47 | | - | An Act requiring certain procedures and training for municipalities, counties, and school districts in response to cybersecurity incidents and amending P.L.2023, c.19. Be It Enacted by the Senate and General Assembly of the State of New Jersey: 1. Section 1 of P.L.2023, c.19 (C.52:17B-193.2) is amended to read as follows: 1. As used in [this act,] P.L.2023, c.19 (C.52:17B-193.2 et seq.): "County" means a county of any class of this State, and any authority, commission, agency, or instrumentality of a county. "Cybersecurity incident" means a malicious or suspicious event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of an information system or the information the system processes, stores, or transmits. "Cyber threat indicator" means information that is necessary to describe or identify: (1) malicious reconnaissance, including, but not limited to, anomalous patterns of communication that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or vulnerability; (2) a method of defeating a security control or exploitation of a security vulnerability; (3) a security vulnerability, including, but not limited to, anomalous activity that appears to indicate the existence of a security vulnerability; (4) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability; (5) malicious cyber command and control; (6) the actual or potential harm caused by an incident, including but not limited to, a description of the data exfiltrated as a result of a particular cyber threat; and (7) any other attribute of a cyber threat, if disclosure of such attribute is not otherwise prohibited by law. 
"Defensive measure" means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cyber threat or security vulnerability, but does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by the entity operating the measure, or another entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure. "Governing body" means the body exercising general legislative powers in a county or municipality according to the terms and procedural requirements set forth in the form of government adopted by the county or municipality. "Government contractor" means an individual or entity that performs work for or on behalf of a public agency on a contract basis with access to or hosting of the public agency's network, systems, applications, or information. "Information resource" means information and related resources, such as personnel, equipment, funds, and information technology. "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 
"Information technology" means any equipment or interconnected system or subsystem of equipment that is used in automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information used by a public agency or a government contractor under contract with a public agency which requires the use of such equipment or requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes, but is not limited to, computers, ancillary equipment, software, firmware, and similar procedures, services, including support services, and related resources. "Municipality" means a city of any class, a town, township, village, or borough of this State, other than a county or a school district, and any authority, commission, agency, or instrumentality of a municipality. "Private entity" means any individual, corporation, company, partnership, firm, association, or other entity, but does not include a public agency as defined in this act, or a foreign government, or any component thereof. "Public agency" means any public agency of the State or any political subdivision thereof. "School district" means a local or regional school district established pursuant to chapter 8 or chapter 13 of Title 18A of the New Jersey Statutes, a county special services school district established pursuant to section 1 of P.L.1971, c.271 (C.18A:46-29), a county vocational school district established pursuant to article 3 of chapter 54 of Title 18A of the New Jersey Statutes, and a district under full State intervention pursuant to P.L.1987, c.399 (C.18A:7A-34 et seq.). (cf: P.L.2023, c.19, s.1) 2. Section 2 of P.L.2023, c.19 (C.52:17B-193.3) is amended to read as follows: 2. a. Every public agency and government contractor shall report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness. 
The report shall be made within 72 hours of when the public agency or government contractor reasonably believes that a cybersecurity incident has occurred. b. The New Jersey Office of Homeland Security and Preparedness shall receive and maintain cybersecurity incident notifications from public agencies, government contractors, and private entities in accordance with [this act] P.L.2023, c.19 (C.52:17B-193.2 et seq.). c. No later than 90 days after the effective date of [this act] P.L.2023, c.19 (C.52:17B-193.2 et seq.), the Director of the New Jersey Office of Homeland Security and Preparedness shall establish cyber incident reporting capabilities to facilitate submission of timely, secure, and confidential cybersecurity incident notifications from public agencies, government contractors, and private entities to the office. d. No later than 90 days after the effective date of [this act] P.L.2023, c.19 (C.52:17B-193.2 et seq.), the New Jersey Office of Homeland Security and Preparedness shall prominently post instructions for submitting cybersecurity incident notifications on its website. The instructions shall include, at a minimum, the types of cybersecurity incidents to be reported and any other information to be included in the notifications made through the established cyber incident reporting system. e. The cyber incident reporting system shall permit the New Jersey Office of Homeland Security and Preparedness to: (1) securely accept a cybersecurity incident notification from any individual or private entity, regardless of whether the entity is a public agency or government contractor; (2) track and identify trends in cybersecurity incidents reported through the cyber incident reporting system; and (3) produce reports on the types of incidents, indicators, defensive measures, and entities reported through the cyber incident reporting system. f. 
