← All US breach laws·NJ

New Jersey data breach notification law

New Jersey's data breach notification requirements under N.J. Stat. §56:8-163. Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
N.J. Stat. §56:8-163
Enforcer
New Jersey Division of State Police + Division of Consumer Affairs (AG)
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay
Notify the state regulator
Yes — written notice to the Division of State Police BEFORE notifying residents
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification not required if the business establishes that misuse of PI is not reasonably possible — strict standard
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under New Jersey law

First name/initial + last name with SSN, DL/state ID, financial account + access code, OR username/email + password/security Q&A; ALSO standalone PI that compromises confidentiality

Penalties and enforcement

Up to $10,000 first violation, $20,000 thereafter under Consumer Fraud Act
Enforced by: New Jersey Division of State Police + Division of Consumer Affairs (AG). Official regulator page →

Common pitfalls

New Jersey requires State Police notice BEFORE residents — many counsel sequence consumer first by default and miss this
The 'not reasonably possible' misuse standard is stricter than most states' 'not reasonably likely' — assume notice is required

Frequently asked questions

How long do I have to notify New Jersey residents after a data breach?
In the most expedient time possible and without unreasonable delay
Do I have to notify the New Jersey Attorney General?
Yes — written notice to the Division of State Police BEFORE notifying residents
Does New Jersey require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from New Jersey's breach notification requirement?
Yes — New Jersey has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can New Jersey residents sue me directly for a data breach?
No — New Jersey's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under New Jersey law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, OR username/email + password/security Q&A; ALSO standalone PI that compromises confidentiality
What are the penalties for failing to comply with New Jersey's breach notification law?
Up to $10,000 first violation, $20,000 thereafter under Consumer Fraud Act

Related state breach laws

Nevada (NV)
Nev. Rev. Stat. §§603A.010 to 603A.290 + SB 220
New Hampshire (NH)
N.H. Rev. Stat. §§359-C:19 to 359-C:21
New Mexico (NM)
N.M. Stat. §§57-12C-1 to 57-12C-12
New York (NY)
N.Y. Gen. Bus. Law §899-aa + §899-bb

Pre-empt the New Jersey breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against New Jersey's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit