Current through Register Vol. 56, No. 24, December 18, 2024
(a)
Definitions. The following terms, when used in this section, shall have the
following meanings, unless the context clearly indicates otherwise:
"Agreement" means the agreement between the New Jersey Motor
Vehicle Commission and a commercial Program participant or a nonprofit
organization or not-for-profit organization.
"Applicant" means a person, governmental entity, or nonprofit
organization or not-for-profit organization that is requesting access to a
motor vehicle record or records.
"Application" means the application for the Commission's
Limited Online Access Program or Standard Data Files Program.
"Authorized recipient" as provided at N.J.S.A. 39:2-3.4(d),
means a person authorized to receive personal information from the Commission
pursuant to N.J.S.A. 39:2-3.4(c).
"Commercial Program participant" means a Program participant
that is not a governmental entity, nonprofit or not-for-profit entity.
"Commission" means the New Jersey Motor Vehicle
Commission.
"Employee and agent list" means a list of all proposed
authorized employees or agents that the Program participant seeks to allow to
use any electronic communications established for the Limited Online Access
Program and any data or information obtained therefrom.
"End user" means any person or entity for whose use
information is requested from the Commission's database. An end user may be
either the person requesting the information or another person on whose behalf
the information is requested.
"Governmental entity" means the State, Federal government,
county, municipality, or any subdivision thereof.
"Limited Online Access Program" means a process in which a
Program participant establishes electronic communications with the Commission
to receive motor vehicle record information on a per record basis.
"MOU" means a memorandum of understanding between the
Commission and a governmental entity.
"Nonprofit organization" or "not-for-profit organization"
means an organization that presents proof, acceptable to the Chief
Administrator, of its status as a nonprofit or not-for-profit organization, and
that is exempt from taxation pursuant to Internal Revenue Code 501(c) and
N.J.S.A. 54:32B-9(b) or 9(f)(1), and has presented to the Commission the
organization's certificate or articles of incorporation or other satisfactory
proof of nonprofit or not-for-profit status that is acceptable to the Chief
Administrator.
"Permitted purposes" means one or more of the uses of
personal information permitted by the Federal Driver's Privacy Protection Act
of 1984,
18
U.S.C. §§
2721 et seq. (Federal
DPPA), and the New Jersey Driver's Privacy Protection Act, N.J.S.A. 39:2-3.3 et
seq. (New Jersey DPPA), and that is explicitly set forth by the Program
participant on the applicant's application and approved by the Commission;
political and commercial solicitation and marketing shall not constitute
permitted purposes.
"Person" means an individual, organization, or entity, but
does not include the State, or a political subdivision thereof, consistent with
N.J.S.A. 39:2-3.3.
"Personal information" means information that identifies an
individual, including an individual's photograph; Social Security number;
driver identification number; name; address other than the five digit zip code;
telephone number; and medical or disability information, but does not include
information on vehicular accidents, driving violations, and driver's
status.
"Program" means the Limited Online Access Program and
Standard Data Files Program.
"Program participant" means any persons, governmental
entities, or nonprofit organization or not-for-profit organization approved for
participation in the Limited Online Access Program or the Standard Data Files
Program, including all officers, owners with an interest of 10 percent or more,
managers, and all employees, agents, or subcontractors thereof.
"Standard Data Files Program" means a process by which motor
vehicle records are provided by the Commission, based on a set of criteria and
assembled into a file and provided to the Program participant either on a
one-time basis or according to a regular schedule.
(b) Persons requesting to purchase a
government record shall pay the fee established by the Motor Vehicle Commission
as set forth in this section.
(c)
The fees are as follows:
1. A Driver History
Abstract:
2. A Notice of Scheduled Suspension, Order of
Suspension or Notice of Restoration:
5. Registration or Driver License
Application:
6. Boat
Registration Application:
7. Final Decision
of Chief Administrator:
8. File Search of Motor
Vehicle Commission Records:
(d) Payment
shall be made by check or money order payable to the New Jersey Motor Vehicle
Commission, or by any other method approved by the Chief
Administrator.
(e) Except as
otherwise provided at (f) and (g) below, governmental entities within and
outside the State, and nonprofit and not-for-profit organizations within and
outside the State are exempt from the fees set forth in this section.
