SENATE LAW AND PUBLIC SAFETY COMMITTEE

STATEMENT TO

SENATE, No. 297

with committee amendments

STATE OF NEW JERSEY

DATED:  MARCH 21, 2022


      The Senate Law and Public Safety Committee reports favorably Senate Bill No. 297, with committee amendments.

      As amended and reported by the committee, this bill requires public agencies and government contractors in this State to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness. 

      Under the amended bill, the report is to be made within 72 hours of when the public agency or government contractor reasonably believes that a cybersecurity incident has occurred.  Private entities are permitted to submit reports to the office.

      In addition, under the amended bill, the Director of the New Jersey Office of Homeland Security and Preparedness is required to establish cyber incident reporting capabilities to facilitate submission of timely, secure, and confidential cybersecurity notifications from public agencies, government contractors, and private entities.

      The amended bill further provides that any cybersecurity incident notification submitted to the New Jersey Office of Homeland Security and Preparedness pursuant to the bill’s provisions is confidential and exempt from the provisions of the law commonly known as the open public records act, as well as from evidentiary and subpoena purposes except legislative subpoenas.  However, under the amended bill, the office may anonymize and share cyber threat indicators and relevant defensive measures to help prevent additional or future attacks and share cybersecurity incident notifications with relevant law enforcement authorities.

      Further, under the provisions of the amended bill, the office is required to develop privacy and protection procedures, which are to be based on procedures outlined in the federal Cybersecurity Information Sharing Act of 2015.

      The amended bill also requires the office to submit an annual report to the Governor and the Legislature which is to include, at a minimum, information on the number of notifications received and a description of the cybersecurity incident types and associated mitigating measures taken during the one-year period preceding the publication of the report; the categories of public agencies and government contractors that submitted cybersecurity reports; and any other information required in the submission of a cybersecurity incident notification, noting any changes from the report published in the previous year.

      This bill was pre-filed for introduction in the 2022-2023 session pending technical review.  As reported, the bill includes the changes required by technical review, which has been performed.

COMMITTEE AMENDMENTS:

      The committee amended the bill to:

      1)   require every public agency and government contractor to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness;

      2)   require the report to be made within 72 hours of when the public agency or government contractor reasonably believes that a cybersecurity incident has occurred; and

      3)   make other clarifying and technical changes.