The New Jersey Public Interest Research Group (NJPIRG) appreciates this opportunity to comment on the proposed regulations for the Identity Theft Prevention Act, N.J.S.A. 56:8-161 to 166 and 56:11-44 to 50. We respectfully submit these comments to help ensure that, through the final regulations, consumers in New Jersey gain the strong identity theft protections the 2005 statute intended.
13:45F-1.3 Definitions
Definition of “customer”
This definition should be expanded to protect a consumer’s information when it has been provided by a third party rather than by the consumer. In today’s economy, consumers’ information is a hot commodity, so much so that some companies use public records and other databases to compile reports on consumers with whom they have never done business. For example, ChoicePoint, which was involved in one of the most disturbing data breaches to date, generally gathers its consumer information on its own rather than receiving it from consumers, and ChoicePoint’s clients are even more remote from the consumer, so much so that it would be hard to argue a consumer even “indirectly” provided his information to ChoicePoint’s clients.
Definition of “Breach of Security”
This definition is flawed because it replicates a latent ambiguity in the statute and arguably creates an excessive safe harbor. The definition should be rewritten to eliminate that ambiguity. Doing so would be consistent with the intent of the statute, notwithstanding the similar language in the statute’s own breach of security definition, because in a related section the statute addresses a similar ambiguity squarely and eliminates it.
Specifically, the proposed regulatory definition:
"Breach of security" means
unauthorized access to … personal information that compromises the security, confidentiality, integrity or availability of personal information when access to personal information has not
been secured by security measures at least meeting the standards set forth in
N.J.A.C. 13:45F-3.2 or by any other
method or technology that renders the personal information unreadable or
unusable. Good faith acquisition of personal information …” (Italics added)
arguably creates an absolute safe harbor: follow the prescriptions in N.J.A.C. 13:45F-3.2, or use another approach to render personal information unreadable or unusable, and unauthorized access is per se not a breach. But imagine a business that employs the system at N.J.A.C. 13:45F-3.2, and an information technology employee with the ability to bypass that system steals the data and traffics in it. Is that a breach? Or imagine a sophisticated hacker who defeats the system and steals the data in usable form. Is that a breach? In both cases the answer should clearly be yes, but in both cases the answer is not obvious.
On one reading, the personal information in those situations is not “secured” by the security measures, because the measures failed to protect it, and thus a breach occurred. On the other reading, the information was secured by the prescribed methods and that security was simply violated, so no breach occurred.
Admittedly, this exact ambiguity exists in the statute:
“"Breach of security" means unauthorized access to electronic
files, media or data containing personal information that compromises the
security, confidentiality or integrity of personal information when access to the personal information has
not been secured by encryption or by any other method or technology that
renders the personal information unreadable or unusable.”
However, the statute’s clear intent to protect New Jerseyans from identity theft would be defeated if the ambiguity regarding the breach safe harbor were allowed to persist unresolved and an unscrupulous business relied on it in choosing not to notify victims of a breach. Indeed, in the situations where the ambiguity becomes relevant, such as the examples above, the risk of identity theft resulting from the breach is extremely high.
In a related section, the statute’s definition of “Personal
Information,” this type of ambiguity is directly addressed in a manner that
ensures New Jerseyans would retain protection when a data security measure is
defeated:
“"Personal information" means
an individual's first name or first initial and last name linked with any one
or more of the following data elements: … Dissociated
data that, if linked, would constitute personal information is personal
information if the means to link the dissociated data were accessed in
connection with access to the dissociated data.”
Because failing to resolve the ambiguity in favor of continued protection would defeat the purpose of the statute’s security breach provisions, and because the Legislature, in the “personal information” definition, made clear that a security measure must continue to work after a breach for the safe harbor to apply, NJPIRG urges the Division to resolve the ambiguity in this rulemaking.
