ASSEMBLY HOMELAND SECURITY AND STATE PREPAREDNESS COMMITTEE

STATEMENT TO

[First Reprint]

SENATE, No. 297

STATE OF NEW JERSEY

DATED:  JANUARY 19, 2023

      The Assembly Homeland Security and State Preparedness Committee reports favorably Assembly Bill No. 297 (1R).

      As reported by the committee, Senate Bill No. 297 (1R) requires public agencies and government contractors in this State to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness. 

      Under the bill, the report is to be made within 72 hours of when the public agency or government contractor reasonably believes that a cybersecurity incident has occurred.  Private entities are permitted to submit reports to the office.

      In addition, under the bill, the Director of the New Jersey Office of Homeland Security and Preparedness is required to establish cyber incident reporting capabilities to facilitate submission of timely, secure, and confidential cybersecurity notifications from public agencies, government contractors, and private entities.

     The bill further provides that any cybersecurity incident notification submitted to the New Jersey Office of Homeland Security and Preparedness pursuant to the bill’s provisions is confidential and exempt from the provisions of the law commonly known as the open public records act, as well as from evidentiary and subpoena purposes except legislative subpoenas.  The office, however, may anonymize and share cyber threat indicators and relevant defensive measures to help prevent additional or future attacks and share cybersecurity incident notifications with relevant law enforcement authorities.

     Further, under the provisions of the bill, the office is required to develop privacy and protection procedures, which are to be based on procedures outlined in the federal Cybersecurity Information Sharing Act of 2015. 

     The bill also requires the office to submit an annual report to the Governor and the Legislature which is to include, at a minimum, information on the number of notifications received and a description of the cybersecurity incident types and associated mitigating measures taken during the one-year period preceding the publication of the report; the categories of public agencies and government contractors that submitted cybersecurity reports; and any other information required in the submission of a cybersecurity incident notification, noting any changes from the report published in the previous year.

     As reported by the committee, Senate Bill No. 297 (1R) is identical to Assembly Bill No. 493, which was amended and also reported by the committee on this date.