(f) Notwithstanding the fees set forth in
this section, the Chief Administrator shall collect from Limited Online Access
Program participants, and a fee of $ 12.00 for each driver history record
requested online; a fee of $ 12.00 for each vehicle registration record or each
title record requested online; a fee of $ 12.00 for each title history
requested online; and a fee of $ 2.00 for each abbreviated driver history
record, known as a driver status record, requested online. Governmental
entities and nonprofit and not-for-profit organizations shall pay an
administrative fee of $ 150.00 for every 5,000 records, or part thereof, per
calendar year.
(g) Notwithstanding
the fees set forth in this section, the Chief Administrator shall collect a fee
of $.05 per individual registration record and individual title record from
users of the Standard Data Files Program, which provides for the electronic
transmittal of registration and title records. The Chief Administrator may, in
accordance with the New Jersey Driver's Privacy Protection Act (N.J.S.A. 39:2-3.3 et seq.), redact personal information from the registration and title
records made available through the Standard Data Files Program. In all cases,
the social security number shall be redacted from the registration and title
records made available through the Standard Data Files Program. A business
user's utilization of personal information contained in the registration and
title records that are made available through the Standard Data Files Program
shall be subject to the disclosure limitations set forth in the New Jersey
Driver's Privacy Protection Act (N.J.S.A. 39:2-3.4). In addition to the per
record fee set forth above, the Chief Administrator shall collect from users of
the Standard Data Files Program a fee for data processing costs incurred in
formatting the registration and title records requested by the user. The
Commission will consider custom or ad hoc records requests on a case-by-case
basis. The fee for a custom or ad hoc request shall be calculated on a
case-by-case basis, and based on the costs, both direct and indirect, to the
Commission of supplying the requested information. In lieu of the fee of $.05
per record, governmental entities and nonprofit and not-for-profit
organizations shall pay an administrative fee of $ 100.00 per file.
(h) Application for participation in the
Commission's Limited Online Access Program. Applicants for participation in the
Commission's Limited Online Access Program must complete an application on a
form to be provided by the Commission. At a minimum, the applicant must provide
the following information:
1. The applicant's
full name and tax identification number;
2. Whether any parent companies, subsidiary
companies, or related companies or entities purchase information from the
Commission, and, if so, the name of the company or entity, the relationship to
the applicant, and whether the company or entity has ever been suspended or
permanently revoked from purchasing information from the Commission;
3. Any other names under which the applicant
has done or does business;
4.
Whether the owners or principals of the applicant have ever had their ability
to obtain records from the Commission, State, or any other state or
jurisdiction suspended or revoked;
5. Whether the owners, principals, partners,
officers, employees, or agents of the applicant have ever been convicted of a
crime arising out of fraud; violence against another person; improper
use/release of personal information; or relating to fraud in connection with
the sale of a motor vehicle, in this State or any other state or
jurisdiction;
6. The nature of the
applicant's business activity;
7.
Contact information for the applicant's representative, including a driver
license number and a valid email address;
8. The type of access requested, including
whether requests will be individual or batch requests, the type of information
requested, identification of all employees that will have access to the online
system, and whether applicant will be reselling or redisclosing the Commission
records;
9. If the applicant will
be reselling or redisclosing Commission records, the applicant must submit a
list of clients and a separate document detailing the procedures and methods
applicant will use to monitor the use of the information to ensure that
applicant's clients comply with the New Jersey DPPA;
10. A completed Motor Vehicle Commission
Technology Questionnaire;
11. The
applicant shall submit a list of all proposed authorized individuals, including
owners, principals, partners, officers of the applicant, and employees or
agents, who will have access to Motor Vehicle Commission records and
information. The applicant shall also submit a signed statement certifying that
criminal history record background checks were performed on all owners,
principals, partners, officers of the applicant, and employees or agents of the
applicant that will have access to Motor Vehicle Commission records and
information. The applicant shall also maintain a signed statement from all
owners, principals, partners, officers of the applicant, and employees or
agents of the applicant that will have access to Motor Vehicle Commission
records and information certifying that they do not have any record of criminal
history as specified at (h)5 above. Any principal, partner, officer of the
applicant, or employee or agent of the applicant who has any record of criminal
history as specified at (h)5 above shall be prohibited from access to Motor
Vehicle Commission records and information. The applicant shall have an ongoing
duty to the Motor Vehicle Commission to provide an updated certified statement
and list of users who will have access to Motor Vehicle Commission records and
information;
12. A certification of
applicant agreeing to limit its use of all information obtained from the
Commission to the specific permitted purposes set forth by applicant in its
approved application, the agreement or MOU with the Commission, and pursuant to
the terms of the New Jersey DPPA;
13. The Program participant is strictly
prohibited from using Commission records to conduct surveillance or to
investigate or locate an individual for reasons not specifically related to
motor vehicle activity, including, but not limited to, immigration enforcement,
divorce or domestic disputes, and matchmaking services. If reselling or
redisclosing the data and/or information, the Program participant shall require
the third-parties/end-users to represent in writing to the Program participant
that they agree not to use Commission records to conduct surveillance or to
investigate or locate an individual for reasons not specifically related to
motor vehicle activity, including, but not limited to, immigration enforcement,
divorce disputes, and matchmaking services; and
14. Any additional information the Chief
Administrator may deem necessary.
