New Jersey businesses will soon be required to notify affected consumers following a data breach that involves online account information that would allow access to the consumer’s online account.

The state’s data breach notification law requires businesses to notify consumers following a data breach involving personal information. In March, the governor signed legislation (AB 3245) expanding the definition of “personal information” in the law to include online account information. The amendment takes effect July 1.

Prior to the amendment, New Jersey defined personal information as an individual’s first name or first initial and last name in combination with:

• Social Security number
• Driver’s license number
• State identification card number
• Account number or credit or debit card number in combination with the required access code that would permit access to an individual’s financial account

With the recent amendment, personal information now also includes any of the following, in combination with any password or security question and answer that would permit access to an online account:

• User name
• Email address
• Any other account holder identifying information

New Jersey is not the first state to include online account information within the definition of personal information. Effective March 1, 2020, the state of Washington will join New Jersey and other states such as Wyoming, Florida, Rhode Island and Nevada, to name a few, that also include online account information in their definitions of personal information.