Read the full stored bill text
A4198
ASSEMBLY, No. 4198
STATE OF NEW JERSEY
222nd LEGISLATURE
�
INTRODUCED FEBRUARY 19, 2026
Sponsored by:
Assemblywoman� CAROL A. MURPHY
District 7 (Burlington)
SYNOPSIS
���� Requires New Jersey Cybersecurity and Communications
Integration Cell to study cybersecurity infrastructure and establish
cybersecurity guidelines.
CURRENT VERSION OF TEXT
���� As introduced.
��
An Act
concerning cybersecurity and supplementing Title 52 of
the New Jersey Statutes.
����
Be It
Enacted
by the Senate and General Assembly of
the State of New Jersey:
���� 1.��� a.� As used in this
section:
���� "Breach of security"
means unauthorized access to electronic files, media, or data containing
personal information that compromises the security, confidentiality, or
integrity of personal information when access to the personal information has
not been secured by encryption or by any other method or technology that
renders the personal information unreadable or unusable.� Good faith
acquisition of personal information by an employee or agent of the business for
a legitimate business purpose is not a breach of security, provided that the
personal information is not used for a purpose unrelated to the business or
subject to further unauthorized disclosure.
���� "Business" means a
sole proprietorship, partnership, corporation, association, or other entity,
however organized and whether or not organized to operate at a profit,
including a financial institution organized, chartered, or holding a license or
authorization certificate under the law of this State, any other state, the
United States, or of any other country, or the parent or the subsidiary of a
financial institution.
���� "Cybersecurity
incident" means an event occurring on or conducted through a computer
network that jeopardizes the integrity, confidentiality, or availability of
computers, information systems, communications systems, networks, physical or
virtual infrastructure controlled by computers or information systems, or
information residing thereon.�
���� "Public entity"
means the State, and any county, municipality, district, public authority,
public agency, and any other political subdivision or public body in the
State.� A public entity shall not include the federal government.
���� b.��� The New Jersey
Cybersecurity and Communications Integration Cell established pursuant to
Executive Order 178 (2015) in the New Jersey Office of Homeland Security and
Preparedness shall conduct a 12-month study of the cybersecurity infrastructure
of public entities and private businesses that conduct business in this State
for the purpose of identifying potential cybersecurity threats and
vulnerabilities to cyberattacks.
���� Within 120 days of the
effective date of P.L.��� , c.��� (C.������� ) (pending before the Legislature
as this bill), the New Jersey Cybersecurity and Communications Integration Cell
shall establish parameters for the study, which shall include the requirement
for public entities and private businesses that conduct business in this State
to report, for a period of 12 months, any cybersecurity incident or breach of
security and the results of the subsequent investigation of the cybersecurity
incident or breach of security to the New Jersey Cybersecurity and
Communications Integration Cell.� The New Jersey Cybersecurity and
Communications Integration Cell shall provide notification to public entities
and private businesses that conduct business in this State regarding the
reporting requirements.
���� c.���� Within six months of
the conclusion of the 12-month study, the New Jersey Cybersecurity and
Communications Integration Cell shall establish cybersecurity guidelines for
all public entities and private businesses that conduct business in this State
based on the data collected pursuant to subsection b. of this section.
���� d.��� Public entities and
private businesses that conduct business in this State shall be required to
implement the cybersecurity guidelines established pursuant to subsection c. of
this section within one year of the establishment of the guidelines, after which
time a penalty may be imposed for failure to implement the required
guidelines.�
���� e.���� The New Jersey
Cybersecurity and Communications Integration Cell shall monitor cybersecurity
incidents and breaches of security after public entities and private businesses
have implemented the guidelines pursuant to subsection d. of this section and
modify the cybersecurity guidelines, as appropriate.
���� f.���� The Department of
Homeland Security and Preparedness shall adopt pursuant to the �Administrative
Procedure Act,� P.L.1968, c.410 (C.52:14B-1 et seq.), a schedule of civil
administrative penalties to be applied pursuant to subsection d. of this
section for the failure to implement the required guidelines and rules and
regulations to implement the provisions of this act.
���� 2.��� This act shall take
effect immediately.
STATEMENT
���� This bill requires the New
Jersey Cybersecurity and Communications Integration Cell (NJCCIC) to study the
State�s cybersecurity infrastructure and promulgate cybersecurity guidelines.
���� Under the bill, the NJCCIC is
required to conduct a 12-month study of the cybersecurity infrastructure of
public entities and private businesses that conduct business in this State for
the purpose of identifying potential cybersecurity threats and vulnerabilities
to cyberattacks.
���� Within 120 days of the bill�s
effective date, the NJCCIC is to establish parameters for the study, which are
to include the requirement for public entities and private businesses that
conduct business within the State to report to the NJCCIC, for a period of 12
months, any cybersecurity incident or breach of security and the results of the
subsequent investigation of the cybersecurity incident or breach of security.
���� The bill provides that within
six months of the conclusion of the 12-month study, the NJCCIC is to establish
cybersecurity guidelines for all public entities and private businesses that
conduct business in the State based on the data collected under the bill.�
Public entities and private businesses that conduct business in the State are
required to implement the cybersecurity guidelines within one year of the
establishment of the guidelines, after which time a penalty may be imposed for
failure to implement the guidelines.
���� Further, under the bill, the
NJCCIC is to monitor cybersecurity incidents and breaches of security after
public entities and private businesses have implemented the required guidelines
and modify the guidelines, as necessary.
���� Finally, the Department of
Homeland Security and Preparedness it to adopt, pursuant to the �Administrative
Procedure Act,� a schedule of civil administrative penalties to be applied for
the failure of a public entity or private business that conducts business in
the State to implement the required guidelines and rules and regulations to
implement the provisions of the bill.