(i) Program participant agreement or MOU for
the Commission's Limited Online Access Program. If the applicant's application
is approved, the applicant must execute an agreement or MOU with the
Commission, to be reviewed by a member of the Commission's executive staff, and
in a form to be provided by the Commission, to be accepted into the
Commission's Limited Online Access Program and become a Program participant.
The agreement or MOU may contain such terms and conditions as deemed necessary
by the Commission for the protection of data and information provided by the
Commission. The agreement or MOU shall contain, at a minimum, provisions
addressing the following:
1. A description of
the permitted purposes;
2. A
description of the information and data to be provided pursuant to the
agreement or MOU;
3. Restrictions
upon use of the information provided pursuant to the agreement or
MOU;
4. Confidentiality agreements
between the Commission and applicant;
5. Identification of persons authorized to
access data and information;
6.
Security standards covering data supplied by the Commission, applicant's
hardware, applicant's software, applicant's system, applicant's data
transmission, applicant's network, and applicant's physical location;
7. Recordkeeping requirements;
8. Records retention requirements;
9. Storage of information and data;
13. If the applicant is reselling or
redisclosing Commission information, the terms under which that information may
be resold or redisclosed and used by third parties, and any restrictions on the
resale or redisclosure of information to third parties; and
14. Such other conditions as deemed necessary
by the Chief Administrator.
(j) Denial, suspension, or revocation of a
Program participant's access to Limited Online Access Program.
1. The Commission may deny, suspend, or
revoke a Program participant's online access for any of the following reasons:
i. The application is incomplete;
ii. The applicant requests access to
residence address information when not authorized to obtain such access
pursuant to statute, rule, or rule of court;
iii. Based on the applicant's stated purpose
for requesting information, the Commission determines that the public interest
in withholding the information outweighs the public interest in releasing the
information;
iv. The information on
the application is incorrect, false, misleading, or identifies an intended use
of the information requested that is not an approved use;
v. The applicant, or a representative of the
applicant, was previously a Program participant or a managerial employee of a
Program participant whose online access was revoked for cause and never
reissued by the Commission, or was suspended for cause and the terms of the
suspension are not fulfilled. For the purposes of this subparagraph, a
representative means an owner, principal, proprietor, limited or general
partner, a managerial employee, or a director or officer active in the
management, direction, or control of the business of the Program participant,
or a parent, subsidiary, or related entity to the Program participant. A
managerial employee is any person who exercises managerial control over the
business of a Program participant;
vi. The Program participant, or any employee
or agent of the Program participant, used information received from the
Commission for a purpose other than the purpose stated in the application of
the Program participant or approved by the Commission;
vii. The Program participant, or any employee
or agent of the Program participant, used information received from the
Commission in violation of the New Jersey DPPA;
viii. The Program participant submitted a
check, draft, money order, or other means of payment to the Commission, that
was thereafter dishonored when presented for payment;
ix. The Program participant sold or otherwise
delivered information obtained from the Commission to a person other than the
person or entity for whom the information was obtained;
x. The Program participant failed to pay for
information received from the Commission;
xi. The Program participant or any
representative of the Program participant represented to any person that the
Program participant or such representative was an officer, agent, or employee
of, or otherwise affiliated with, the Commission;
xii. The Program participant published any
false or misleading advertising related to the purchase of information from the
Commission;
xiii. The Program
participant used the Commission logo in any advertising or other materials used
in the business of the Program participant. The Program participant may not use
the Commission logo in any advertising;
xiv. The Program participant violated any of
the provisions contained in applicable rules;
xv. The Program participant has been
convicted of a crime arising out of fraud in connection with the sale of a
motor vehicle in any state, a felony in any state, or a crime involving
violence against another person in any state, or the Program participant is
affiliated with any other Program participant or other requester whose access
to Commission data and information has been, or was suspended or revoked, and
not reinstated;
xvi. The agreement
or MOU between the Commission and the Program participant has expired;
or
xvii. For any other reason
determined to be appropriate by the Commission.
