In an effort to educate the public about online privacy risks, Attorney General Gurbir S. Grewal and the New Jersey State Police today announced 2017 statistics regarding data breaches affecting New Jersey residents.
According to officials, the statistics showed that 958 data breaches were reported to State Police in 2017, a 41 percent increase from the 676 breaches reported to State Police in 2016. During 2017, the Attorney General’s Office also oversaw a number of significant data privacy investigations, which resulted in $4.8 million in civil settlements with the State.
The single largest data breach reported in 2017 involved Equifax, which affected more than 4 million New Jersey residents. In total, the 958 breaches reported in 2017 affected more than 4.38 million accounts belonging to New Jersey residents (the vast majority of which resulted from the Equifax breach). In 2016, the first year that the Attorney General’s Office collected such data, approximately 116,000 New Jersey account holders were affected by data breaches.
As part of today’s announcement, and in conjunction with National Cybersecurity Month, the Division of Consumer Affairs (DCA) is also releasing tips for New Jersey residents about how they can better protect their sensitive personal information. The effort is part of a broader effort by Attorney General Grewal to strengthen the state’s cybersecurity protections, and follows an announcement earlier this year of the creation of a Data Privacy & Cybersecurity Section within the Division of Law (DOL) to investigate data privacy cases and advise state agencies on related matters.
“As more of our daily activities take place online and on our devices, we must be increasingly vigilant to protect our personal information,” said Attorney General Grewal. “Cybersecurity Awareness Month reminds us to take an extra look at our accounts. I encourage everyone to review the tips for keeping yourself and your information safe and to report any activity that seems suspicious.”
"We want New Jersey residents to take the time to view the security of their online accounts as they would the security of their homes and vehicles," said Colonel Patrick Callahan of the New Jersey State Police. "As our public safety and homeland security missions evolve, so too will the troopers tasked with investigating and preventing crime whether it is on land, water, air, or on the internet."
The New Jersey Cybersecurity & Communications Integration Cell is the state’s one-stop shop for cybersecurity information sharing, threat analysis, and incident reporting. Located at the State Police Regional Operations Intelligence Center, the NJCCIC brings together analysts and engineers to promote statewide awareness of cyber threats and widespread adoption of best practices.
“In today’s digital economy, it’s difficult, if not impossible, for consumers to avoid having their personal information end up stored in multiple databases,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “Consumers must become their own first line of defense against identity theft and other cyber-crimes. As the Division continues to protect consumers by vigilantly enforcing laws requiring companies to secure the data they collect, we encourage consumers to visit our website for tips on safeguarding their personal information online and to immediately file complaints against cyber predators.”
“The world is becoming increasingly interconnected by the minute. Our computers, phones, refrigerators, and televisions all connect to the internet. Cybersecurity has become a major priority, which is why the NJCCIC is such a critical component of NJOHSP,” said Jared Maples, Director of the New Jersey Office of Homeland Security and Preparedness. “People that interact with these connected devices are often the first line of defense in cybersecurity. However, it also means they are the biggest vulnerability. As a result, cybersecurity is everyone’s responsibility. Training and general cybersecurity awareness is imperative to protect the residents and visitors of New Jersey.”
“Over the course of the year, the NJCCIC has published its “Be Sure to Secure” series of best practices that New Jersey citizens can use to help protect their privacy and the security of their sensitive information,” said Michael Geraghty, Director of the New Jersey Cybersecurity and Communications Integration Cell. “We encourage everyone to review and implement these best practices. They can be found at https://www.cyber.nj.gov/be-sure-to-secure.”
The Attorney General’s Office and the State Police today released the following information on data breaches in New Jersey in 2017. Data breaches may involve identity theft or unauthorized access or use of personal health information, trade secrets or intellectual property. These totals include only incidents that were required by law to be reported to the State Police because they met the definition of “data breach” under New Jersey law. Other incidents that might be considered “data breaches” but that did not meet the statutory definition would not have been reported to State Police or included in these statistics.
Total Number of Data Breaches Reported in 2017 (reported to New Jersey State Police as required by N.J.S.A. 56:8-163): 958
New Jersey accounts affected by breaches (estimate) (accounts affected do not equal New Jersey residents affected, as individual residents may have more than one affected account and one account may contain more than one person’s data, such as life insurance, tax documents, etc.): 4,382,853
Business sectors affected (estimates):
The business sectors most often involved with breaches include finance/banking, health services followed by business services and retail trade. Other areas include education, restaurant, industrial/manufacturing, hotels, non-profits, non-medical insurance, and telecommunications, among others.
Methods of breaches reported include:
The methods used to breach security were led by phishing, a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, instant message or other communication channels, and hacking. Website malware, employee incident, unauthorized email access and ransomware were also utilized.
The New Jersey Attorney General’s Office, through the Division of Law and the Division of Consumer Affairs, has taken action this year in the following cases to protect consumers:
Virtua Medical Group - In April DOL and DCA announced a settlement of an investigation into alleged violations of the Health Information Portability and Accountability Act (HIPAA) and New Jersey Consumer Fraud Act ("CFA") relating to the disclosure of patient medical records by a Virtua vendor. In addition to requirements that the company tighten its security practices relating to handling of patient records and vendor retention, Virtua also agreed to a $418,000 settlement amount.
Along with the announcement of a new enforcement section dedicated to consumer data privacy and cybersecurity issues within DOL, the AG publicly announced an investigation of Facebook after revelations of the Cambridge Analytica data breach.
