SENATE, No. 4036

STATE OF NEW JERSEY

219th LEGISLATURE
INTRODUCED NOVEMBER 4, 2021
Sponsored by:

Senator LINDA R. GREENSTEIN

District 14 (Mercer and Middlesex)
SYNOPSIS

     Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.
CURRENT VERSION OF TEXT

     As introduced.
An Act requiring certain businesses to report cybersecurity incidents and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).
     Be It Enacted by the Senate and General Assembly of the State of New Jersey:
     1.    As used in this act:

     “Cybersecurity incident” means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers, or information systems.

     “Industrial control system” means an information system used to control industrial processes such as manufacturing, product handling, production, or distribution.  “Industrial control system” includes supervisory control and data acquisition systems used to control geographically dispersed assets, and distributed control systems and smaller control systems using programmable logic controllers to control localized processes.

     “Information resource” means information and related resources, such as personnel, equipment, funds, and information technology.

     “Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

     “New Jersey Cybersecurity and Communications Integration Cell” means the New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order No. 178 of 2015 in the New Jersey Office of Homeland Security and Preparedness, or any successor entity.

     “Sensitive business” means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution, that is engaged in the financial, essential infrastructure, or healthcare industries and does business in this State.
     2.    a.     A sensitive business shall report to the New Jersey Cybersecurity and Communications Integration Cell, promptly after an employee is made aware of a cybersecurity incident, and in accordance with all applicable laws, rules, and regulations:

     (1)   any cybersecurity incident that results in the compromise of the confidentiality, integrity, availability, or privacy of the sensitive business’ billing, communications, data management, or business information systems, or the information thereon; and

     (2)   any cybersecurity incident against the sensitive business’ industrial control system, if applicable, including monitoring, operations, and centralized control systems, that adversely impacts, disables, or manipulates infrastructure, resulting in loss of service or damage to infrastructure.

     b.    No later than 30 days after receiving a report of a cybersecurity incident from a sensitive business pursuant to subsection a. of this section, the New Jersey Cybersecurity and Communications Integration Cell shall cause to be audited the sensitive business’ cybersecurity program and any actions the sensitive business took in response to the cybersecurity incident.  The audit shall identify cyber threats and vulnerabilities to the sensitive business, weaknesses in the sensitive business’ cybersecurity program, and strategies to address those weaknesses so as to protect the sensitive business from the threat of future cybersecurity incidents. The audit shall be conducted by a qualified and independent cybersecurity company, at the sensitive business’ expense.  Following the audit, the sensitive business shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.
     3.    This act shall take effect on the 90th day after the date of enactment.
STATEMENT
     This bill would require sensitive businesses to report certain cybersecurity incidents promptly to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). For the purposes of this bill, a “cybersecurity incident” means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers, or information systems. The bill would direct the NJCCIC to audit the relevant business no later than 30 days after being made aware of an incident. Cybersecurity audits would be conducted by a qualified and independent cybersecurity company at the sensitive business’ expense.