New Jersey Gov. Phil Murphy has signed new legislation that will require state agencies and government contractors to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness (NJOHSP) within 72 hours of an incident.
“As we continue to face an evolving threat landscape, we must also adapt the mechanisms in place that safeguard our state,” said Gov. Murphy. “This legislation will bolster New Jersey’s security by expediting cybersecurity incident reporting and increase our resilience through effective communication. We remain committed to equipping our state with the best practices and the strongest defense possible in order to keep our communities safe.”
The governor’s office said the intent of the bill is to “ensure the timely reporting of cybersecurity incidents that jeopardize the confidentiality, integrity or availability of systems and information.” The new bill requires NJOHSP Director Laurie Doran to establish and publish reporting guidelines to facilitate the timely and confidential submission of incident notifications.
“Cyber threats are constantly evolving and, on the rise, not only in New Jersey but throughout the nation and the world,” NJOHSP Director Doran said. “This new cyber incident reporting law will help connect the dots, allowing for effective collective incident response among all stakeholders.”
The new law applies to all state public agencies, as well as government contractors, including municipalities, counties, K-12 public schools, public colleges and universities, and state law enforcement agencies among others. The governor’s office said that the new reporting requirement will take effect immediately.
“In New Jersey alone, thousands of cybercrime cases occur each week, with our schools, hospitals, and police departments among the entities most affected,” said state Sen. Fred Madden. “These public agencies store confidential information about residents, and we must establish procedures to make sure that information is not falling into the wrong hands. With this law in place, our State will have a critical aid to ensure cybercrime cases are not only being reported in a timely manner, but also how many residents are being affected by these attacks and how we can implement ways to prevent them from occurring further.”
The governor’s office said that the quick and consistent cyber incident report mandated under the new law will help NJOHSP’s cybersecurity division, the New Jersey Cybersecurity and Communications Integration Cell, expedite its response and mitigate further incidents while improving visibility and awareness of current cyber trends.
“This legislation is very positive from a cybersecurity perspective,” said NJOHSP Acting Deputy Director and NJCCIC Director Michael Geraghty. “By intaking cybersecurity incident reports, the NJCCIC can provide assistance to the affected public agencies to help them respond and recover from an attack. It also allows the NJCCIC to help prevent further compromises of public agencies by sharing the techniques, tactics, and protocols the attackers used and the best practices to thwart them.”