Attorney General Grewal Confronts Data Breach Threats, Creates New Civil Enforcement Unit

July 2, 2018 in Tech Law

By: Peter J. Pizzi

To facilitate more effective governmental response to data security threats against New Jersey residents, the State’s Attorney General Gurbir Grewal revealed on May 7, 2018 his plan to establish the Data Privacy & Cybersecurity (“DPC”) Section within his office. The DPC Section, composed of attorneys, is tasked with managing data privacy-related investigations and will act in concert with state agencies such as the State Police and the Division of Consumer Affairs.  In cases where the personal information of New Jersey residents has been collected without authorization and distributed or used, the DPC Section will pursue civil litigation. Under the state’s current breach notification law, and in line with breach notification protocol in virtually every other state, there is no private right of action, meaning that New Jersey residents victimized by a breach do not possess a civil cause of action against the entity which suffered the breach. Attorney General Grewal’s proposal, then, reflects a plan to protect the interests of New Jersey citizens by asserting claims on their behalf.

On his decision, Attorney General Grewal explained, “The Attorney General’s Office has long played a role in protecting our residents from cyber threats, but given recent developments, we realized that we needed to double down on those efforts. That’s why we are creating a new unit of attorneys dedicated to enforcing data privacy and cybersecurity laws. This unit will be tasked with making sure that we’re looking out for the interests of New Jersey’s residents whenever there’s a major data breach or improper use of customers’ online information.”

The announcement comes in the wake of the Facebook/Cambridge Analytica scandal, which affected an estimated 1.6 million Facebook users in New Jersey. With the hopes of compiling detailed voter profiles and selling this voter data to political campaigns, Cambridge Analytica in 2014 acquired private Facebook data on tens of millions of users and allegedly then used that data for purposes not permitted under the application program interface (API) agreement pursuant to which it obtained access to Facebook user data. Mark Zuckerberg, Facebook CEO, testified before Congress in April of 2018, fielding the ensuing questions surrounding Facebook’s lost control of colossal quantities of data. Since that time, many have grown disappointed with the company’s response, though its stock continues to reach new highs. In light of such recent events, New Jersey opted to create this new DPC Section within the Attorney General’s Office, and this group will assume responsibility for the Office’s current Facebook/Cambridge Analytica investigation.

Other states have felt the pressure mounting to address citizens’ growing privacy concerns post-Cambridge Analytica scandal and other large data breaches. For instance, the California legislature recently passed a bill that empowers internet users by requiring that users have the right to opt-out of the sale of their private information to third-parties. This bill has now become law, to be effective in January 2020. Other states may soon follow the lead of New Jersey and California.

The N.J. Attorney General’s Office reports successes in reaching settlements upon pursuit of N.J. residents’ data privacy rights. In the last five years, the Office has disclosed settlements relating to data incidents involving Horizon Health Care Services, app-developer Dokogeo, Inc., and Target, Inc. Hoping to build upon this record, the DPC Section intends to continue to enforce data privacy laws by holding violators responsible through affirmative civil litigation. Additionally, the DPC Section will also provide State Executive Branch agencies with legal advice surrounding cyber-related compliance.

Seeking to protect the personal information with which they have been entrusted and adhere to current regulatory laws, N.J. businesses must understand the consequences of a breach and how to comply with state and federal legislation. To implement suitable compliance practices, companies must first understand the types of personally identifiable information collected from their clients (e.g. individual’s name and Social Security Number, driver’s license number, and/or financial account number) and what needs to be protected. Internal policies, such as robust passwords, usage policies for laptops and mobile phones, secure disposal policies, and data encryption, should be enforced. Further, companies must comply with promises made to consumers or employees regarding privacy and security of personal information, and disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete.

The United States has no national uniform data breach notification standard, but 47 states, including New Jersey, have breach notification laws. New Jersey law mandates that all entities conducting business in the state with computerized “personal information” must disclose any breach to any residents whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. At the federal level, however, the Federal Trade Commission enforces privacy policies and challenges data security practices deemed “deceptive” or “unfair” to protect consumers’ personal information. Since 2002, the FTC has brought over 50 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. Consumers and employees often pursue individual or class actions, but the challenge is to prove standing or “injury in fact” to sustain such suits.  While many theories are advanced –negligence, breach of contract, breach of implied covenant, breach of fiduciary duty, or alleging violations of state consumer protection statutes or the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, or Stored Communications Act – a plaintiff has standing only if she can substantiate allegations of (1) injury, (2) causation, and (3) redressability.

While no company is immune from the threat of a breach, the coup de grâce is not a data breach itself, but rather the mishandling of a breach once it occurs. In the worst-case scenario, the company should execute a pre-determined action plan prepared with the assistance of outside counsel to advise as to state and federal laws and litigation updates.

Author’s note:  Walsh 2018 Summer Intern Sabrina Solow contributed to this article.

For more information, please contact Peter Pizzi at (973)757-1100 or [email protected]. Walsh Pizzi O’Reilly Falanga LLP’s attorneys are available to discuss data breach preparedness, compliance, current law, and litigation, as well as related data-privacy topics. Firms are encouraged to evaluate their current cyber policies and applicable law to ensure that all sensitive information is kept secure and that a suitable action plan is in place in the event of a breach.