NJ S3101

Bill

Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.

Introduced
04/15/2024

In Committee
04/15/2024

Crossed Over

Passed

Dead
01/12/2026

Introduced Session

2024-2025 Regular Session

Bill Summary

This bill would require sensitive businesses to report certain cybersecurity incidents promptly to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). For the purposes of this bill, a "cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers, or information systems. The bill would direct the NJCCIC to audit the relevant business no later than 30 days after being made aware of an incident. Cybersecurity audits would be conducted by a qualified and independent cybersecurity company at the sensitive business' expense.

AI Summary

This bill requires businesses in the financial, essential infrastructure, and healthcare industries, referred to as "sensitive businesses," to promptly report any cybersecurity incident to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), which is a state entity responsible for cybersecurity. A "cybersecurity incident" is defined as any event through a computer network that compromises the security, privacy, or availability of computer systems, networks, or controlled infrastructure. These businesses must report incidents that affect their billing, communication, data management, or business information systems, as well as any incident impacting their industrial control systems, which are used to manage industrial processes like manufacturing or distribution, if such an incident causes a loss of service or damage. Following a report, the NJCCIC will have 30 days to arrange for an audit of the business's cybersecurity program and its response to the incident, conducted by an independent cybersecurity company at the business's own cost, to identify threats and weaknesses and develop strategies for improvement.

Committee Categories

Justice

Sponsors (2)

Linda Greenstein (D)*, Raj Mukherji (D)*,

Last Action

Combined with S3100 (SCS) (on 06/13/2024)

Official Document

https://www.njleg.state.nj.us/bill-search/2024/S3101

(3 Companion Bills)

Version:

Document Type	Source Location
State Bill Page	https://www.njleg.state.nj.us/bill-search/2024/S3101
BillText	https://pub.njleg.gov/Bills/2026/S3500/3101_I1.HTM
BillText	https://pub.njleg.gov/Bills/2024/S3500/3101_I1.HTM

Bill	Bill Name	Last Action	Type
A1979	Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.	Introduced, Referred to Assembly Financial Institutions and Insurance Committee	Carry Over
A2199	Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.	Introduced, Referred to Assembly Science, Innovation and Technology Committee	Same As
S3100	Requires businesses in financial essential infrastructure, and health care industries to develop cybersecurity plans and report cybersecurity incidents.	Referred to Senate Budget and Appropriations Committee	Replaced by

Bill > S3101

summary

Introduced Session

Bill Summary

AI Summary

Committee Categories

Sponsors (2)

Last Action

Official Document

bill text

bill summary

bill summary

bill summary