Wednesday, November 27, 2024

New Reporting Requirements in the Cybersecurity and Critical Infrastructure Sectors


As lawyers, we frequently serve clients in critical infrastructure sectors such as finance, energy, water, transportation and health care: any threat to these sectors could have potentially debilitating national security, economic, and public health or safety consequences. By fostering a proactive compliance culture, attorneys can help clients not only meet regulatory demands but also mitigate liability and enhance overall resilience against cyberthreats.

Recent changes in U.S. cybersecurity regulations for critical infrastructure have significantly increased oversight and reporting requirements at both the federal and state levels. New Jersey is no exception, and has actively addressed the rising threat of cyberattacks against critical infrastructure through enhanced cybersecurity requirements, threat assessments, and the creation of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). NJCCIC assesses that in 2024 and 2025, New Jersey’s critical infrastructure assets will continue to face an array of cyberattacks that are costly and operationally debilitating. See “2024 Cyber Threat Assessment” (last visited Oct. 31, 2024).

How Does New Jersey Plan to Regulate Cyberattacks That Affect Critical Infrastructure Sectors?

On March 13, 2023, Gov. Phil Murphy signed into law P.L. 2023, c.19 (C.52-17B-193.2), which imposes a state-mandated reporting requirement following any “cybersecurity incident.” This legislation targets incidents that could disrupt daily operations, cause financial loss, or compromise sensitive data and systems.

Specifically, government entities such as county and municipal agencies, public schools or private government contractors that are hacked are now obligated to notify the New Jersey Office of Homeland Security and Preparedness (NJOHSP) within 72 hours of any “cyber incident.” A “cybersecurity incident” is defined as “a malicious or suspicious event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of an information system or the information the system processes, stores, or transmits.”

The NJOHSP has created a reporting hotline and a portal on its website that supports secure online incident reporting. The law aims to standardize and streamline response protocols while aligning with broader national goals set by the federal Cybersecurity and Infrastructure Security Agency (CISA) in its recently proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which focuses on elevating security standards across critical infrastructure sectors at the federal level.

Though not required to do so, private entities are encouraged to report cybersecurity incidents. The law protects the confidentiality of such reports from public disclosure under the Open Public Records Act. Notably, however, it excludes minor, unsuccessful attacks (e.g., routine automated scans or failed intrusion attempts do not need to be reported) to avoid overburdening resources.

Private entities may have further reporting obligations under federal law. Specifically, the federal government is planning to require certain entities to report when they are victims of cyberattacks. In March 2024, CISA released its Notice of Proposed Rulemaking to implement CIRCIA in an effort to collect real-time data on cyber threats, identify trends, and quickly share critical information to prevent similar attacks on other infrastructure sectors. See 89 FR 23644. Similar to the New Jersey reporting requirement, CIRCIA requires a critical infrastructure company (a “covered entity”) to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The proposed rule would apply to entities that either exceed the Small Business Administration’s (SBA) Small Business Size Regulation or meet a sector-specific criterion set forth in the rule.

Depending on the industry, a company may be exempt from the reporting requirement if its employee count falls below a sector-specific threshold (ranging from 100 to 1,500 employees) or its annual profits fall below a sector-specific threshold (ranging from $2.5 million to $47 million). Under the proposed rule, covered entities should expect that information they report to the government would be shared among relevant government agencies, but would also carry protections against unauthorized disclosure and use in judicial proceedings. See Chris Jaikaran, Cong. Rsch. Serv., R48025, CIRCIA: Notice of Proposed Rule Making: In Brief, available at https://crsreports.congress.gov/product/pdf/R/R48025 (last visited Oct. 31, 2024). The final rule is expected in early 2025.

What Is on the Horizon? 

Lawyers should anticipate advising public and private clients regarding more reporting and auditing obligations, which are aimed to fortify the state’s critical infrastructure sectors against escalating cyber risks.

