May 23 2023

New Jersey Gets More Serious About Cyber Incident Reporting

In an effort to improve state response, agencies are now required to report cyber incidents within 72 hours.

New Jersey governor Phil Murphy recently signed legislation that requires state public agencies to report cyber incidents to the state within 72 hours.

New Jersey joins a number of other states that have taken such a step in recent years. Virginia, for instance, passed similar legislation last year. New Jersey reportedly received 375 confirmed cyber incident reports in 2022. And just last month, a ransomware attack locked up police files in Camden County, N.J.

The New Jersey law requires state agencies and their contractors, counties, K–12 schools, public colleges and universities, and law enforcement agencies to promptly report cybersecurity incidents they discover to the New Jersey Office of Homeland Security and Preparedness.

Data breaches — incidents where personal identifiable information is compromised — already have reporting requirements in New Jersey. But before the new legislation was signed, government organizations in the state weren’t required to report incidents if they didn’t involve a breach. The legislation aims to make reporting timelier and more consistent, with NJOHSP set to establish reporting guidelines for the state.

Click on the banner below to learn more about cybersecurity solutions by becoming an Insider.

NJOHSP Aims to Respond More Quickly to Incidents

According to New Jersey CISO Michael Geraghty, who’s also director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), a division of NJOHSP, the legislation is meant to help organizations respond promptly to cybersecurity threats, not punish them for late reporting.

“It’s not punitive in any way if you don’t report in 72 hours. We’re not going to hit you over the head with anything,” Geraghty says. “It’s really that idea of a neighborhood watch. We want to share information with our cyber neighbors so they can protect themselves.” 

With prompt reporting, New Jersey cybersecurity officials should be better positioned to help organizations respond to attacks quickly and stamp out attacks before they spread. Geraghty notes that even if organizations don’t have all the details when they alert the NJOHSP, a timely report can keep an attack from growing, and organizations can always follow up later with more details as they become available.

“Local, county, K–12, state government: They’re all interconnected in some way,” Geraghty says. “If one organization has a cyber incident, it has the potential to impact others.”

Timely reporting should also help government organizations stay safe in the future, as NJCCIC will be able to share the techniques, tactics and protocols that attackers have used and the best practices to thwart them.

Without reporting requirements, Geraghty says it’s not possible to get enough data to accurately assess the threat landscape and identify overarching trends or changes. With all incidents being reported, the NJOHSP will better understand what kind of help is needed and where.

“We’ll never disclose who the victims are when sharing information. But what we can say is, ‘This email address is sending malicious emails’ or, ‘This IP address has attacked a number of school districts,’ so that other agencies can be on the lookout,” Geraghty says.

READ MORE: NASCIO and the NGA call for strengthening the cybersecurity Workforce.

Incident Reporting Guidelines Aim for a Timely Response

According to Geraghty, the NJOHSP’s reporting guidelines are being finalized and should be released in the coming days. The guidelines aim to keep agencies from reporting benign incidents that were blocked or otherwise unsuccessful, as these kinds of reports take time and resources away from more important incidents.

“Everyone connected to the internet is subject to numerous probes, scans and attempts to exploit vulnerabilities. The vast majority of those attempts are benign,” Geraghty says. “We don’t want agencies to report on those. We don’t want the legislation to be a burden.”

New Jersey wants reports on events in which agencies reasonably believe the incident:

  • May impact their ability to conduct daily business operations or provide core services
  • Resulted in the loss of agency data, system availability, or control of informational or operational systems
  • Indicates unauthorized access to or malicious software present on public information or operational technology systems
  • Resulted in financial loss to the agency
  • Had an impact or threatens to impact the health, welfare and safety of individuals
  • Is part of an ongoing series of attacks by a threat actor that may have originally been thwarted but could result in any of the impacts listed above.

Agencies can file their cyber incident reports online at

Just_Super/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.