2. The Commission may terminate any Program
participant's access to the Limited Online Access Program, and any agreement or
MOU with a Program participant in its sole discretion, upon 10 days notice to
the Program participant.
3. The
Commission may terminate a Program participant's access to the Limited Online
Access Program, and any agreement or MOU with a Program participant immediately
and in its sole discretion, if it believes the individual or public health or
individual or public safety may be at risk.
4. The Commission may terminate a Program
participant's access to the Limited Online Access Program, and any agreement or
MOU with a Program participant if the Program participant or end users are
found to be using Commission records to conduct surveillance or to investigate
or locate an individual, unless pursuant to
N.J.S.A. 39:2-3.4(c)(6), for use by
an insurer or insurance support organization, its agents, employees or
contractors, or by a self-insured entity, or its agents, employees, or
contractors, in connection with claims investigation activities, antifraud
activities, ratings, or underwriting. For any other purpose involving
surveillance, the Program participant must submit an individual request for the
evaluation and consideration of the Commission.
5. The Commission may cancel or amend a
Program participant's access to the Limited Online Access Program, and any
agreement or MOU with a Program participant, if such cancellation or amendment
is deemed necessary by the Commission due to any changed requirement in the law
or Commission policy that would prohibit such access or agreement, or upon a
determination by the Commission that there has been a breach of the integrity
or security of the data or information provided to the Program participant, or
a failure of the Program participant to comply with established procedures or
legal requirements relating to the Limited Online Access Program.
6. The Program participant is required to
ensure that all end users comply with all the terms, conditions, and
limitations of the Program participant's agreement or MOU with the Commission
and is required to ensure that its end users use any and all data and
information solely for the permitted purposes set forth in the Program
participant's agreement or MOU with the Commission. A violation of the terms of
the agreement between the Program participant and the end users to whom the
Program participant sells or discloses, or has sold or disclosed, Commission
data or information, will result in termination of participation in the Limited
Online Access Program, but the Chief Administrator may, in the Chief
Administrator's sole discretion, allow remediation of the violation by
permitting the Program participant to provide to the Commission a remediation
plan, which the Chief Administrator may accept, modify, or reject, in the Chief
Administrator's sole discretion.
7.
The Commission's decision to terminate participation in the Limited Online
Access Program for any violation of the terms and conditions of a Limited
Online Access Program Agreement or MOU between the Commission and any
subsidiary, related entity, or parent company of the Program participant shall
automatically terminate the Program participant's agreement or MOU with the
Commission.
8. If a Limited Online
Access Program Agreement or MOU between the Commission and any subsidiary,
related entity, or parent company of the Program participant is suspended or
terminated for violation of the terms of that agreement by the end users to
whom the subsidiary, related entity or parent company sells or discloses, or
has sold or disclosed, Commission data and information, the Program
participant's participation in the Limited Online Access Program shall be
indefinitely suspended. The Chief Administrator may, in the Chief
Administrator's sole discretion, allow remediation of the violation by
permitting the subsidiary, related entity, or parent company to provide to the
Commission a remediation plan, which the Chief Administrator may accept,
modify, or reject, in the Chief Administrator's sole discretion.
