If your business discovers a data breach, the clock starts immediately. New Jersey's data breach notification law (N.J.S.A. 56:8-163) requires you to notify affected residents "in the most expedient time possible and without unreasonable delay." There is no explicit 72-hour deadline written into the statute, but regulators and courts interpret that language strictly, and waiting too long exposes you to enforcement actions, lawsuits, and reputational damage that can be far worse than the breach itself.

Here is what you need to do, hour by hour, to stay compliant and protect your business.

Hour 0-4: Contain the Breach and Activate Your Response Team

The first few hours are about stopping the bleeding. Do not start notifying anyone yet. You need to understand what happened before you can accurately describe it.

Isolate affected systems. Disconnect compromised machines from the network, but do not power them off. Forensic evidence lives in memory, and shutting down a server can destroy the information you need to understand the scope of the breach.

Activate your incident response plan. If you have one, pull it out now. If you do not, this is the painful lesson that makes you build one after this is over. Your response team should include IT leadership, legal counsel, your managed IT provider, and an executive decision-maker.

Preserve all logs and evidence. Screenshot active sessions, export firewall logs, and document everything you observe. Courts and regulators will want to see a timeline. If you cannot produce one, it looks like you were not paying attention.

Do not make this mistake: Many businesses try to "fix everything" before telling anyone. This instinct is understandable but dangerous. You need to contain the breach, not erase evidence of it. Wiping and reimaging compromised systems before a forensic review can destroy your ability to determine what data was actually exposed, which directly affects your notification obligations.

Hour 4-24: Determine the Scope and Legal Obligations

Once the breach is contained, your next job is figuring out exactly what was compromised. New Jersey's law covers "personal information," which includes combinations of a resident's name plus any of the following: Social Security number, driver's license number, account numbers with access codes, or usernames with passwords.

Conduct a preliminary forensic assessment. Identify which systems were accessed, what data those systems contained, and how many records may be affected. If you work with a managed IT services provider, they should be leading this assessment with you.

Engage legal counsel. Your attorney needs to be involved from day one. They will help you determine whether the compromised data triggers notification requirements under New Jersey law, and potentially under other state laws if you have customers outside NJ. Every state has its own breach notification statute, and if you hold data on residents of multiple states, you may need to comply with several of them simultaneously.

Determine whether law enforcement should be contacted. If the breach appears to involve criminal activity such as ransomware, unauthorized access, or theft of credentials, contact the FBI's Internet Crime Complaint Center (IC3) or your local FBI field office. In some cases, law enforcement may ask you to delay notification briefly to avoid tipping off the attacker, and New Jersey's law does allow for that.

Hour 24-48: Draft Your Notification and Prepare for Disclosure

By now you should have a reasonable understanding of what happened, what data was exposed, and who is affected. It is time to start drafting your notification.

New Jersey requires specific content in your notification. At minimum, you need to describe what happened, what information was involved, what you are doing about it, and what steps the affected individual can take to protect themselves. The notification must be written in plain language, not legal jargon.

Decide on your notification method. The law allows written notice (postal mail), electronic notice (if you have a prior relationship and consent), or substitute notice if the cost of direct notification exceeds $250,000, more than 500,000 people are affected, or you do not have sufficient contact information. Substitute notice requires email notification, conspicuous website posting, and notification to major statewide media.

Prepare to notify the New Jersey State Police. If the breach affects more than 1,000 residents, you must also notify the NJ Division of State Police. For breaches involving Social Security numbers, you must also offer affected individuals at least one year of identity theft prevention services at no cost.
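To make the triggers and thresholds from the last two sections concrete, here is a small decision helper, added for this article rather than taken from it. It encodes the "personal information" definition, the substitute-notice thresholds, the State Police threshold, the identity-theft-services rule for Social Security numbers, and the encryption safe harbor discussed in the FAQ below; the `Breach` fields and function names are assumptions, and the output is a checklist for counsel to confirm, not legal advice.

```python
"""Breach notification triage using the N.J.S.A. 56:8-163 thresholds stated in this article.
Added example (not the article's own code); field names and function names are assumed."""
from dataclasses import dataclass

# Data elements that, combined with a resident's name, make up "personal information".
TRIGGER_ELEMENTS = {"ssn", "drivers_license", "account_number_with_code", "username_with_password"}


@dataclass
class Breach:
    nj_residents: int              # affected New Jersey residents
    elements: set                  # compromised data elements, e.g. {"name", "ssn"}
    encrypted: bool = False        # data was encrypted
    key_compromised: bool = False  # encryption key was also exposed
    direct_notice_cost: float = 0.0
    contact_info_available: bool = True


def notification_required(b: Breach) -> bool:
    """Name plus at least one trigger element, not covered by the encryption safe harbor."""
    if "name" not in b.elements or not (b.elements & TRIGGER_ELEMENTS):
        return False
    if b.encrypted and not b.key_compromised:
        return False  # safe harbor; counsel must still confirm the encryption was adequate
    return b.nj_residents > 0


def notification_method(b: Breach) -> str:
    """Substitute notice is allowed above the cost/headcount thresholds or without contact info."""
    if b.direct_notice_cost > 250_000 or b.nj_residents > 500_000 or not b.contact_info_available:
        return "substitute"  # email + conspicuous website posting + statewide media
    return "direct"          # postal mail, or electronic notice with prior relationship and consent


def obligations(b: Breach) -> list:
    """Checklist of notification duties for this breach, empty if none are triggered."""
    if not notification_required(b):
        return []
    duties = [f"notify affected residents ({notification_method(b)} notice)"]
    if b.nj_residents > 1000:
        duties.append("notify NJ Division of State Police")
    if "ssn" in b.elements:
        duties.append("offer at least one year of identity theft prevention services")
    return duties


if __name__ == "__main__":
    # Constructed scenario: 1,200 residents, names plus Social Security numbers, unencrypted.
    for duty in obligations(Breach(nj_residents=1200, elements={"name", "ssn"})):
        print("-", duty)
```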

Hour 48-72: Execute Notifications and Document Everything

Send notifications. Get them out the door. Every day you wait increases your legal exposure and erodes trust with your customers. Do not let perfect be the enemy of good. Your notification does not need to contain every forensic detail. It needs to be accurate, timely, and helpful.

Notify your cyber insurance carrier. If you carry cyber insurance (and in 2026, you should), contact your carrier immediately. Most policies have strict notification windows, and failing to notify promptly can void your coverage. Your carrier may also provide access to breach response vendors, legal counsel, and public relations support that are covered under your policy.

Document your entire response timeline. Create a detailed log of every action taken, every decision made, and the reasoning behind it. This documentation serves two purposes: it demonstrates good faith to regulators if your response is scrutinized, and it becomes the foundation for improving your incident response plan going forward.

What Happens If You Do Not Comply

New Jersey takes breach notification seriously. The Attorney General's office has enforcement authority under the Consumer Fraud Act, which carries penalties of up to $10,000 per violation for a first offense and up to $20,000 for subsequent offenses. In a breach affecting thousands of residents, those numbers add up fast.

Beyond fines, the reputational damage is often worse. Customers expect you to handle their data responsibly. A delayed or botched notification signals that you either did not know you were breached (which means your security was inadequate) or you knew and tried to hide it (which is worse).

How to Prepare Before a Breach Happens

The businesses that handle breaches well are the ones that prepared in advance. Here is what you should have in place today.

A written incident response plan that names specific people, defines roles, and includes contact information for legal counsel, your IT provider, your insurance carrier, and law enforcement.

Regular security assessments that identify where personal information is stored, who has access, and whether your cybersecurity defenses are adequate for the threats you actually face.

Employee training so your team knows how to recognize a potential breach and who to contact. Most breaches are discovered by employees who notice something unusual, but only if they know what unusual looks like and feel empowered to report it.

Tested backups and a recovery plan so that a breach does not also become an extended outage. Your compliance program should include regular testing of your ability to restore operations after an incident.

Frequently Asked Questions

Does New Jersey have a specific deadline for breach notification?

No exact number of days is specified in the statute. The law requires notification "in the most expedient time possible and without unreasonable delay." In practice, regulators expect notification within days, not weeks. The 72-hour framework we recommend is based on what regulators and courts have considered reasonable in enforcement actions. Waiting longer than that without a legitimate reason, such as a law enforcement request, puts you at significant risk.

Do I need to notify the state if only a few records were compromised?

The notification requirement applies regardless of the number of records. If even one New Jersey resident's personal information was compromised, you must notify that individual. The requirement to also notify the NJ State Police kicks in when more than 1,000 residents are affected.

What if encrypted data was breached?

New Jersey's law includes a safe harbor for encrypted data. If the breached information was encrypted and the encryption key was not also compromised, you may not be required to notify. However, this determination should be made carefully with legal counsel, because regulators will scrutinize whether your encryption implementation was actually adequate.