On March 13, 2023, the New Jersey Legislature approved S297/A493 (the “Act”). The Act takes effect immediately and requires that every public agency and government contractor report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness (“NJOHSP”) within 72 hours of when the public agency or government contractor “reasonably believes that a cybersecurity incident has occurred.”
Who is required to report cybersecurity incidents under the Act?
- Public Agencies, defined as: any public agency of the State or any political subdivision thereof including municipalities, counties, Kindergarten-12th grade public schools, public colleges and universities and State law enforcement agencies.
- Government Contractors, defined as: an individual or entity that performs work for or on behalf of a public sector institution on a contract basis with access to or hosting of the public agency’s network, systems, applications, or information.
What is a cybersecurity incident?
The Act defines a “cybersecurity incident” as a malicious or suspicious event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of an information system or the information the system processes, stores, or transmits.
When must cybersecurity incidents be reported?
Within 72 hours of “reasonable belief” that a cybersecurity incident has occurred
Where must reports be made?
The Act requires NJOHSP to 1) establish reporting capabilities and; 2) post instructions for submitting the incidents on its website within 90 days of the effective date.
While the legislation takes effect immediately, it does not provide any guidance for how reports should be submitted to NJOHSP in the 90 days between the effective date and when NJOSHP must have a system in place on its website. However, NJOSHP’s website already references the Act above its reporting function: https://www.cyber.nj.gov/report/
What must be included in the report?
NJOHSP has not yet promulgated reporting instructions.
Will reports under the Act be subject to OPRA?
No. Any reports submitted to the NJ Office of Homeland Security and Preparedness will be confidential, non-public, not subject to OPRA, not discoverable in civil or criminal actions, or subject to subpoena unless the subpoena is issued by the NJ State Legislature and is “deemed necessary for the purposes of legislative oversight.”
Connell Foley is proud to be designated an authorized Breach Coach® firm by NetDiligence®.