Recent Advances in Cybersecurity Legislation

Over the past six months, cybersecurity bills impacting residents of New Jersey were introduced at both the federal and state levels. These bills highlight the continued efforts to improve information sharing and cybersecurity practices at the federal, state, and local levels.

NJ A311: Disclosure of Security Breach

On April 7, 2016, the New Jersey General Assembly unanimously passed NJ A311, a bill requiring any organization maintaining online accounts for consumers to immediately report unauthorized access of its information system to the consumer. The reporting requirement applies to both public and private organizations in New Jersey.

This bill expands the protections afforded by New Jersey's Identity Theft Prevention Act of 2005, which required both public and private entities to report breaches involving only the personally identifiable information of New Jersey residents to the consumer and New Jersey State Police. NJ A311 reduces that reporting threshold by requiring an organization to report any unauthorized access of an information system's online account data.

On April 18, 2016, the bill was received in the New Jersey Senate and referred to the Senate Commerce Committee. It has yet to be considered by the Senate Commerce Committee.

Highlights of the Proposed Legislation

  • Requires organizations to report any unauthorized access to systems that store consumer information.

  • Provides consumers with early notification in response to unauthorized access of their information.

  • Underscores the need for both commercial and public organizations to regularly review, update, and strengthen information security systems.

HR 3869: State and Local Cyber Protection Act of 2015

Representative Will Hurd (R-Texas) introduced the State and Local Cyber Protection Act of 2015 (HR 3869) on November 2, 2015. The bill requires the US Department of Homeland Security (DHS) to help state and local agencies improve their cybersecurity posture by providing services currently available only to federal departments and agencies. An example of one of these services is the Continuous Diagnostic and Mitigation Program (CDM), a systems analysis tool that continuously identifies cybersecurity risks, prioritizes them based on potential impact, and enables cybersecurity personnel to mitigate them accordingly. Services like CDM would be provided to state and local government agencies by the National Cybersecurity and Communications Integration Center (NCCIC).

During an interview with Government Computer News on April 12, 2016, Representative Hurd stated this bill is intended to improve state and local government cybersecurity practices and capabilities. He also asserted that "state and local agencies and critical infrastructure providers must take care to respect privacy concerns both real and perceived." The State and Local Cyber Protection Act of 2015 includes language requiring DHS to provide privacy and civil liberties training to state and local partners.

The US House of Representatives passed the bill on December 10, 2015. The legislation has been referred to the Senate Committee on Homeland Security and Government Affairs, but has yet to be considered by the Committee.

Highlights of the Proposed Legislation

  • Makes DHS services and training platforms available to all state and local governments.

  • Requires that DHS coordinate a nationwide effort to ensure the resiliency of state and local information systems.

For additional resources and information on cybersecurity policy and practices, visit the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) website.

For more information, please contact NJOHSP's Preparedness Bureau at