9. If any combination of the Program
participant's subsidiaries, related entities, parent companies, or end users
violates the terms of the end users' agreements or their agreement with the
Commission or the Program participant, the Commission may terminate the Program
participant's participation in the Limited Online Access Program permanently
with no opportunity for reinstatement. Additionally, if the Program
participant's participation in the Limited Online Access Program was suspended
for a violation or violations by end users of subsidiaries, related entities,
or parent companies to the Program participant, and thereafter reinstated, a
subsequent violation may result in the Program participant's participation in
the Limited Online Access Program being terminated with no opportunity for
reinstatement.
(k)
Application for participation in Commission's Standard Data Files Program.
Applicants for participation in the Commission's Standard Data Files Program
must submit a written request to the Commission that, at a minimum, must
include:
1. The applicant's full name and tax
identification number;
2. Whether
any parent companies, subsidiary companies, or related companies or entities
purchase information from the Commission, and, if so, the name of the company
or entity, the relationship to applicant, and whether the company or entity has
ever been suspended or permanently revoked from purchasing information from the
Commission;
3. Any other names
under which the applicant has done or does business;
4. Whether the owners or principals of the
applicant have ever had their ability to obtain records from the Commission,
State, or any other state or jurisdiction suspended or revoked;
5. Whether the owners, principals, partners,
officers, employees, or agents of the applicant have ever been convicted of a
crime arising out of fraud; violence against another person; improper
use/release of personal information; or relating to fraud in connection with
the sale of a motor vehicle, in this State or any other state or
jurisdiction;
6. The nature of the
applicant's business activity;
7.
Contact information for the applicant;
8. The type of information requested,
identification of all employees that will have access to the requested
information, and whether the applicant will be reselling or redisclosing the
Commission records;
9. If the
applicant will be reselling or redisclosing Commission records, the applicant
must submit a list of clients and a separate document detailing the procedures
and methods applicant will use to monitor the use of the information to ensure
that the applicant's clients comply with the New Jersey DPPA;
10. A completed Motor Vehicle Commission
Technology Questionnaire;
11. The
applicant shall submit a list of all proposed authorized individuals, including
owners, principals, partners, officers of the applicant, and employees or
agents, who will have access to Motor Vehicle Commission records and
information. Applicants shall also submit a signed statement certifying that
criminal history record background checks were performed on all owners,
principals, partners, officers of the applicant, and employees or agents of the
applicant that will have access to Motor Vehicle Commission records and
information. The applicant shall also maintain a signed statement from all
owners, principals, partners, officers of the applicant, and employees or
agents of the applicant that will have access to Motor Vehicle Commission
records and information certifying that they do not have any record of criminal
history as specified at (k)5 above. Any principal, partner, officer of the
applicant, or employee or agent of the applicant who has any record of criminal
history as specified at (k)5 above shall be prohibited from access to Motor
Vehicle Commission records and information. The applicant shall have an ongoing
duty to the Motor Vehicle Commission to provide an updated certified statement
and list of users who will have access to Motor Vehicle Commission records and
information;
12. A certification of
the applicant agreeing to limit its use of all information obtained from the
Commission to the specific permitted purposes set forth by the applicant in its
approved application, the agreement or MOU with the Commission, and pursuant to
the terms of the New Jersey DPPA;
13. The Program participant is strictly
prohibited from using Commission records to conduct surveillance or to
investigate or locate an individual for reasons not specifically related to
motor vehicle activity, including, but not limited to, immigration enforcement,
divorce or domestic disputes, and matchmaking services. If reselling or
redisclosing the data and/or information, the Program participant shall require
the third-parties/end-users to represent in writing to the Program participant
that they agree not to use Commission records to conduct surveillance or to
investigate or locate an individual for reasons not specifically related to
motor vehicle activity, including, but not limited to, immigration enforcement,
divorce disputes, and matchmaking services; and
14. Any additional information the Chief
Administrator may deem necessary.
