Back to New Jersey

A1852 • 2026

Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Kennedy, James J.
Last action
2026-01-13
Official status
Introduced, Referred to Assembly Consumer Affairs Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

What This Bill Does

  • Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.
  • Topic: Consumer Affairs Fiscal note: This bill has not been certified by OLS for a fiscal note.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-01-13 New Jersey Legislature

    Introduced, Referred to Assembly Consumer Affairs Committee

Official Summary Text

Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.
Topic:
Consumer Affairs
Fiscal note:
This bill has not been certified by OLS for a fiscal note.

Current Bill Text

Read the full stored bill text
A1852

ASSEMBLY, No. 1852

STATE OF NEW JERSEY

222nd LEGISLATURE

�

PRE-FILED FOR INTRODUCTION IN THE 2026 SESSION

Sponsored by:

Assemblyman JAMES J. KENNEDY

District 22 (Somerset and Union)

Assemblywoman VERLINA REYNOLDS-JACKSON

District 15 (Hunterdon and Mercer)

SYNOPSIS

���� Requires certain notifications and free credit
reports for customers following breach of security of personal information
within business or public entity.

CURRENT VERSION OF TEXT

���� Introduced Pending Technical Review by Legislative
Counsel.

��

An Act

concerning breaches of security of personal
information and amending P.L.2005, c.226.

����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:

���� 1.��� Section 12 of P.L.2005,
c.226 (C.56:8-163) is amended to read as follows:

���� 12.��� a.�� Any business that
conducts business in New Jersey, or any public entity that compiles or
maintains computerized records that include personal information, shall
disclose any breach of security of those computerized records following
discovery or notification of the breach to any customer who is a resident of
New Jersey whose personal information was, or is reasonably believed to have
been, accessed by an unauthorized person.� The disclosure to a customer shall
be made in the most expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as provided in
subsection c. of this section, or any measures necessary to determine the scope
of the breach and restore the reasonable integrity of the data system.� Disclosure
of a breach of security to a customer shall not be required under this section
if the business or public entity establishes that misuse of the information is
not reasonably possible.� Any determination shall be documented in writing and
retained for five years.

���� b.���
[
Any
]

Whenever a

business or public entity that compiles or maintains computerized records that
include personal information on behalf of another business or public entity
experiences
a breach of security, the business or public entity that compiles or maintains
the computerized records
shall
:

����
(1)
��� notify that
business or public entity, who shall notify its New Jersey customers, as
provided in subsection a. of this section, of any breach of security of the
computerized records immediately following discovery, if the personal
information was, or is reasonably believed to have been, accessed by an
unauthorized person
; and

����
(2)�� be responsible for:

����
(a)�� reimbursing the
business or public entity for the cost of notifying its New Jersey customers
pursuant to paragraph (1) of this subsection; and

����
(b)�� the cost incurred for
providing customer access to independent credit reports pursuant to subsection
h. of this section
.

���� c.���� (1)���� Any business or
public entity required under this section to disclose a breach of security of a
customer's personal information shall, in advance of the disclosure to the
customer, report the breach of security and any information pertaining to the

breach to the Division of State
Police in the Department of Law and Public Safety for investigation or
handling, which may include dissemination or referral to other appropriate law
enforcement entities.

���� (2)�� The notification
required by this section shall be delayed if a law enforcement agency
determines that the notification will impede a criminal or civil investigation
and that agency has made a request that the notification be delayed.� The
notification required by this section shall be made after the law enforcement
agency determines that its disclosure will not compromise the investigation and
notifies that business or public entity.

���� �d.�� For purposes of this
section, notice may be provided by one of the following methods:

���� (1)�� Written notice;
or

���� (2)�� Electronic notice, if
the notice provided is consistent with the provisions regarding electronic
records and signatures set forth in section 101 of the federal "Electronic
Signatures in Global and National Commerce Act" (15 U.S.C. s.7001)
[
; or

���� (3)�� Substitute notice, if
the business or public entity demonstrates that the cost of providing notice
would exceed $250,000, or that the affected class of subject persons to be
notified exceeds 500,000, or the business or public entity does not have
sufficient contact information.� Substitute notice shall consist of all of the
following:

���� (a)�� E-mail notice when the
business or public entity has an e-mail address;

���� (b)�� Conspicuous posting of
the notice on the Internet web site page of the business or public entity, if
the business or public entity maintains one; and

���� (c)�� Notification to major
Statewide media
]
.

