Memo #21251

Institute Comment Letter on New Jersey's Proposed Consumer Breach and Computer Security System Rules

June 14, 2007

TO: TECHNOLOGY ADVISORY COMMITTEE No. 15-07
RE: INSTITUTE COMMENT LETTER ON NEW JERSEY'S PROPOSED CONSUMER BREACH AND COMPUTER SECURITY SYSTEM RULES


In 2005, the New Jersey Legislature enacted the Identity Theft Prevention Act, which consisted of provisions regulating methods of destruction of customer records, disclosure of breach of security to customers, and public display of social security numbers.  These provisions are largely consistent with similar enactments in other states.  The Act charged New Jersey’s Division of Consumer Affairs (the “Division”), in consultation with the Commissioner of Banking and Insurance, to promulgate regulations necessary to implement the Act.

In April, the Division published its proposed regulations. [1] As discussed in detail in the Institute’s attached comment letter on the proposal, the proposed regulations “appear both to be inconsistent with the Division’s authority under the Act and misguided in seeking to impose a ‘one-size-fits-all’ approach to data security.”  The Institute’s letter provides several examples of instances in which the proposed regulations either exceed the Division’s authority under the Act or are inconsistent with a plain reading of the Act’s provisions.

Of particular concern to the Institute is proposed Regulation 13:45F-3.2, which would impose on every business and governmental entity that maintains a computer security system and that operates in New Jersey very detailed and specific computer security requirements.  Moreover, proposed Regulation 13:45F-3.1(a)(1) would authorize the Department, at any time, to inspect any entity for compliance with these requirements.  The Institute’s letter notes the following concerns with this regulation:

  • It is not authorized – or even contemplated – by the Act.  As such, the Division is exceeding its authority by attempting to mandate computer security systems under a law that regulates notice of security breaches.
  • The requirements of the regulation would apply to every business and governmental entity – including those that are not subject to the Act’s breach disclosure requirements.
  • There is no evidence in the proposal (or in the Act, which is silent on computer security) regarding the need for the Division to promulgate regulations governing computer security.
  • Attempting to impose a “one-size-fits-all” approach to computer security is misguided and not a meaningful or enlightened approach to regulating computer security.
  • The Division’s economic analysis of this regulation is woefully inadequate and misleading.
  • The Division has granted unto itself, through this provision, unbridled inspection authority that, to our knowledge, no other federal or state agency possesses.

The letter discusses each of these issues in detail.


Tamara K. Salmon
Senior Associate Counsel

Attachment

[1] The proposal is available on the Division’s website at: http://www.njconsumeraffairs.gov/proposal/dcapro416.htm.