(l) Program participant agreement or MOU for
the Commission's Standard Data Files Program. If the applicant's application is
approved, the applicant must execute an agreement or MOU with the Commission,
to be reviewed by a member of the Commission's executive staff, and in a form
to be provided by the Commission to be accepted into the Commission's Standard
Data Files Program and become a Program participant. The agreement or MOU may
contain such terms and conditions as deemed necessary by the Commission for the
protection of data and information provided by the Commission. The applicant's
agreement or MOU shall contain, at a minimum, provisions addressing the
following:
1. A description of the information
and data to be provided pursuant to the agreement or MOU;
2. Restrictions upon use of the information
provided pursuant to the agreement or MOU;
3. Confidentiality agreements between the
Commission and the applicant;
4.
Security standards covering data supplied by the Commission, applicant's
hardware, applicant's software, applicant's systems, applicant's data
transmission, applicant's network, and applicant's physical location;
5. Recordkeeping requirements;
6. Records retention requirements;
7. Storage of information and data;
10. Modification and termination
conditions;
11. If the applicant
will be reselling or redisclosing Commission information, the terms under which
that information may be resold, redisclosed, and used by third-parties, and any
restrictions on the resale or redisclosure of information to third parties;
and
12. Such other conditions as
deemed necessary by the Chief Administrator.
(m) Denial, suspension, or revocation of a
Program participant's approval for the Standard Data Files Program shall be as
follows:
1. The Commission may deny, suspend,
or revoke a Program participant's approval to participate in the Standard Data
Files Program for any of the following reasons:
i. The request is incomplete;
ii. The applicant requests residence address
information when not authorized to obtain such information pursuant to statute,
rule, or rule of court;
iii. Based
on the applicant's stated purpose for requesting information, the Commission
determines that the public interest in withholding the information outweighs
the public interest in releasing the information;
iv. The information contained in the
applicant's request is incorrect, false, misleading, or identifies an intended
misuse of the information requested;
v. The applicant, or a representative of the
applicant, was previously a Program participant or a managerial employee of a
Program participant whose approval for participation in the Standard Data Files
Program was revoked for cause and never reissued by the Commission, or was
suspended for cause, and the terms of the suspension are not fulfilled. For the
purposes of this subparagraph, a representative means an owner, principal,
proprietor, limited or general partner, a managerial employee, or a director or
officer active in the management, direction, or control of the business of the
Program participant or a parent, subsidiary or related entity to the Program
participant. A managerial employee is any person who exercises managerial
control over the business of a Program participant;
vi. The Program participant, or any employee
or agent of the Program participant, used information received from the
Commission for a purpose other than the purpose stated in the request of the
Program participant or approved by the Commission;
vii. The Program participant, or any employee
or agent of the Program participant, used information received from the
Commission in violation of the New Jersey DPPA;
viii. The Program participant submitted a
check, draft, money order, or other means of payment to the Commission, that
was thereafter dishonored when presented for payment;
ix. The Program participant failed to pay for
information received from the Commission;
x. The Program participant or any
representative of the Program participant represented to any person that the
Program participant, or such representative, was an officer, agent, or employee
of or otherwise affiliated with the Commission;
xi. The Program participant published any
false or misleading advertising related to the purchase of information from the
Commission;
xii. The Program
participant used the Commission logo in any advertising or other materials used
in the business of the Program participant. The Program participant may not use
the Commission logo in any advertising;
xiii. The Program participant violated any of
the provisions contained in the applicable rules;
xiv. The Program participant has been
convicted of a crime arising out of fraud in connection with the sale of a
motor vehicle in any state, a felony in any state, or a crime involving
violence against another person in any state, or the Program participant is
affiliated with any other Program participant or other requester whose access
to Commission data and information has been, or was, suspended or revoked, and
not reinstated;
xv. The agreement
or MOU between the Commission and the Program participant has expired;
or
xvi. For any other reason
determined to be appropriate by the Commission.
2. The Commission may terminate any Program
participant's approval for the Standard Data Files Program, and any agreement
or MOU with a Program participant in its sole discretion upon 10 days notice to
the Program participant.
3. The
Commission may terminate a Program participant's approval for the Standard Data
Files Program, and any agreement or MOU with a Program participant immediately
and in its sole discretion, if it believes an individual or public health or
individual or public safety may be at risk.
