Sponsored by:
Senator LINDA R. GREENSTEIN
District 14 (Mercer and Middlesex)
SYNOPSIS
Requires municipalities, counties, and school districts to report cybersecurity incidents.
CURRENT VERSION OF TEXT
As introduced.
An Act requiring municipalities, counties, and school districts to report certain cybersecurity incidents and supplementing chapter 17B of Title 52 of the Revised Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. As used in this act:
“Cybersecurity incident” means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers or information systems.
“Department” means the Department of Law and Public Safety.
“Governing body" means the body exercising general legislative powers in a county or municipality according to the terms and procedural requirements set forth in the form of government adopted by the county or municipality.
“Information resource” means information and related resources, such as personnel, equipment, funds, and information technology.
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
“New Jersey Cybersecurity and Communications Integration Cell” means the New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order No. 178 of 2015 in the New Jersey Office of Homeland Security and Preparedness, or any successor entity.
“School district” means a local or regional school district established pursuant to chapter 8 or chapter 13 of Title 18A of the New Jersey Statutes, a county special services school district established pursuant to article 8 of chapter 46 of Title 18A of the New Jersey Statutes, a county vocational school district established pursuant to article 3 of chapter 54 of Title 18A of the New Jersey Statutes, and a district under full State intervention pursuant to P.L.1987, c.399 (C.18A:7A-34 et al.).
2. a. The Attorney General, in consultation with the New Jersey Cybersecurity and Communications Integration Cell, shall develop an online cybersecurity incident reporting form on the New Jersey Cybersecurity and Communications Integration Cell’s Internet website, specific for an employee of (1) a governing body of a municipality; (2) a governing body of a county; and (3) a school district.
b. A designated employee of a municipality, county, or school district that has been made aware of a cybersecurity incident shall promptly complete and submit a cybersecurity incident online form developed pursuant to subsection a. of this section if the cybersecurity incident has:
(1) compromised the confidentiality, integrity, availability, or privacy of the billing, communications, data management or information systems, or the information resources thereon, of a municipality, county, or school district where the employee works; or
(2) compromised a municipality’s, county’s, or school district’s industrial control system, if applicable, including monitoring operations, and centralized control systems, that adversely impacted, disabled, or manipulated infrastructure, resulting in loss of service or damage to infrastructure.
c. No later than 30 days after receiving a cybersecurity incident reporting form that has been submitted through the online form developed pursuant to subsection a. of this section, the New Jersey Cybersecurity and Communications Integration Cell shall contract with an independent cybersecurity company to audit the cybersecurity program of the municipality, county, or school district that submitted the form and to audit any actions the municipality, county, or school district took in response to the cybersecurity incident.
d. The audit of a municipality, county, or school district, required pursuant to subsection c. of this section shall be provided by the independent cybersecurity company to the municipality, county, or school district, and shall identify:
(1) cyber threats and vulnerabilities to a municipality, county, or school district;
(2) weaknesses in the municipality’s, county’s, or school district’s cybersecurity program; and
(3) strategies to address those weaknesses as to protect the municipality, county, or school district from the threat of future cybersecurity incidents.
e. The audit required pursuant to subsection c. of this section shall be conducted by a qualified and independent cybersecurity company and shall be paid for by the department.
f. Following an audit required pursuant to subsection c. of this section, the governing body of a municipality or county, or a school district, shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.
3. This act shall take
effect immediately.
STATEMENT
This bill requires municipalities, counties, and school districts, to report cybersecurity incidents.
Under the bill, the Attorney General, in consultation with the New Jersey Cybersecurity and Communications Integration Cell, would develop an online cybersecurity incident reporting form on the New Jersey Cybersecurity and Communications Integration Cell’s Internet website, specific for a designated employee of (1) a governing body of a municipality; (2) a governing body of a county; and (3) a school district; to report a cybersecurity incident.
The bill provides that the online form would be used promptly after the designated employee of a municipality, county, or school district has been made aware of a cybersecurity incident and that cybersecurity incident has:
(1) compromised the confidentiality, integrity, availability, or privacy of the billing, communications, data management or information systems, or the information resources thereon, of a municipality, county, or school district where the employee works; or
(2) compromised a municipality’s, county’s, or school district’s industrial control system, if applicable, including monitoring operations, and centralized control systems, that adversely impacted, disabled, or manipulated infrastructure, resulting in loss of service or damage to infrastructure.
Under the bill, no later than 30 days after receiving a cybersecurity incident that has been submitted through the online form, the New Jersey Cybersecurity and Communications Integration Cell would require an audit of the cybersecurity program of a municipality, county, or school district, and any actions a municipality, county, or school district took in response to the cybersecurity incident.
The bill provides that the audit of a municipality, county, or school district, would identify:
(1) cyber threats and vulnerabilities to a municipality, county, or school district;
(2) weaknesses in a municipality’s, county’s, or school district’s cybersecurity program; and
(3) strategies to address those weaknesses as to protect a municipality, county, or school district from the threat of future cybersecurity incidents.
Under the bill, the audit established would be conducted by a qualified and independent cybersecurity company and would be paid for by the Department of Law and Public Safety.
The bill provides that after the audit is conducted, a governing body of a municipality or county, or a school district, would submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.