6 min read
Book a Free Consultation

NJ 3-Day Cyber Attack Reporting Law: What It Means for New Jersey Government Entities

By Harrison Kelly

With many local government entities continuing to rely on outdated computer systems and IT workflows, their easy susceptibility makes them a prime target for hackers to target with ransomware attacks. And if a hacker does manage to breach a local government’s IT systems, it can result in the permanent loss of critical private data, pausing of government services for weeks, and burdensome costs to your tax payers to get your county or municipality running again. 

With these frustrating realities in mind, it’s no surprise that New Jersey Governor Phil Murphy signed a new bill into law requiring state, county, and local government institutions, law enforcement, and public schools to report cyber attacks within 72 hours to the New Jersey Office of Homeland Security and Preparedness. 

In this guide, you’ll come to understand the specific cyber incident reporting law and what it means for your local government, the rationale for passing this stringent cybersecurity legislation, and ways your locality can be proactive against cyber attacks with modern government data storage and software. Here’s everything NJ local governments need to know. 

(Even if you are not from the Garden State, follow along for insight into similar laws that have already been passed or may soon be put into place in your state) 

Download GovPilot Digital Transformation eBook


What is the NJ 72 Hour Cyber Reporting Law? 

Bill S297, also known as the New Jersey data breach notification law, was signed into law on March 13, 2023. Effective immediately, the legislation requires various public sector entities, and private sector government contractors, at the state, county, and local level to report data breaches within 72 hours of the incident. 

Institutions included in the bill’s language include:

  • State, county, and municipal governments 
  • K-12 public schools
  • Public colleges and universities 
  • Law enforcement agencies
  • Private sector contractors working with government data

What Does NJ Bill S297 Mean for NJ Cybersecurity Incident Reporting for Local Governments?

In the New Jersey Office of Homeland Security and Preparedness (NJOHSP) press release, Governor Murphy was quoted saying, “As we continue to face an evolving threat landscape, we must also adapt the mechanisms in place that safeguard our state, this legislation will bolster New Jersey’s security by expediting cybersecurity incident reporting and increase our resilience through effective communication.”

Here are key ways the legislation promotes these improved cybersecurity incident communication objectives between government departments and the NJOHSP:

72 Hour Reporting Requirement

When government entities such as county and municipal agencies, public schools, or private government contractors are hacked, they are required to report the cyber attack incident within 72 hours to the NJ Office of Homeland Security and Preparedness, effective immediately.

The Director of the NJOHSP Laurie Doran is currently developing reporting guidelines to, “connect the dots [between NJ government entities and the NJOHSP] allowing for effective collective incident response among all stakeholders.”

Get State Assistance Responding To Cyber Attacks

Modernizing local government communications with the NJOHSP and its New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) will allow for “assistance to the affected public agencies to help them respond and recover from an attack. It also allows the NJCCIC to help prevent further compromises of public agencies by sharing the techniques, tactics and protocols the attackers used and the best practices to thwart them,” as stated by NJCCIC Director Michael Geraghty. 

Federal assistance through grants can help too. Learn more about Federal Cybersecurity Grants for Local Governments

Improved Cyber Attack Data Collection 

Last year, 375 incidents relating to government-related cyber incident reports were submitted to the NJCCIC. With better reporting processes, quick and consistent reporting will assist NJCCIC in expediting its response and mitigating further incidents while improving its visibility and awareness of current hacking trends.

How Does Government Analytics Help for Making Informed Decisions? Here’s what to consider as a decision-making government leader. 

Keep Critical NJ Government Data Safe

Assemblywoman Carol Murphy summed it up perfectly when she said, “as more of the work our governments do goes online, it is more important than ever to protect vital information and keep our state secure for all of our residents.”

Local government software can automate processes across departments, and is well worth the time and money savings compared to more traditional workflows. Better educational resources and state government intervention will ensure that counties and municipalities won’t be susceptible to attacks due to human error by embracing a government digital transformation.

High-Standards for Private Government Contractors

Local governments can and should use private-sector partners to build and maintain local digital and physical infrastructure. And as New Jersey uses state and federal grants to modernize its infrastructure in partnership with government contractors, this legislation requires the same 72 hour incident reporting standards for private entities with access to critical government data. 

Here’s more insight into key grants allowing governments to modernize their public infrastructure using private contractors:

How Can Local Governments Improve Cybersecurity 

Clearly, the need for local governments to be proactive is evident in the Murphy administration’s new policy. “In New Jersey alone, thousands of cybercrime cases occur each week, with our schools, hospitals and police departments among the entities most affected," a recent press release stated.

