ASSEMBLY APPROPRIATIONS COMMITTEE
STATEMENT TO
[Third Reprint]
SENATE COMMITTEE SUBSTITUTE FOR
SENATE, No. 647
with committee amendments
STATE OF NEW JERSEY
DATED: MARCH 17, 2021
The Assembly Appropriations Committee reports favorably Senate Bill No. 647 SCS (3R), with committee amendments.
As amended, this bill would revise the cybersecurity, asset management, and reporting requirements for water purveyors under the "Water Quality Accountability Act" (WQAA), P.L.2017, c.133 (N.J.S.A.58:31-1 et seq.), and increase the oversight responsibilities of the Department of Environmental Protection (DEP) and the Office of Homeland Security and Preparedness in relation to the WQAA. The bill would also provide that the WQAA applies to “public community water systems” instead of “public water systems,” as those terms are defined in the “Safe Drinking Water Act,” P.L.1977, c.224 (N.J.S.A.58:12A-1 et seq.).
Specifically, the bill would require water purveyors to update their cybersecurity programs to meet new requirements within 180 days after enactment of the bill into law. These new requirements include updating cybersecurity programs to apply to all of the public water system’s industrial control systems, reasonably conforming these programs to the most recent version of certain industry-recognized cybersecurity frameworks, and annually certifying compliance with these requirements. The bill would also direct the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the Office of Homeland Security and Preparedness to formulate additional requirements for cybersecurity programs. The bill would require water purveyors to submit their cybersecurity plans and revisions to the NJCCIC. The bill would direct the NJCCIC to audit any water purveyor that fails to submit a cybersecurity plan. The bill would remove, from existing law, an exemption from cybersecurity-related requirements of the WQAA for water purveyors that do not have an internet-connected control system. The bill would also require water purveyors to obtain a cybersecurity insurance policy.
In addition, the bill would require water purveyors to report certain cybersecurity incidents (i.e. data breaches and computer hacking) promptly to the NJCCIC. The bill would direct the NJCCIC to audit the relevant public community water system no later than 30 days after being made aware of an incident. Cybersecurity audits would be conducted by a qualified and independent cybersecurity company at the water purveyor’s expense.
The bill would require the DEP to annually audit, or cause to be audited, a random selection of at least 10 percent of all public community water systems in the State for compliance with the requirements of the WQAA. The DEP would also be required to audit, or cause to be audited, any public community water system that fails to submit the certification required pursuant to section 6 of the WQAA (N.J.S.A.58:31-6). If the DEP finds that a water purveyor has made a false or misleading statement in the certification, the DEP would forward the matter to the Attorney General for further investigation and, if necessary, criminal prosecution or other appropriate relief.
The WQAA currently requires water purveyors to develop a water main replacement program designed to achieve a replacement cycle of either 150-years or another appropriate duration, as determined by a detailed engineering analysis. This bill would modify this requirement to provide that the DEP may determine an appropriate replacement cycle. Additionally, the bill requires each water purveyor, within one year after enactment of the bill into law and every year thereafter, to submit to the DEP and the Board of Public Utilities (BPU), if applicable, a more detailed report based on its asset management plan than currently required by the WQAA. This report would identify: (1) the infrastructure improvements completed in the past year and the cost of those improvements; (2) the infrastructure improvements planned to be undertaken in the next three years and the estimated cost of those improvements; and (3) the infrastructure improvements that will be required over the next 10 years and the estimated cost of those improvements. A water purveyor would be required to provide, upon request, a copy of its asset management plan to the DEP, the BPU, or the Division of Local Government Services in the Department of Community Affairs.
The bill would also require water purveyors, within 18 months after enactment of the bill into law, to revise their asset management plans to include: (1) a comprehensive inventory, mapping, and condition assessment of the public water system’s assets; (2) level of service goals for the public water system; (3) a priority order in which the public water system’s assets will be repaired or replaced as part of the water purveyor’s asset management plan; and (4) a long-term funding strategy to implement the water purveyor’s asset management plan. Compliance may be demonstrated through the submission of evidence of completion of a detailed, comprehensive planning study, facility master planning study, or other long range planning study that is intended for use in developing three- and ten-year capital improvement plans. A water purveyor’s detailed comprehensive planning study, facility master planning study, or other long range planning study submitted pursuant to these requirements would not be considered a government record and would not be made available for public inspection.
The bill would provide that violations of the WQAA are to be subject to the same penalties as violations of the "Safe Drinking Water Act." The bill would direct the DEP, no later than 18 months after the effective date of the bill, to adopt, pursuant to the “Administrative Procedure Act,” a schedule of civil administrative penalties for specific violations of the WQAA.
The bill would also require the DEP to develop and publish on its Internet website an annual report card for each water purveyor in the State, indicating the water purveyor’s compliance with federal and State drinking water quality standards, its compliance with the requirements of the WQAA, and any other factors the DEP deems appropriate. The bill also requires the DEP, within 18 months after enactment and every three years thereafter, to submit a report to the Governor and the Legislature, which includes an analysis of the Statewide estimated cost of infrastructure improvements to water purveyors required over the next 10 years and an assessment of the compliance of public water systems with the requirements of the WQAA.
Finally, the bill would modify certain valve inspection, fire hydrant identification, and record keeping requirements of the WQAA, as set forth in section 12 of the bill.
As amended by the committee, this bill is identical to Assembly Bill No. 4825 (1R), as also amended by the committee.
COMMITTEE AMENDMENTS:
The committee amendments to the bill:
(1) clarify that the auditing authority provided to the DEP under the bill would not limit the fiscal oversight authority granted, under current law, to the Division of Local Government Services in the Department of Community Affairs; and
(2) require certain municipalities, counties, and authorities that have capital programs extending beyond three years to identify, in their annual reports to the DEP on their asset management plans, the infrastructure improvements to be undertaken pursuant to their asset management plans in the remaining years of their capital programs, along with the actual or estimated cost of the improvements.
FISCAL IMPACT:
The Office of Legislative Services (OLS) determines that this bill would lead to an indeterminate annual expenditure increase for publicly-owned water purveyors—including State entities, certain municipalities, and municipal and regional water authorities—since it increases the cybersecurity, asset management, and reporting requirements for water purveyors under the "Water Quality Accountability Act" (WQAA). The OLS cannot quantify this increase due to the unavailability of information about the cost of the new requirements, or the extent of water purveyors' existing cybersecurity programs and asset management plans. However, one significant expenditure imposed by the bill is the requirement that water purveyors obtain cybersecurity insurance policies. A large water purveyor might expect to pay around $10,000 annually for such a policy, according to information provided to the OLS by a private water purveyor.
The bill would also result in indeterminate annual State expenditure increases by imposing additional administrative tasks on the Department of Environmental Protection (DEP), the Board of Public Utilities (BPU), and the Office of Homeland Security and Preparedness (OHSP). The most significant increase would likely result from the requirement that the DEP audit, or cause to be audited, at least 10 percent of public community water systems annually for compliance with the provisions of the WQAA. Depending on the manner in which the DEP conducts these audits, this may require the hiring of additional staff or entering into a contract with a private engineering firm. The OLS notes that the bill authorizes the DEP to require a water purveyor to pay the costs of such an audit, but it is unclear under what circumstances it would do so.