Amending the proposed definition as follows would eliminate
the latent ambiguity:
"Breach of security" means
unauthorized access to … personal information that compromises the security,
confidentiality, integrity or availability of personal information. Access to personal information that has
been secured by security measures at least meeting the standards set forth in
N.J.A.C. 13:45F-3.2 or by any
other method or technology that renders the personal information unreadable or
unusable is not a breach of security provided that such method or technology
was not defeated by the unauthorized access, for example, by the related theft
of the encryption key. Good faith acquisition of personal information …”
Subchapter 2: Security Freeze
The security freeze is one of the strongest identity theft
protections available to consumers, as it gives consumers control over their
personal information and empowers them to proactively prevent new account fraud
from happening to them. New Jersey was a
security freeze pioneer, the first state to emphasize the importance of making
the use of the freeze consumer friendly.
However, the details of making the freeze consumer friendly were left to the regulations. Since New Jersey’s law passed, over thirty other states have acted, and in some cases their statutes incorporate consumer friendly details that go beyond the proposed regulations, which we encourage New Jersey to adopt. We also encourage the Division to adopt changes consistent with general consumer protection law, particularly the effort to ensure that consumers are aware of and understand their rights.
Specifically:
Ensuring Consumers Are Aware of and Understand Their
Security Freeze Right
The regulations as drafted reveal an intent to ensure that
consumers are aware of and understand their security freeze right. In particular, we note the requirements for a
link on the home pages, the detailed specifications of what must be
communicated, and the frequent opportunities for communication of that
information, including the toll-free number. Nonetheless, a few simple
additions could further advance that goal.
1. We suggest you
specify a minimum font for security freeze information, e.g. 12-point, to
prevent the “easily accessible information in plain English” requirement from
being met by squintingly small type.
2. We suggest that
you give content to “plain English” by specifying that information must be
understandable by someone reading at the fifth grade level, which would ensure
that most New Jerseyans would be able to understand it.
3. We suggest you define “regular business hours, eastern time” in subsection 2.1a(2) so that consumers have certainty about when they can contact the credit bureaus for information about using the freeze, and so that access is consistent across all three credit bureaus. We urge you to adopt the hours set in Montana’s security freeze law, 6 a.m. to 9:30 p.m., seven days a week, applied here in eastern time.
While “regular business hours” can carry a 1950s banker’s connotation of 9 to 5, Monday through Friday, that is not how the retail world works; internet shopping has made consumer purchasing possible 24 hours a day, 7 days a week. The credit bureaus have recognized this constant commerce and enabled retailers to obtain consumers’ credit information sufficient to open a new account 24 hours a day, 7 days a week. Consumers may therefore decide they need to lift their freeze at any time on any day, yet have no access, other than by phone, to the information they need to accomplish the lift. In this context, defining regular business hours as 6 a.m. to 9:30 p.m., 7 days a week is eminently reasonable.
Implementation of the expedited temporary lift
The expedited temporary lift was one of New Jersey’s most important innovations, because it enables consumers to protect themselves from new account fraud AND maintain access to instant credit.
Since New Jersey acted, a number of other states have mandated completing temporary lifts within 15 minutes. Similarly, New Jersey was among the first to require, rather than simply permit, a secure electronic method for communicating a temporary lift request to a credit bureau. Several other states now require electronic communication methods. We urge you to adopt, as far as possible, the communication methods required elsewhere, given that, for national companies, the incremental difficulty of making the same method available to New Jerseyans is de minimis.
Specifically:
Section 13:45F-2.3(a) covers temporary lifts requested by certified or overnight mail or by “such system of secure electronic media as may be made available by the consumer reporting agency.” We urge you to clarify that “made available by the consumer reporting agency” means made available to consumers anywhere in the country, which would give New Jerseyans immediate access to the phone methods the bureaus established for Texas and Pennsylvania, and which will be available in Mississippi and New Mexico in about a month, on July 1, 2007.
Section 13:45F-2.3(b) requires the consumer reporting agency to temporarily lift a freeze as quickly as possible, with the goal being within 15 minutes, within four months of the regulations’ effective date. We believe four months is unnecessarily generous, given that this law has been on the books for essentially two years now and numerous states have adopted rules mandating 15 minute lifts by dates certain.