Consider these government cybersecurity strategies for keeping data secure and preventing hacks due to human error:

1. Choose a Trusted Government Software Partner

Cloud-based government software like GovPilot can keep data secure by performing regular data-backups, requiring multi-login steps for access to sensitive data, and embracing other key cybersecurity best practices.

GovPilot offers software solutions across departments to allow for government IT teams to keep government-wide data secure within one trusted cloud platform, and recently brought GovPilot to the Microsoft Azure Cloud for Enhanced Cybersecurity.

Learn more about Why the Cloud is More Secure for Local Governments Than Traditional In-House Servers.  

2. Educate on Phishing Scams and Other Hacking Tactics

Local government officials often fall susceptible to ransomware attacks due to human error. Ask about tech knowledge in your local government recruitment process to actively find tech-savvy candidates. Make sure that newly onboarded government officials are educated on cybersecurity best practices for governments, and that government-wide staff receive ongoing training on a regular basis.

Be proactive. Here are Cybersecurity Training Necessities for Teaching Government Workers and Tips for Hiring Tech Workers in Local Governments.

3. Prioritize Your Local Government IT Department

City managers and administrators as well as department leaders need to allocate government budgets towards addressing modern local government challenges, with cybersecurity posing an evolving and increasingly problematic issue for the public sector that only information technology support can address.  

A modern local government IT strategy will involve hiring officials that not only recognize cybersecurity threats to mitigate against across departments, but additionally staying in tune to the ever-evolving challenges as hackers find new sophisticated tactics to breach public-sector data centers

Embracing better IT infrastructure needs to happen now, as many current NJ laws are pushing local governments towards modern digital infrastructure: Learn more about government technology focused legislation in New Jersey:

4. Learn From Government Data Breach Examples

International, federal, state, and local government entities across department-types have fallen victim to major data breaches that have halted government progress and resulted in the permanent loss of sensitive data. 

Pay attention to hacks that occur nationwide to learn from others’ mistakes, and be sure to stay informed from the NJCCIC for lessons as incident reports continue to roll in about NJ specific cyber attacks. 

5. Switch to a .Gov Government Website

.Gov websites are more cyber secure than .com or .net domain names that many local governments continue to rely on. Make the switch to a .gov site as soon as possible, and optimize your government website to allow for online permitting applications, digital government fee and fine collection, etc. for a better citizen experience while you’re at it.

Here’s How to Modernize a Government Website for SEO, UX, & More and other Keys for Local Government Innovation.

Better NJ Cyber Incident Reporting

The state of New Jersey is taking a proactive approach towards public sector cybersecurity protocol by following other states and requiring public entities to report cyber breaches to the NJOHSP within 72 hours or less.

In doing so, the state can streamline cybersecurity communications, collect tangible data about the types of hacks occurring, and provide assistance to government agencies in getting breaches addressed.

Embracing government software is a modern way to keep data safe and secure. To learn how GovPilot can help, book a free demo. 

Book A Consultation

New Jersey Data Breach Notification Law FAQs

What is NJ Bill S297?

NJ Bill S297, known as the NJ 3-day cyber incident reporting law, put new requirements into place for government entities, as well as private government contractors, to report data breaches to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) within 72 hours of an incident occurring.

The New Jersey data breach notification law that was signed into law on March 13, 2023 is meant to improve cybersecurity communications between the states’ government entities, and to collect insightful data about how government departments are being breached to mitigate the risk of similar attacks in the future. 

Why Did the NJ State Government Vote to Pass a 3-Day Cyber Incident Reporting Law?

With 375 reports of NJ government data breaches in 2022, the state is prioritizing better reporting in the future. Assemblywoman Carol Murphy was quoted saying, “It is critical that cybersecurity incidents are reported. This information will allow the State to better assess cyber attacks and be prepared.” 

Why Do Local Governments Need to Care About Cybersecurity?

As more local governments move away from paper-based filing and store sensitive data online, they owe it to their citizens to keep private data secure. Additionally, hacks can often freeze government services for weeks on end, preventing your public workers from accomplishing the day to day objectives that keep your community functioning. 

Modern government technology can move your sensitive information online without sacrificing data security. Learn more about How Onboarding Government Software Works.

How Do Governments Get Hacked?

Hackers often look for governments to hack due to their reliance on outdated computer systems that are easy to break into. Additionally, breaches due to human error occur as a result of phishing scams, weak passwords, and downloads with malware. 

Read on:


Tags: Government Efficiency, Cybersecurity, Digital Transformation, Blog