ASSEMBLY, No. 2307

STATE OF NEW JERSEY

214th LEGISLATURE

INTRODUCED FEBRUARY 25, 2010

Sponsored by:

Assemblyman  VINCENT PRIETO

District 32 (Bergen and Hudson)

SYNOPSIS

     Prohibits disclosure of certain personal information by computer services providers.

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning information disclosure by computer services providers and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    As used in this act:

     "Computer" means an electronic, magnetic, optical, electrochemical or other high speed data processing device or another similar device capable of executing a computer program, including arithmetic, logic, memory, data storage or input-output operations and includes all computer equipment connected to such a device, computer system or computer network, but shall not include an automated typewriter or typesetter or a portable, hand-held calculator.

     "Computer equipment" means any equipment or devices, including all input, output, processing, storage, software, or communications facilities, intended to interface with the computer.

     "Computer network" means the interconnection of communication lines, including microwave or other means of electronic communications, with a computer through remote terminals, or a complex consisting of two or more interconnected computers, and shall include the Internet.

     "Computer program" means a series of instructions or statements executable on a computer, which directs the computer system in a manner to produce a desired result.

     "Computer software" means a set of computer programs, data, procedures, and associated documentation concerned with the operation of a computer system.

     "Computer system" means a set of interconnected computer equipment intended to operate as a cohesive system.

     "Data" means information, facts, concepts, or instructions contained in a computer, computer storage medium, computer system, or computer network.  It shall also include, but not be limited to, any alphanumeric, hexadecimal, octal or binary code.

     "Data base" means a collection of data.

     "Financial instrument" includes but is not limited to a check, draft, warrant, money order, note, certificate of deposit, letter of credit, bill of exchange, credit or debit card, transaction authorization mechanism, marketable security and any computer representation of these items.

     "Internet" means the international computer network of both federal and non-federal interoperable packet switched data networks.

     "Personal identifying information" means:

     a.     any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual and includes, but is not limited to, the name, address, telephone number, date of birth, social security number, official State issued identification number, employer or taxpayer number, place of employment, employee identification number, demand deposit account number, savings account number, credit card number, mother's maiden name, unique biometric data, such as fingerprint, voice print, retina or iris image or other unique physical representation, or unique electronic identification number, address or routing code of the individual;

     b.    any password or other code that permits access to any data, data base, computer, computer storage medium, computer program, computer software, computer equipment, computer system or computer network, where access is intended to be secure, restricted or limited; or

     c.     any information utilized, compiled, or maintained by a provider of computer services which identifies individuals or their contact information or computer addresses.

     "Services" includes but is not limited to the use of a computer system, computer network, computer programs, data prepared for computer use and data contained within a computer system or computer network.

     "User of computer services" shall include, but not be limited to, any person, business, computer, computer network, computer system, computer equipment or any other device which makes use of any resources of a computer, computer network, computer system, computer storage medium, computer equipment, data or data base.

     2.    a.  No person or provider of computer services shall disclose, or cause to be disclosed, any data, data base, computer software, computer programs, or personal identifying information of any user of computer services, unless such user of computer services has received proper notice of the provider's disclosure practices, as required pursuant to section 3 of P.L.    , c.     (C.    ) (pending before the Legislature as this bill), and has consented to the disclosure.

     b.    Nothing contained in subsection a. of this section shall be construed to prohibit the disclosure of personal identifying information if the disclosure is:

     (1) Necessary to render or conduct business or provide services to the user of computer services;

     (2) Made pursuant to a court order; or

     (3) For the purpose of extending credit to the user of computer services or to execute or validate a financial instrument transaction incidental to the services provided to the user of computer services.

     3.    Upon first collecting any personal identifying information from a user of computer services, the provider of computer services shall provide a notice to the user of computer services, in a separate statement, that clearly and conspicuously discloses:

     a.     The nature of personal identifying information collected by the provider and the nature of the provider's use of this information;

     b.    The nature, frequency, and purpose of any disclosure of the users' personal identifying information, including an identification of the types of persons or businesses to whom such disclosure may be made;

     c.     The period of time for which any personal identifying information will be maintained by the provider; and

     d.    A description of the procedures by which the user of computer services may obtain access to the personal identifying information collected by the provider.

     The notice required by this section may be provided electronically.

     4.    Upon request, a user of computer services shall be provided access to all personal identifying information that is utilized, compiled, or maintained by a provider of computer services.  A user of computer services shall be provided reasonable opportunity by the provider of computer services to correct errors in personal identifying information and the provider shall promptly correct such information.

     5.    A violation of any provision of this act shall be an unlawful practice pursuant to P.L.1960, c.39 (C.56:8-1 et seq.), provided however that a provider of computer services shall not be deemed in violation of the provisions of this act, if that provider shows by a preponderance of the evidence that the act was not intentional and resulted from a bona fide error made despite reasonable procedures adopted and maintained by the provider to avoid any such error.

     6.    This act shall take effect on the first day of the thirteenth month following enactment.

STATEMENT

     This bill would prohibit the disclosure of certain personal identifying information by providers of computer services.  Under the bill, it would be an unlawful practice for any provider to disclose, or cause to be disclosed, any data, data base, computer software, computer programs, or personal identifying information of any user of computer services, unless the user has received proper notice of the provider's disclosure practices and has consented to the disclosure.  The bill's provisions would not apply to disclosures which are necessary to conduct business or provide services, pursuant to a court order, or to extend credit or validate a financial transaction incidental to the services provided.

     Upon first collecting any personal identifying information, the bill would require providers of computer services to notify the user of computer services, in a separate statement, that clearly and conspicuously discloses:

·        The nature of personal identifying information collected and its use;

·        The nature, frequency, and purpose of any disclosure of users' personal identifying information, including an identification of the types of persons or businesses to whom such disclosure may be made;

·        The period of time for which any personal identifying information will be maintained by the provider; and

·        A description of the procedures by which the user of computer services may obtain access to the personal identifying information collected by the provider.

     The bill would also require providers to grant users of computer services access to all their personal identifying information utilized, compiled, or maintained by the provider and a reasonable opportunity to correct errors.

     The bill specifies that violations are unlawful practices under the Consumer Fraud Act, but that a provider would not be deemed in violation if it shows by a preponderance of the evidence that the act was not intentional and resulted from a bona fide error, despite reasonable procedures designed to prevent such an error.  An unlawful practice under the Consumer Fraud Act is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for any subsequent offense.  In addition, a violation can result in cease and desist orders issued by the Attorney General, the assessment of punitive damages and the awarding of treble damages and costs to the injured.