Any cybersecurity incident notification submitted to the New Jersey Office of Homeland Security and Preparedness pursuant to P.L.2023, c.19 (C.52:17B-193.2 et seq.) shall be deemed confidential, non-public, and not subject to the provisions of P.L.1963, c.73 (C.47:1A-1 et seq.), commonly known as the open public records act, as amended and supplemented, may not be discoverable in any civil or criminal action, and may not be subject to subpoena, unless the subpoena is issued by the New Jersey State Legislature and is deemed necessary for the purposes of legislative oversight. g. Notwithstanding the provisions of subsection f. of this section, the New Jersey Office of Homeland Security and Preparedness may anonymize and share cyber threat indicators and relevant defensive measures to help prevent additional or future attacks and share cybersecurity incident notifications with relevant law enforcement authorities. h. Information submitted to the New Jersey Office of Homeland Security and Preparedness through the cyber incident reporting system shall be subject to privacy and protection procedures developed and implemented by the office, which shall be based on the comparable privacy protection procedures developed for information received and shared pursuant to the federal [Cyber Security] Cybersecurity Information Sharing Act of 2015 (6 U.S.C. s.1501 et seq.). i. In the event that a cybersecurity incident impacts a municipality, county, or school district, no later than 30 days after receiving a cybersecurity incident notification pursuant to this section, the New Jersey Office of Homeland Security and Preparedness shall contract with an independent cybersecurity company to audit the cybersecurity program of the municipality, county, or school district, and to audit any actions the municipality, county, or school district took in response to the cybersecurity incident. j. The audit of a municipality, county, or school district required pursuant to subsection i. 
of this section shall be provided by the independent cybersecurity company to the municipality, county, or school district, and shall identify: (1) cyber threats and vulnerabilities to a municipality, county, or school district; (2) weaknesses in the municipality's, county's, or school district's cybersecurity program; and (3) strategies to address those weaknesses to protect the municipality, county, or school district from the threat of future cybersecurity incidents. k. The audit required pursuant to subsection i. of this section shall be conducted by a qualified and independent cybersecurity company and shall be paid for by the New Jersey Office of Homeland Security and Preparedness. l. Following an audit required pursuant to subsection i. of this section, the governing body of a municipality, county, or school district shall submit the audit and any corrective action plans derived from the audit to the New Jersey Office of Homeland Security and Preparedness. m. (1) Not less than six months following an audit required pursuant to subsection i. of this section, but not more than once in each calendar year, all county and municipal officers and employees, including all school district employees, shall complete a cybersecurity awareness training program, to be developed by the New Jersey Office of Homeland Security and Preparedness in consultation with the New Jersey Attorney General. An officer or employee shall verify completion of the training program to the governing body of each county or municipality, or school district, as appropriate. The governing body of each municipality, county, or school district, as appropriate, shall report completion of the training program to the New Jersey Office of Homeland Security and Preparedness, or an authorized designee. 
(2) The governing body of each municipality, county, or school district, as appropriate, shall require periodic audits by appropriate persons to ensure compliance with the requirements set forth in this subsection. n. A municipality, county, or school district may apply to the New Jersey Office of Homeland Security and Preparedness, in a form and manner to be determined by the New Jersey Office of Homeland Security and Preparedness, for reimbursement of costs incurred pursuant to the requirements of P.L. , c. (pending before the Legislature as this bill). The New Jersey Office of Homeland Security and Preparedness shall reimburse municipalities, counties, and school districts for all applicable costs subject to an application submitted pursuant to this subsection. o. Information collected and shared by a municipality, county, or school district concerning the cybersecurity incident reported pursuant to subsection a. of this section, the audit required pursuant to subsection i. of this section, the training program required pursuant to subsection m. of this section, and any corrective action plan derived therefrom, shall be exempt from disclosure pursuant to the provisions of P.L.1963, c.73 (C.47:1A-1 et seq.), commonly known as the open public records act. (cf: P.L.2023, c.19, s.2) 3. This act shall take effect immediately. |
| 45 | + | An Act concerning cybersecurity incidents, including reporting procedures and training, for municipalities, counties, and school districts, and supplementing chapter 17B of Title 52 of the Revised Statutes. Be It Enacted by the Senate and General Assembly of the State of New Jersey: 1. As used in P.L. , c. (C. ) (pending before the Legislature as this bill): "County" means any county of any class of this State, and any authority, commission, agency, or instrumentality of a county. "Cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communication system networks, physical or virtual infrastructure controlled by computers, or information systems. "Department" means the Department of Law and Public Safety. "Governing body" means the body exercising general legislative powers in a county or municipality according to the terms and procedural requirements set forth in the form of government adopted by the county or municipality. "Information resource" means information and related resources, such as personnel, equipment, funds, and information technology. "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. "Municipality" means any city of any class, any town, township, village, or borough of this State, other than a county or a school district, and any authority, commission, agency, or instrumentality of a municipality. "New Jersey Cybersecurity and Communications Integration Cell" means the New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order No. 178 of 2015 in the New Jersey Office of Homeland Security and Preparedness, or any successor entity. 