Given the other states’ 15 minute mandates and the technological sophistication of these agencies (they can identify a consumer and provide his credit report online in less than five minutes), we encourage you to require a temporary lift in no more than 15 minutes, and to require the companies to show affirmatively why such a mandate would be any quicker than the statutory “as quickly as possible” already demands.
13:45F-3.2 Computer security system
requirements
NJPIRG strongly supports the obvious intent of these regulations, namely to ensure that any entity storing, using, sharing or selling personal information takes fundamental precautions to secure that information. The importance of this principle cannot be overstated: consumers have lost control over their identities and depend for protection on the entities that hold their information. While mandating comprehensive minimum standards for data security will seem excessively onerous to those required to comply, a fundamental shift toward comprehensive data protection is necessary to protect consumers’ identities, and regulation of this kind is necessary to drive that shift.
That said, NJPIRG lacks the technological expertise to comment on whether the specific requirements at 13:45F-3.2 are the most appropriate way to defend data. Nonetheless, we would like to highlight some features of the proposed provisions and urge that they be maintained in any subsequent revisions of this section.
1. Applicability to
both wired and wireless systems;
2. Secure user
authentication access for all system components containing personal information;
3. Access to files containing personal information
restricted to those who need such information to perform their job duties;
4. Encryption of all
stored or transmitted files containing personal information, and of passwords
for access to such files;
5. Regular testing of
security systems and processes;
6. Storing personal
data on a closed system not connected to the internet, or if internet
connection is necessary, the use of a properly maintained firewall;
7. Requirements that
operating systems and anti-spyware/anti-virus software are kept current with
updates; and
8. Training of
employees in security procedures and their importance.
13:45F-3.3 Notification
of possible breach of security to the Division of State Police
NJPIRG strongly supports the six hour requirement for
notification of a breach to the state police.
The statute requires notice to consumers to be made
“in the most expedient time possible
and without unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subsection c. of this section, or any measures
necessary to determine the scope of the breach and restore the reasonable integrity
of the data system”
and
for notice to law enforcement to occur “in advance of the disclosure to the
customer.”
These provisions make clear that the Legislature intended notice to law enforcement to be swift, a goal that makes sense given that investigations are aided most by fresh information.
Notice to law enforcement is not a difficult task and should not interfere with efforts to “determine the scope of the breach and restore the reasonable integrity of the data system” any more than calling 911 after finding one’s home burglarized interferes with inventorying what was stolen and boarding up the window the burglar broke to gain entry. Nor is it necessary for the scope of the breach to be determined, or the integrity of the system to be restored, before the police can find the breach notice useful.
In such a context, six hours is a very reasonable timeframe.
13:45F-3.5
Destruction of Certain Records
We support this regulation as written and want to emphasize
the importance of this section:
A
business or public entity shall document, maintain and make available for
inspection by the Division for a period of not less than five years a written
record of all documents containing personal information that have been
destroyed under this section. The written record shall contain the types of
records destroyed and the manner in which the records were destroyed.
Without this requirement, there is no accountability. Simply maintaining a log of the types of records destroyed and the manner in which they were destroyed ensures that records will, in fact, consciously be destroyed.
13:45F-4.1 Restrictions on the
communication of Social Security numbers
We urge you to limit the exemption in (d) by allowing the
inclusion of a Social Security number only when inclusion is necessary to the
transaction or to verify the accuracy of the number. A Social Security number is the most useful
piece of information an identity thief could steal, and efforts to limit its
transmission and use are a critical part of limiting identity theft. Narrowing the exemption in this way would
provide the most protection possible without interfering with the legitimate
business concerns that prompted the inclusion of the exemption.
Sincerely,
Abigail Caplovitz Field
Advocate
New Jersey Public Interest Research Group
143 E. State St., Suite 6
Trenton, NJ 08608