LEGISLATIVE FISCAL ESTIMATE

[Second Reprint]

ASSEMBLY, No. 4825

STATE OF NEW JERSEY

219th LEGISLATURE

 

DATED: MARCH 24, 2021

 

 

SUMMARY

 

Synopsis:

Revises cybersecurity, asset management, and related reporting requirements in “Water Quality Accountability Act.”

Type of Impact:

Annual State and local expenditure increases.

Agencies Affected:

Department of Environmental Protection, Board of Public Utilities, Office of Homeland Security and Preparedness, certain municipalities, and municipal and regional water authorities.

 

 

Office of Legislative Services Estimate

Fiscal Impact

Year 1 

Year 2 

Year 3 

 

State Expenditure Increase

Indeterminate

 

Local Expenditure Increase

Indeterminate

 

 

 

 

·         The Office of Legislative Services (OLS) determines that this bill would lead to an indeterminate annual expenditure increase for publicly-owned water purveyors—including State entities, certain municipalities, and municipal and regional water authorities—since it increases the cybersecurity, asset management, and reporting requirements for water purveyors under the "Water Quality Accountability Act" (WQAA).  The OLS cannot quantify this increase due to the unavailability of information about the cost of the new requirements, or the extent of water purveyors' existing cybersecurity programs and asset management plans.  However, one significant expenditure imposed by the bill is the requirement that water purveyors obtain cybersecurity insurance policies.  A large water purveyor might expect to pay around $10,000 annually for such a policy, according to information provided to the OLS by a private water purveyor.

 

·         The bill would also result in indeterminate annual State expenditure increases by imposing additional administrative tasks on the Department of Environmental Protection (DEP), the Board of Public Utilities (BPU), and the Office of Homeland Security and Preparedness (OHSP).  The most significant increase would likely result from the requirement that the DEP audit, or cause to be audited, at least 10 percent of public community water systems annually for compliance with the provisions of the WQAA.  Depending on the manner in which the DEP conducts these audits, this may require the hiring of additional staff or entering into a contract with a private engineering firm.  The OLS notes that the bill authorizes the DEP to require a water purveyor to pay the costs of such an audit, but it is unclear under what circumstances it would do so.

 

 

BILL DESCRIPTION

 

      This bill would revise the cybersecurity, asset management, and reporting requirements for water purveyors under the WQAA, and increase the oversight responsibilities of the DEP, BPU, and OHSP in relation to the WQAA.

      Regarding cybersecurity, the bill would require each water purveyor in the State to obtain a cybersecurity insurance policy.  The bill would also require water purveyors to update their cybersecurity programs to meet new requirements within 180 days after its effective date.  These new requirements include updating cybersecurity programs to apply to all of the public community water system’s industrial control systems, conforming the programs to the most recent version of certain industry-recognized cybersecurity frameworks, and annually certifying compliance with these requirements to the DEP, BPU, and OHSP.  The bill also would remove, from existing law, the exemption from cybersecurity-related requirements for water purveyors that do not have an internet-connected control system.

      The bill would require the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the OHSP to cause to be audited, for compliance with the cybersecurity provisions of the WQAA, any public community water system that fails to submit its cybersecurity program, any revision to the program, or its cybersecurity certification.  In addition, the bill would require the NJCCIC, no later than 30 days after receiving a report of a cybersecurity incident from a water purveyor, to cause to be audited the water purveyor’s cybersecurity program and any actions the water purveyor took in response to the cybersecurity incident.  Under the bill, cybersecurity audits would be conducted by a qualified and independent cybersecurity company at the water purveyor’s expense.

      Regarding asset management, the bill would require water purveyors, within 18 months after  the effective date of the bill, to revise their asset management plans to include: (1) a comprehensive inventory, mapping, and evaluation of the condition of certain types of the public community water system’s assets; (2) level of service goals for the public community water system based upon industry standards; (3) a priority order in which the public community water system’s assets will be repaired or replaced as part of the water purveyor’s asset management plan; and (4) a long-term funding strategy to implement the water purveyor’s asset management plan.

      Regarding reporting, the bill would require each water purveyor to submit to the DEP a detailed annual report on its asset management plan, which would identify: (1) the infrastructure improvements completed in the past year and the cost of those improvements; (2) the infrastructure improvements generally planned to be undertaken in the next 3 years and the estimated cost of those improvements; and (3) the infrastructure improvements that  may be required over the next 10 years and the estimated cost of those improvements.  Compliance with these reporting requirements could also be demonstrated through the completion of a detailed, comprehensive planning study, facility master planning study, or other long-range planning study. 

