A2226

An Act concerning information security standards and guidelines for State and local government, supplementing P.L.2007, c.56 (C.52:18A-219 et seq.), P.L.2007 c.63 (C.40A:5-48 et al.), chapter 36 of Title 18A of the New Jersey Statues, and chapter 1 of Title 2B of the New Jersey Statutes.

Be It Enacted by the Senate and General Assembly of the State of New Jersey:

1. The Office of Information Technology, in partnership with relevant Executive Branch offices, shall provide minimum information security standards and guidelines that Executive Branch departments, agencies, and other instrumentalities of the Executive Branch shall follow to protect against unauthorized access to, alteration, disclosure, or destruction of information and information systems.

2. A county, municipality, subdivision or instrumentality thereof shall:

a. follow the Office of Information Technology’s minimum standards and guidelines for the protection against unauthorized access to, alteration, disclosure, or destruction of information and information systems that are established for the Executive Branch, pursuant to section 1 of P.L. , c. (C. ) (pending before the Legislature as this bill); or

b. ensure that its own standards and guidelines protecting against unauthorized access to, alteration, disclosure, or destruction of information and information systems are commensurate with the information’s sensitivity.

3. A board of education shall:

4. The Administrative Director of the courts, as approved by the Chief Justice of the Supreme Court, is authorized and encouraged to:

a. ensure that courts in this State follow the Office of Information Technology’s minimum standards and guidelines for the protection against unauthorized access to, alteration, disclosure, or destruction of information and information systems that are established for the Executive Branch, pursuant to section 1 of P.L. , c. (C. ) (pending before the Legislature as this bill); or

b. ensure that courts in this State have standards and guidelines to protect against unauthorized access to, alteration, disclosure, or destruction of information and information systems commensurate with the information’s sensitivity.

5. This act shall take effect immediately, but shall remain inoperative for 180 days following the date of enactment.

STATEMENT

This bill requires the Office of Information Technology in the Department of the Treasury to provide minimum information security standards and guidelines that are to be followed by State agencies. In the course of governance, agencies often collect and use personal or confidential information. Because personal and confidential information are vulnerable to unauthorized access and disclosure, it is important that such information is protected by physical and cyber security.

The bill also requires that local governments and boards of education follow the Office of Information Technology’s guidelines or use other standards and guidelines that protect information commensurate with the information’s sensitivity. The bill authorizes and encourages the Judiciary to follow the Office of Information Technology’s guidelines or use other standards and guidelines that protect information commensurate with the information’s sensitivity.

The bill will take effect immediately upon passage. However, 180 days are given for the State and local governments to implement the requirements of the bill.