Pending New Jersey Senate Bills 3100 and 3101—initially introduced as separate measures and combined into a single Substitute Bill on June 13, 2024—require businesses in the financial, essential infrastructure, and health care industries to report cybersecurity incidents. The Substitute Bill mandates that these “sensitive businesses” implement cybersecurity plans and confirm compliance annually to the NJCCIC, with an audit conducted if plans are not submitted as required. See S.B. 3100-3101, 221st Leg. (N.J. 2024). The Substitute Bill defines “sensitive businesses” as sole proprietorships, partnerships, corporations, associations or other entities, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate in the U.S., that are engaged in the financial, essential infrastructure, or health care industries and do business in New Jersey. Additionally, the Substitute Bill mandates immediate reporting of cybersecurity incidents that threaten the confidentiality, integrity, or availability of information residing on computers, information systems, communication system networks, or physical or virtual infrastructure controlled by computers or information systems. Incidents impacting industrial control systems, such as service disruptions or damage to infrastructure, must also be reported.

Once a cybersecurity incident is reported, NJCCIC is authorized to audit the business’s cybersecurity program within 30 days. The Substitute Bill mandates that these audits, conducted by independent cybersecurity experts, are funded by the business and aim to identify any vulnerabilities and recommend actions to enhance resilience against further threats. Lastly, a business shall, upon the request of the attorney general or the NJCCIC, provide proof of compliance with the new requirements.

While it is still unclear how the incoming Trump administration will address cybersecurity issues facing the critical infrastructure sector after January 2025, executives and analysts look to the administration’s cybersecurity priorities from its previous term in office. In 2017, the Trump administration issued several key directives aimed at strengthening cybersecurity in critical sectors, such as Executive Order 13800, which called for federal agencies to work with private sector partners to improve resilience in sectors like energy, finance, and transportation. The Trump administration, however, generally resisted introducing mandatory cybersecurity regulations, arguing that the private sector should have flexibility to address cybersecurity based on specific risks. For instance, the Cybersecurity and Infrastructure Security Agency (CISA), created in 2018 under the Trump administration, focused on providing resources, guidance, and partnerships rather than enforcing compliance. Whether these mandatory reporting requirements are here to stay is unclear. Attorneys should stay abreast of any upcoming changes to these regulations and anticipate continuing to advise their clients on best practices against cyberthreats.

How Should Attorneys Advise New Jersey Business Clients To Comply With These New Regulations? 

There are several ways attorneys can begin preparing clients:

  • Prepare for increased compliance responsibilities and more stringent cybersecurity protocols under these new regulations. For instance, S.B. 3101 mandates that businesses in essential sectors like finance, health care, and infrastructure establish and regularly update cybersecurity programs that align with recognized frameworks.
  • Ensure cybersecurity policies are up to date and meet state requirements and industry best practices, as required by S.B. 3100 and 3101.
  • Develop protocols for detecting, documenting and reporting cybersecurity incidents within the 72-hour window mandated by New Jersey law. Attorneys should also emphasize the importance of training clients’ staff to recognize reportable events and of implementing internal procedures for notifying NJCCIC promptly.
  • Invest in continuous monitoring and threat detection given the rising frequency of attacks on critical infrastructure. By preparing early, investing in compliance, and actively participating in New Jersey’s information-sharing initiatives, businesses can not only meet regulatory standards, but also strengthen their defenses in a rapidly evolving cybersecurity landscape.

Both state and federal efforts reflect a proactive stance against rising cyber threats to critical infrastructure. New Jersey’s recent legislative initiatives, including the 72-hour reporting requirement and S.B. 3100 and 3101, signal an increased commitment to cybersecurity in essential sectors. These measures not only bolster local infrastructure security but also align with federal efforts such as CISA. The cooperation between New Jersey’s NJCCIC and federal entities underscores the need for a cohesive approach, where timely reporting, shared intelligence, and consistent audits are key to maintaining cyber resilience. By working proactively and reactively with clients, attorneys can ensure that cybersecurity risks are minimized.

Naju R. Lathia is a partner in Day Pitney’s New Jersey office and co-chair of the firm’s data privacy, protection and litigation practice group. Potoula P. Tournas is a litigation associate in the firm’s Stamford office.
