Pub. 23 2024 Issue 4

Data Privacy and Cybersecurity Update

BY MARY T. COSTIGAN, ESQ., PRINCIPAL, AND JASON GAVEJIAN, ESQ., PRINCIPAL, JACKSON LEWIS P.C.

Data protection and cybersecurity are a growing concern for companies, particularly dealerships. The following is a summary of the three data protection laws that went into effect or were enacted in 2024.

THE NJ DATA PROTECTION ACT

The New Jersey Data Protection Act (NJ DPA) is a comprehensive consumer data protection law that went into effect on January 15, 2025. The Act applies to organizations that conduct business in New Jersey OR produce products or provide services targeted to New Jersey residents; AND during a calendar year:

• Control or process the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
• Control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of any goods or services from the sale of personal data.

The Act excludes financial institutions, data, or affiliates of a financial institution that are subject to the Gramm‑Leach‑Bliley Act (GLBA), which may include auto dealerships that offer consumers financial products or services involving credit, loans, and leases. Entities that do not offer financial services and are not subject to GLBA may be subject to the NJ DPA. The DPA does not apply to employment-related personal data or data collected in the business‑to‑business context.

Obligations imposed by the Act on covered businesses include:

• Providing a privacy notice to consumers.
• Responding to consumer requests to access, correct, or delete the personal data collected by the business, or requests to opt out of the business selling that data to a third party or using it to serve online targeted advertising.
• Implementing reasonable safeguards to protect consumer data.
• Contractually obligating service providers with access to the business’ consumer data to implement reasonable safeguards to protect it.

56:12-18.1 (NJ BILL A4723)

Effective January 2024, motor vehicle dealers must offer to delete a consumer’s personal data from a vehicle upon taking possession of the vehicle for resale or lease. The connected nature of vehicles means that certain information systems (such as navigation history, paired phone, garage door codes, etc.) collect and store consumer personal data. A motor vehicle dealer who violates this law may be subject to a civil penalty of $500 for a first offense and $1,000 for any subsequent offense.

AMENDMENT TO THE FTC SAFEGUARDS RULE

Effective June 2024, motor vehicle dealerships that are subject to GLBA must notify the Federal Trade Commission within 30 days of discovering a security breach that impacts the information of 500 or more consumers. This reporting obligation is in addition to any state data breach notification obligations that may apply. The amendment applies to incidents directly impacting a dealership as well as those impacting a vendor or service provider who has access to or processes information on behalf of the dealership.

The breach notification rule supplements the Safeguards Rule requirement that dealerships maintain a comprehensive written information security program to protect customer information and an incident response plan, monitor service providers who have access to or process information on behalf of the dealership, and conduct employee security awareness training. Failure to comply with the Safeguards Rule can result in substantial financial penalties.

Mary T. Costigan and Jason Gavejian are Principals with Jackson Lewis P.C. and members of the firm’s national Privacy, Data and Cybersecurity practice group. Mary and Jason work out of the firm’s Berkeley Heights office and can be reached via email at mary.costigan@jacksonlewis.com and jason.gavejian@jacksonlewis.com.
NEW JERSEY auto retailer