      The bill would require the DEP to annually audit, or cause to be audited, for compliance with the requirements of the WQAA a random selection of at least 10 percent of all public community water systems in the State.  In addition, the bill would require the DEP to audit, or cause to be audited, any public community water system that fails to submit the certification required pursuant to section 6 of the WQAA.  The bill also would require the DEP to develop and publish on its website a report card for each water purveyor in the State indicating the water purveyor’s compliance with certain State and federal laws, and to conduct an assessment of certain data submitted by water purveyors under the WQAA.

      Finally, the bill would require the DEP and the BPU to adopt rules and regulations to implement the WQAA.  In addition to this general directive to adopt rules, the bill specifically requires the DEP to adopt rules implementing certain new asset management plan requirements and establishing a schedule of civil administrative penalties for violations of the WQAA, and clarifies that the BPU is to adopt its water purveyor cybersecurity program requirements as rules.

 

 

FISCAL ANALYSIS

 

EXECUTIVE BRANCH

 

      None received.

 

OFFICE OF LEGISLATIVE SERVICES

 

      The OLS determines that this bill would lead to an indeterminate annual expenditure increase for publicly-owned water purveyors—including State entities, certain municipalities, and municipal and regional water authorities—since it increases the cybersecurity, asset management, and reporting requirements for water purveyors under the WQAA.  The OLS cannot quantify this increase due to the unavailability of information about the cost of the new requirements, or the extent of water purveyors' existing cybersecurity programs and asset management plans.  The OLS notes that there are about 300 government and privately-owned water purveyors in the State to which the requirements of this bill will apply.

      One significant expenditure imposed by the bill is the requirement that water purveyors obtain cybersecurity insurance policies.  A large water purveyor might expect to pay around $10,000 annually for such a policy, according to information provided to the OLS by a private water purveyor.  In addition, the bill would require water purveyors to update their cybersecurity programs to conform to certain industry standards and to certify this update to the State.  Certain water purveyors may already have cybersecurity plans that conform to the industry standards, in which case they would only face the marginal costs associated with certifying their plans.  Other water purveyors may need to update their programs, which may require outside consultants and additional expenditures.  The bill would also remove from existing law an exemption from cybersecurity-related requirements for water purveyors that do not have internet-connected control systems.  Consequently, additional water purveyors may need to conform to the cybersecurity regulations in this bill and the WQAA.  However, it is uncertain how many water purveyors are in this situation.

      The bill would require water purveyors to revise their asset management plans to include detailed information about the water system's infrastructure, level of service goals, priorities for replacing infrastructure, and a long-term funding strategy to implement the plan. The bill would also require a water purveyor to complete and submit to the State a more detailed report on its asset management plan than is currently required under the WQAA, or to, alternatively, conduct certain comprehensive planning studies.  Certain water purveyors may already have completed an asset management plan or comprehensive planning study that meets the new requirements or be prepared to complete the more detailed report.  However, for those that are not, complying with these provisions may require the use of outside consultants.

      The OLS also determines that the bill would result in indeterminate annual State expenditure increases by imposing additional administrative tasks on the DEP, the BPU, and the OHSP.  The most significant increase would likely result from the requirement that the DEP audit, or cause to be audited, at least 10 percent of public community water systems annually for compliance with the provisions of the WQAA.  Depending on the manner in which the DEP conducts these audits, this may require the hiring of additional staff or entering into a contract with a private engineering firm.  The OLS notes that the bill authorizes the DEP to require a water purveyor to pay the costs of such an audit, but it is unclear under what circumstances it will do so.  Additional annual expenditure increases will likely result from other provisions of the bill that increase oversight related to the WQAA, including a provision that requires the DEP and BPU to adopt rules and regulations to implement the WQAA.  However, these tasks may be able to be subsumed within the duties of existing staff.

      Finally, the OLS notes that the bill makes persons who violate a provision of the WQAA subject to the administrative penalties set forth in the "Safe Drinking Water Act."  However, the OLS does not anticipate a significant revenue increase to the State as a result of this provision.

 

 

Section:

Environment, Agriculture, Energy, and Natural Resources

Analyst:

Eric Hansen

Associate Research Analyst

Approved:

Thomas Koenig

Legislative Budget and Finance Officer

 

 

This legislative fiscal estimate has been produced by the Office of Legislative Services due to the failure of the Executive Branch to respond to our request for a fiscal note.

 

This fiscal estimate has been prepared pursuant to P.L.1980, c.67 (C.52:13B-6 et seq.).