quickly as possible. Any violations of the ISP rules will need to result in disciplinary measures.
Value Privacy are here to make privacy simple. With more and more States cracking down on privacy and data security it’s better to get ahead. Find out how you stack up now before you get caught out. Contact us today to find out how Value Privacy can help you.