On March 13, 2023, New Jersey Gov. Phil Murphy signed Senate Bill No. 297 (Assembly Bill No. 493) requiring public agencies and government contractors to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness within 72 hours of discovery of an incident. The bill was first introduced in January 2022 and went through several iterations before it was signed into law by Murphy. The bill became effective immediately upon signature. 

Background

The new law seeks to address the persistent threat posed by cybercriminals to the information systems and records of public agencies. In a statement about the law, Sen. Fred Madden, one of the bill’s sponsors, noted “[i]n New Jersey alone, thousands of cybercrime cases occur each week, with our schools, hospitals and police departments among the entities most affected.” The information held by these agencies is often highly sensitive—criminal justice records, court records, tax files, and the like. Through this law, New Jersey hopes to empower the New Jersey Office of Homeland Security and Preparedness (NJOHSP) to be better informed of cybercrime patterns and prevalence and to have sufficient information to enable the office to respond more quickly and effectively to cybercrime events. “By intaking cybersecurity incident reports, the [NJOHSP’s cybersecurity division—the New Jersey Cybersecurity and Communications Integration Cell or NJCCIC] can provide assistance to the affected public agencies to help them respond to and recover from an attack,” said NJCCIC Director Michael Geraghty in a statement. “It also allows the NJCCIC to help prevent further compromises of public agencies by sharing the techniques, tactics and protocols the attackers used and the best practices to thwart them.”

Scope and Application