On December 15, 2008, the Division of Consumer Affairs ("DCA") published its Notice of Pre-Proposed Rule for "Identity Theft, Written Security Programs and Violations." Comments to the Pre-Proposed Rule are due February 13, 2009.
The pre-proposed Subchapter 3 seeks to require every business and every public entity to implement a comprehensive written information security "program" that includes administrative, technical and physical safeguards for the protection of individuals’ social security numbers, driver’s license numbers, state identification card numbers, or an account or credit or debit card number in combination with a required code or means of access that account (defined as "Personal Information"). Also "pre-proposed" are specific procedures for handling security breach incidents, including when and what agencies and individuals must be notified, and what information must be included in that notification.
The original draft of Subchapter 3 was pulled when the regulations proposed pursuant to the Identity Theft Prevention Act were adopted last year on April 7, 2008 due to numerous comments submitted in opposition that original draft. You can keep an eye out for the next draft to follow this "pre-proposed" version of Subchapter 3 on the NJ Division of Consumers website.