���� �e.���
[
Notwithstanding
subsection d. of this section, a business or public entity that maintains its
own notification procedures as part of an information security policy for the
treatment of personal information, and is otherwise consistent with the
requirements of this section, shall be deemed to be in compliance with the
notification requirements of this section if the business or public entity
notifies subject customers in accordance with its policies in the event of a
breach of security of the system.
]
�
(
Deleted by amendment, P.L.���� , c.��� ) (pending before the Legislature as
this bill)

���� �f.��� In addition to any
other disclosure or notification required under this section, in the event that
a business or public entity discovers circumstances requiring notification
pursuant to this section of more than 1,000 persons at one time, the business
or public entity shall also notify, without unreasonable delay, all consumer
reporting agencies that compile or maintain files on consumers on a nationwide
basis, as defined by subsection (p) of section 603 of the federal "Fair
Credit Reporting Act" (15 U.S.C. s.1681a), of the timing, distribution and
content of the notices.

���� �
g.�� The notice required
under this section shall contain contact information, including a toll free
telephone number, of a customer representative of the business or public entity
who shall be available to give the customer information on:

����
(1)�� what information has
been compromised and potential consequences of the breach of security;

����
(2)�� how the company or
public entity is addressing the breach;

����
(3)�� what steps the
customer may take to safeguard the customer�s information; and

����
(4)�� notification that the
customer has access to free credit reports pursuant to subsection h. of this
section.

���� �
h.�� For a period of six
months following notification of a breach of security, the business or public
entity shall provide a customer with access to independent credit reports from
a consumer reporting agency.� The business or public entity shall supply the appropriate
contact information of the consumer reporting agency and, except as provided in
paragraph (2) of subsection b. of this section,

pay any fees to that
consumer reporting agency for supplying the customer with a credit report once
per month for a period of 12 months following the customer�s initial request
for a credit report.� The customer shall be notified of the customer�s access
to free credit reports when the business or public entity notifies the customer
of the breach of security.

(cf: P.L.2005, c.226, s.12)

���� 2.��� This act shall take
effect on the first day of the third month following the date of enactment.

STATEMENT

���� This bill requires businesses
and public entities to provide customers with certain notifications following a
breach of security that compromises the personal information of customers.�

���� Under current law, following a
breach of security, a business or public entity is required to disclose the
breach of security of those computerized records following discovery or
notification of the breach to any customer who is a resident of New Jersey
whose personal information was, or is reasonably believed to have been,
accessed by an unauthorized person.� The bill requires that customers receive this
notification through either written or electronic notice.� Under the bill,
businesses and public entities may no longer provide notification through
substitute notice, which is permitted under current law for certain breaches of
security.

���� The bill requires the notice to
contain contact information, including a toll free telephone number, of a
customer representative of the business or public entity who is available to
give the customer information on:

���� (1)�� what information has
been compromised and potential consequences of the breach of security;

���� (2)�� how the company or
public entity is addressing the breach;

���� (3)�� what steps the customer
may take to safeguard the customer�s information; and

���� (4)�� notification that the
customer has access to free credit reports.

���� The bill, provides that
whenever a business or public entity that compiles or maintains computerized
records that include personal information on behalf of another business or
public entity experiences a security breach, the third party entity is
responsible for reimbursing the business or public entity the cost of notifying
its New Jersey customers of the security breach, as required under current law,
and the cost incurred for providing customer access to independent credit
reports, as required by the bill.

���� Additionally, for a period of
six months following notification of a breach of security, the business or
public entity is required to provide a customer with access to independent
credit reports from a consumer reporting agency (CRA).� When the business or
public entity notifies a customer of a security breach, it would also provide
notice of the customer�s access to free credit reports.� The business or public
entity is to supply the appropriate contact information of the CRA.� The
business or public entity, or the third party entity that compiles or maintains
computerized records on its behalf, would pay any fees to the CRA for supplying
the customer with a credit report once per month for a period of 12 months
following the customer�s initial request for a credit report.