Meitu - In May, DCA and DOL announced that Meitu, Inc., a Chinese software and consumer electronics company, agreed to pay $100,000 and change its business practices to resolve the Division’s investigation into allegations it violated the Children’s Online Privacy Protection Act (“COPPA”) and the CFA in collecting personal information from children who downloaded its mobile apps.
UNIXIZ - In August, the operator of a teen social website agreed to close its site in a settlement that also assessed more than $98,000 in civil penalties against the company. DCA alleged that, among other issues, the company failed to adequately secure children's personal information as required by COPPA.
Lightyear Dealer Technologies - In September, DCA and DOL announced a settlement with Lightyear Dealer Technologies, a software company that DCA alleged violated the CFA when the company exposed the personal information that its car dealership clients entrusted it to store securely. The company agreed to reform its business practices and also agreed to an $80,000 settlement amount.
Uber - As a part of a multi-state settlement with 49 other states and the District of Columbia, Uber resolved allegations that it violated state data breach notification laws when it failed to timely report a breach of security that impacted hundreds of thousands of Uber drivers' license information, including over 16,000 NJ drivers. The $148 million settlement is the largest data breach settlement in history, and New Jersey received $3.75 million as an Executive Committee state that participated in the resolution of this matter.
Aetna, Inc. – In October the Office of the Attorney General announced that a multi-state investigation of Aetna for its breach of subscriber information has been resolved. On two separate occasions, Aetna sent mailers to its subscribers which potentially disclosed medical information regarding those subscribers, including information about AIDS/HIV medication. As a part of the settlement, Aetna has agreed to reform its business with respect to subscriber mailings, and pay NJ $365,000 in civil penalties. NJ coordinated the investigation and jointly negotiated the resolution of this matter with Washington, Connecticut, and DC, which entered into separate agreements with the company.
The NJCCIC statewide campaign:
“2FA for New Jersey” or “#2FA4NJ” – to promote awareness of two-factor authentication (2FA). From securing email accounts to remote access tools and online banking, 2FA is a simple but highly effective best practice for protecting against identity theft and bolstering privacy. For more information, visit the NJCCIC website: www.cyber.nj.gov. The website allows individuals to directly report data breaches or cyber incidents, and allows residents to register to receive alerts, advisories, bulletins and training information.
The Division of Consumer Affairs outreach:
Professional Boards Outreach - Board of Accountancy. In response to reports of e-mail phishing schemes and other computer intrusion targeting tax preparers, the Board of Accountancy issued a bulletin that provided recommendations for providers of accounting services who handle personally identifiable information.
The Division of Consumer Affairs offers the following Tips to Consumers:
Avoid clicking on e-mail links or attachments from unknown individuals, financial institutions, computer services or government agencies. To check out the message, go to the sender's legitimate public website, and use the contact information provided.
Adjust device privacy settings to control sharing of data between applications, software and address books.
Choose a strong password containing letters, numbers and symbols. If a website offers two-factor authentication security, use it.
To protect your device from unauthorized access and malware software, install security software, often available from your internet provider, and ensure that firewall and anti-virus protections are updated continually.
Before disposing of any electronic device, wipe the hard drive using specialized software that will overwrite your information; or donate the device to a certified recycling facility that follows government standards for the destruction of data.
Under federal law, consumers can get three free credit reports per year through www.annualcreditreport.com. New Jersey law entitles consumers to an additional three free credit reports annually – one from each of the national credit reporting agencies. Scrupulous checking of credit reports, bank and credit card statements, and subscription services can catch identity theft at its earliest stages.
Avoid free Wi-Fi, especially for health, financial, and other personal transactions.
Before giving up your personal information to win a contest or participate in a survey, read the "Terms and Conditions" and "Privacy Policy" within the website or app. These sections should clearly lay out how the website will use and share your information.
Parents can report concerns about websites directed to children to the Division of Consumer Affairs, which enforces the federal Children’s Online Privacy Protection Act (COPPA). Parents should take advantage of parental control software offered by their internet service provider, adjust browser settings to limit children's access, and review history logs to monitor usage.
Cybersecurity Resources:
New Jersey Division of Consumer Affairs, Office of Consumer Protection, Cyber Fraud Unit https://www.njconsumeraffairs.gov/ocp/Pages/cyberfraud.aspx
New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) https://www.cyber.nj.gov
Federal Trade Commission https://www.ftc.gov
Federal Communications Commission Cyberplanner https://www.fcc.gov/cyberplanner
U.S. Department of Health and Human Services – HIPAA for Professionals https://www.hhs.gov/hipaa/for-professionals/index.html
United States Small Business Administration’s “Cybersecurity for Small Businesses” training https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses
American Institute of CPAs – Cybersecurity Resource Center https://www.aicpa.org/INTERESTAREAS/FRC/ASSURANCEADVISORYSERVICES/Pages/cyber-security-resource-center.aspx
United States Computer Emergency Readiness Team https://www.us-cert.gov
United States Department of Homeland Security, Cyber Security Division https://www.dhs.gov/science-and-technology/cyber-security-division
National Cybersecurity and Communications Integration Center https://www.us-cert.gov/nccic
Free Annual Credit Report Website Authorized by Federal Law https://www.annualcreditreport.com/index.action and 1-877-322-8228
U.S. Department of Health and Human Services – HIPAA for Individuals http://www.hhs.gov/hipaa/for-individuals/index.html
FDIC - A Bank Customer's Guide to Cybersecurity https://www.fdic.gov/consumers/consumer/news/cnwin16/