"School district" means a local or regional school district established pursuant to chapter 8 or chapter 13 of Title 18A of the New Jersey Statutes, a county special services school district established pursuant to article 8 of chapter 46 of Title 18A of the New Jersey Statutes, a county vocational school district established pursuant to article 3 of chapter 54 of Title 18A of the New Jersey Statutes, and a district under full State intervention pursuant to P.L.1987, c.399 (C.18A:7A-34 et al.). 2. a. The Attorney General, in consultation with the New Jersey Cybersecurity and Communications Integration Cell, shall develop an online cybersecurity incident reporting form and cybersecurity awareness training program on the New Jersey Cybersecurity and Communications Integration Cell's Internet website, specifically for use by a designated employee of: (1) a governing body of a municipality; (2) a governing body of a county; or (3) a school district. b. A designated employee of a municipality, county, or school district that has been made aware of a cybersecurity incident shall promptly complete and submit a cybersecurity incident online form developed pursuant to subsection a. of this section if the cybersecurity incident has: (1) compromised the confidentiality, integrity, availability, or privacy of the billing, communications, data management or information systems, or the information resources thereon, of a municipality, county, or school district where the employee works; or (2) compromised a municipality's, county's, or school district's industrial control system, if applicable, including monitoring operations and centralized control systems that adversely impacted, disabled, or manipulated infrastructure, resulting in loss of service or damage to infrastructure. c. No later than 30 days after receiving a cybersecurity incident reporting form that has been submitted through the online form developed pursuant to subsection a. 
of this section, the New Jersey Cybersecurity and Communications Integration Cell shall contract with an independent cybersecurity company to audit the cybersecurity program of the municipality, county, or school district that submitted the form, and to audit any actions the municipality, county, or school district took in response to the cybersecurity incident. d. The audit of a municipality, county, or school district required pursuant to subsection c. of this section shall be provided by the independent cybersecurity company to the municipality, county, or school district, and shall identify: (1) cyber threats and vulnerabilities to a municipality, county, or school district; (2) weaknesses in the municipality's, county's, or school district's cybersecurity program; and (3) strategies to address those weaknesses to protect the municipality, county, or school district from the threat of future cybersecurity incidents. e. The audit required pursuant to subsection c. of this section shall be conducted by a qualified and independent cybersecurity company and shall be paid for by the department. f. Following an audit required pursuant to subsection c. of this section, the governing body of a municipality, county, or school district shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell. g. (1) Not less than six months following an audit required pursuant to subsection c. of this section, but not more than once in each calendar year, all county and municipal officers and employees, including all school district employees, shall complete the cybersecurity awareness training program, developed pursuant to subsection a. of this section. An officer or employee shall verify completion of the program to the governing body of each county or municipality, or school district, as appropriate. 
The governing body of each municipality, county, or school district, as appropriate, shall report completion of the program to the New Jersey Cybersecurity and Communications Integration Cell, or an authorized designee. (2) The governing body of each municipality, county, or school district, as appropriate, shall require periodic audits by appropriate persons to ensure compliance with the requirements set forth in this subsection. h. A municipality, county, or school district may apply to the department, in a form and manner to be determined by the department, for reimbursement for costs incurred pursuant to the requirements of P.L. , c. (C. ) (pending before the Legislature as this bill). The department shall reimburse municipalities, counties, and school districts for all valid costs subject to an application submitted pursuant to this subsection. i. Information collected and shared by a municipality, county, or school district concerning the cybersecurity incident reported pursuant to subsection b. of this section, the audit required pursuant to subsection c. of this section, the training program required pursuant to subsection g. of this section, and any corrective action plan derived therefrom, shall be exempt from disclosure pursuant to the provisions of P.L.1963, c.73 (C.47:1A-1 et seq.), commonly known as the open public records act. 3. This act shall take effect immediately. STATEMENT This bill requires municipalities, counties, and school districts to report cybersecurity incidents. Under the bill, the Attorney General, in consultation with the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), is required to develop an online cybersecurity incident reporting form and cybersecurity awareness training program on the NJCCIC's Internet website, specifically for use by a designated employee of a municipality, county, or school district to report a cybersecurity incident and to complete the training program required under the bill. 
The bill provides that the online form is to be used promptly after the designated employee of a municipality, county, or school district has been made aware of a cybersecurity incident that has compromised certain computer system functions as enumerated in the bill. Under the bill, no later than 30 days after receiving a cybersecurity incident report that has been submitted through the online form, the NJCCIC is to contract with an independent cybersecurity company to audit the cybersecurity program of the municipality, county, or school district, and any actions the municipality, county, or school district took in response to the cybersecurity incident. The audit is to be paid for by the Department of Law and Public Safety (department) and is to be provided to the municipality, county, or school district by the cybersecurity company upon completion. The bill requires that within six months of an audit in response to a cybersecurity incident, but not more than once per calendar year, all municipal and county officers and employees, including all school district employees, are to complete a cybersecurity awareness training program developed by the Attorney General, in consultation with the NJCCIC, and verify completion as required by the bill. The bill requires that the governing body of each municipality, county, or school district, as appropriate, complete periodic audits to ensure compliance with this training requirement. The bill permits a municipality, county, or school district to apply to the department for reimbursement for any costs incurred pursuant to the requirements of the bill, and provides that the municipality, county, or school district is to submit the audit completed by the independent cybersecurity company and any corrective action plans derived from the audit to the NJCCIC. Any information collected and shared pursuant to specific provisions of the bill is not to be subject to the provisions of the open public records act. |