SENATE, No. 3645

STATE OF NEW JERSEY

220th LEGISLATURE

INTRODUCED FEBRUARY 27, 2023

Sponsored by:

Senator  JEAN STANFIELD

District 8 (Atlantic, Burlington and Camden)

Senator  LINDA R. GREENSTEIN

District 14 (Mercer and Middlesex)

SYNOPSIS

     Requires New Jersey Cybersecurity and Communications Integration Cell to study cybersecurity infrastructure and establish cybersecurity guidelines.

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning cybersecurity and supplementing Title 52 of the New Jersey Statutes.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    a.  As used in this section:

     "Breach of security" means unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.  Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.

     "Business" means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution.

     "Cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of computers, information systems, communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information residing thereon. 

     "Public entity" means the State, and any county, municipality, district, public authority, public agency, and any other political subdivision or public body in the State.  A public entity shall not include the federal government.

     b.    The New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order 178 (2015) in the New Jersey Office of Homeland Security and Preparedness shall conduct a 12-month study of the cybersecurity infrastructure of public entities and private businesses that conduct business in this State for the purpose of identifying potential cybersecurity threats and vulnerabilities to cyberattacks.

     Within 120 days of the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), the New Jersey Cybersecurity and Communications Integration Cell shall establish parameters for the study, which shall include the requirement for public entities and private businesses that conduct business in this State to report, for a period of 12 months, any cybersecurity incident or breach of security and the results of the subsequent investigation of the cybersecurity incident or breach of security to the New Jersey Cybersecurity and Communications Integration Cell.  The New Jersey Cybersecurity and Communications Integration Cell shall provide notification to public entities and private businesses that conduct business in this State regarding the reporting requirements.

     c.     Within six months of the conclusion of the 12-month study, the New Jersey Cybersecurity and Communications Integration Cell shall establish cybersecurity guidelines for all public entities and private businesses that conduct business in this State based on the data collected pursuant to subsection b. of this section.

     d.    Public entities and private businesses that conduct business in this State shall be required to implement the cybersecurity guidelines established pursuant to subsection c. of this section within one year of the establishment of the guidelines, after which time a penalty may be imposed for failure to implement the required guidelines.  

     e.     The New Jersey Cybersecurity and Communications Integration Cell shall monitor cybersecurity incidents and breaches of security after public entities and private businesses have implemented the guidelines pursuant to subsection d. of this section and modify the cybersecurity guidelines, as appropriate.

     f.     The Department of Homeland Security and Preparedness shall adopt pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), a schedule of civil administrative penalties to be applied pursuant to subsection d. of this section for the failure to implement the required guidelines and rules and regulations to implement the provisions of this act.

     2.    This act shall take effect immediately.

STATEMENT

     This bill requires the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) to study the State's cybersecurity infrastructure and promulgate cybersecurity guidelines.

     Under the bill, the NJCCIC is required to conduct a 12-month study of the cybersecurity infrastructure of public entities and private businesses that conduct business in this State for the purpose of identifying potential cybersecurity threats and vulnerabilities to cyberattacks.

     Within 120 days of the bill's effective date, the NJCCIC is to establish parameters for the study, which are to include the requirement for public entities and private businesses that conduct business within the State to report to the NJCCIC, for a period of 12 months, any cybersecurity incident or breach of security and the results of the subsequent investigation of the cybersecurity incident or breach of security.

     The bill provides that within six months of the conclusion of the 12-month study, the NJCCIC is to establish cybersecurity guidelines for all public entities and private businesses that conduct business in the State based on the data collected under the bill.  Public entities and private businesses that conduct business in the State are required to implement the cybersecurity guidelines within one year of the establishment of the guidelines, after which time a penalty may be imposed for failure to implement the guidelines.

     Further, under the bill, the NJCCIC is to monitor cybersecurity incidents and breaches of security after public entities and private businesses have implemented the required guidelines and modify the guidelines, as necessary.

     Finally, the Department of Homeland Security and Preparedness it to adopt, pursuant to the "Administrative Procedure Act," a schedule of civil administrative penalties to be applied for the failure of a public entity or private business that conducts business in the State to implement the required guidelines and rules and regulations to implement the provisions of the bill.