New Jersey Gov. Phil Murphy on Monday signed legislation that requires public agencies and government contractors to report cyber incidents to the state within 72 hours, joining several other states that have created similar rules.
The law requires state agencies and their contractors, counties, K-12 schools, public colleges and universities, law enforcement agencies and others to quickly report cybersecurity incidents they discover.
Many other states have in recent years adopted laws and regulations that require public-sector entities to disclose if they’ve been the victim of a ransomware attack, data breach or other compromise. The federal government is implementing legislation that requires critical infrastructure operators to notify the Department of Homeland Security if they’ve been breached.
“As we continue to face an evolving threat landscape, we must also adapt the mechanisms in place that safeguard our state,” Murphy said in a press release. “This legislation will bolster New Jersey’s security by expediting cybersecurity incident reporting and increase our resilience through effective communication.”
Cybersecurity incidents must be reported to the New Jersey Office of Homeland Security and Preparedness within 72 hours, the law says. The office’s director, Laurie Doran, will establish reporting guidelines, but the new reporting requirement “will take effect immediately,” according to Murphy’s office.
New Jersey’s cybersecurity division, which is housed in the homeland security office, received 375 confirmed cyber incident reports in 2022. By requiring incidents to be reported within 72 hours, the state hopes to gain new insight into current threats and mitigate future incidents.
“This new cyber incident reporting law will help connect the dots, allowing for effective collective incident response among all stakeholders,” Doran said.