On June 29, 2012, New Jersey Governor Chris Christie signed into law legislation amending New Jersey’s unclaimed property law relating to the escheat of abandoned stored value cards (SVCs) to the state. Under the original unclaimed property law, which took effect July 1, 2010, SVCs that were inactive for two years were presumed abandoned, and New Jersey required that the monetary value associated with the inactive cards be escheated to the state. Additionally, SVC issuers were required to (a) “obtain” the name and address of each card owner or purchaser, and (b) “at a minimum, maintain a record of the zip code of the owner or purchaser” of each SVC. Under the amended law, SVCs are presumed abandoned after five years of inactivity (as opposed to two years), and SVC issuers have a forty-eight month grace period before they are required to collect the names, addresses, and zip codes of SVC owners or purchasers. Issuers that do not collect purchasers’ names and addresses in the normal course of business or during a card-registration process are exempted from collecting purchasers’ names and addresses under the law, but they are still required to collect and maintain purchasers’ zip codes.
It should be noted that the unclaimed property law potentially conflicts with a separate New Jersey law protecting the personal information of credit card holders (N.J. Stat. § 56:11-17 (2012)). That law makes it unlawful for any person to require the disclosure of any personal identification information from a credit card holder that is not required to complete the transaction as a condition of allowing the card holder to use the credit card to complete the transaction. While we await the resolution of this potential conflict, courts may rule that no conflict exists: § 56:11-17 only addresses credit card use, but the state’s unclaimed property law makes no distinction between payment methods (and, therefore, doesn’t condition the use of a credit card on the collection of personal information).

Earlier this year in United States v. Jones, the United State Supreme Court addressed the privacy implications of Global Positioning Systems (“GPS”), holding that placing a GPS tracking device on a suspect’s car was a “search” under the Fourth Amendment. Though a growing number of employers are using GPS systems to track employee activity on the job, the effect of the Supreme Court’s decision in the private sector remains unclear.

On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The district court’s decision supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see our blog post here) into other jurisdictions.

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).