4. The Commission may terminate a Program
participant's approval for the Standard Data Files Program, and any agreement
or MOU with a Program participant if the Program participant or end users are
found to be using Commission records to conduct surveillance or to investigate
or locate an individual, unless pursuant to
N.J.S.A. 39:2-3.4(c)(6), for use by an insurer or
insurance support organization, its agents, employees, or contractors, or by a
self-insured entity, or its agents, employees, or contractors, in connection
with claims investigation activities, antifraud activities, ratings, or
underwriting. For any other purpose involving surveillance, the Program
participant must submit an individual request for the evaluation and
consideration of the Commission.
5.
The Commission may cancel or amend a Program participant's approval for the
Standard Data Files Program, and any agreement or MOU with a Program
participant, if such cancellation or amendment is deemed necessary by the
Commission due to any changed requirement in the law or Commission policy that
would prohibit such access or agreement, or upon a determination by the
Commission that there has been a breach of the integrity or security of the
data or information provided to the Program participant or a failure of the
Program participant to comply with established procedures or legal requirements
relating to the Standard Data Files Program.
6. The Program participant is required to
ensure that all end users comply with all the terms, conditions, and
limitations of the Program participant's agreement or MOU with the Commission
and is required to ensure that its end users use any and all data and
information solely for the permitted purposes set forth in the Program
participant's agreement or MOU with the Commission. A violation of the terms of
the agreement between the Program participant and end users to whom the Program
participant sells or discloses, or has sold or disclosed, Commission data or
information, will result in termination of participation in the Standard Data
Files Program, but the Chief Administrator may, in the Chief Administrator's
sole discretion, allow remediation of the violation by permitting the Program
participant to provide to the Commission a remediation plan, which the Chief
Administrator may accept, modify, or reject, in the Chief Administrator's sole
discretion.
7. The Commission's
decision to terminate participation in the Standard Data Files Program for any
violation of the terms and conditions of a Standard Data Files Program
Agreement or MOU between the Commission and any subsidiary, related entity, or
parent company of the Program participant shall automatically terminate the
Program participant's agreement or MOU with the Commission.
8. If a Standard Data Files Program Agreement
or MOU between the Commission and any subsidiary, related entity, or parent
company of the Program participant is suspended or terminated for violation of
the terms of that agreement or MOU by end users to whom the subsidiary, related
entity, or parent company sells or discloses, or has sold or disclosed,
Commission data and information, the Program participant's participation in the
Standard Data Files Program shall be indefinitely suspended. The Chief
Administrator may, in the Chief Administrator's sole discretion, allow
remediation of the violation by permitting the subsidiary, related entity, or
parent company to provide to the Commission a remediation plan, which the Chief
Administrator may accept, modify, or reject, in the Chief Administrator's sole
discretion.
9. If any combination
of the Program participant's subsidiaries, related entities, parent companies,
or end users violates the terms of the end users' agreements or their agreement
with the Commission or the Program participant, the Commission may terminate
the Program participant's participation in the Standard Data Files Program
permanently with no opportunity for reinstatement. Additionally, if the Program
participant's participation in the Standard Data Files Program was suspended
for a violation or violations by end users of subsidiaries, related entities,
or parent companies to the Program participant, and thereafter reinstated, a
subsequent violation may result in the Program participant's participation in
the Standard Data Files Program being terminated with no opportunity for
reinstatement.
(n)
Program participants enrolled in the Limited Online Access or Standard Data
Files programs shall at all times maintain compliance with
N.J.S.A. 56:8-163, Disclosure of breach of security to
customers.
(o) Program participants
enrolled in the Limited Online Access or Standard Data Files programs shall
develop and implement a cybersecurity program, that reasonably conforms to the
current version of an industry-recognized cybersecurity framework, such as any
of the following, or any combination of the following, subject to required
revisions, if applicable:
1. The Framework for
Improving Critical Infrastructure Cybersecurity developed by the National
Institute of Standards and Technology (NIST);
2. The Center for Internet Security Critical
Security Controls for Effective Cyber Defense publication; or
3. The International Organization for
Standardization and International Electrotechnical Commission 27000
family--information security management systems.
(p) When updates or changes in the form of a
final revision to a framework listed at (o) above is published, a Program
participant shall reasonably conform to the revised framework not later than
one year after the publication date stated in the revision.
