ASSEMBLY HOMELAND SECURITY AND STATE PREPAREDNESS COMMITTEE

 

STATEMENT TO

 

ASSEMBLY, No. 493

 

with committee amendments

 

STATE OF NEW JERSEY

 

DATED:  JANUARY 19, 2023

 

      The Assembly Homeland Security and State Preparedness Committee reports favorably Assembly Bill No. 493 with committee amendments.

      As amended and reported by the committee Assembly Bill No. 493 requires public agencies and government contractors in this State to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness. 

      Under the amended bill, the report is to be made within 72 hours of when the public agency or government contractor reasonably believes that a cybersecurity incident has occurred.  Private entities are permitted to submit reports to the office.

      In addition, under the amended bill, the Director of the New Jersey Office of Homeland Security and Preparedness is required to establish cyber incident reporting capabilities to facilitate submission of timely, secure, and confidential cybersecurity notifications from public agencies, government contractors, and private entities.

     The amended bill further provides that any cybersecurity incident notification submitted to the New Jersey Office of Homeland Security and Preparedness pursuant to the bill’s provisions is confidential and exempt from the provisions of the law commonly known as the open public records act, as well as from evidentiary and subpoena purposes except legislative subpoenas.  However, under the amended bill, the office may anonymize and share cyber threat indicators and relevant defensive measures to help prevent additional or future attacks and share cybersecurity incident notifications with relevant law enforcement authorities.

     Further, under the provisions of the amended bill, the office is required to develop privacy and protection procedures, which are to be based on procedures outlined in the federal Cybersecurity Information Sharing Act of 2015. 

     The amended bill also requires the office to submit an annual report to the Governor and the Legislature which is to include, at a minimum, information on the number of notifications received and a description of the cybersecurity incident types and associated mitigating measures taken during the one-year period preceding the publication of the report; the categories of public agencies and government contractors that submitted cybersecurity reports; and any other information required in the submission of a cybersecurity incident notification, noting any changes from the report published in the previous year.

      This bill was prefiled for introduction in the 2022-2023 session pending technical review.  As reported, the bill includes the changes required by technical review, which has been performed.

      As amended and reported by the committee, Assembly Bill No. 493 is identical to Senate Bill No, 297 (1R) which also was reported to the committee on this date.

 

COMMITTEE AMENDMENTS

      The committee amended the bill to:

      1)   require every public agency and government contractor to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness;

      2)   require the report to be made within 72 hours of when the public agency or government contractor reasonably believes that a cybersecurity incident has occurred; and

      3)   make other clarifying and technical changes.