Skip to main content
2024 Annual Public Policy Forum, December 4, 2024 REGISTER

Legislation requiring businesses in the financial, essential infrastructure and healthcare industries to report cybersecurity incidents to the state should be amended to avoid inadvertently ushering in “a cottage industry of lawsuits,” NJBIA told lawmakers Thursday. 

In testimony before the Senate Law & Public Safety Committee, NJBIA Deputy Chief Government Affairs Officer Ray Cantor took issue with language in the bills, S-3100/S-3101, stating that the legislation supplements the state’s 1960 Consumer Fraud Act. 

“By doing so, what you are doing is bringing in private rights of action, you’re allowing for treble damages, and more significantly, it’s allowing for shifting attorneys’ fees so that plaintiffs can get their attorneys’ fees paid by the defendant,” Cantor testified.  

Cantor said the New Jersey Attorney General’s Office would be the appropriate place to address violations of the proposed law, not a myriad of costly lawsuits litigated against individual businesses in the court system. 

“Otherwise, this may create a cottage industry of lawsuits and, again, I don’t think that is what your intent is,” Cantor said. 

The committee chair, Sen. Linda Greenstein (D-14), who is also the sponsor of the legislation, said she would be willing to consider amendments that could be done on the Senate floor to address concerns raised by NJBIA and other organizations. 

Bill S-3100 would require “sensitive businesses” defined as those in the financial, essential infrastructure, or healthcare industries, to develop cybersecurity programs based on regulations to be adopted by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the Office of Homeland Security and Preparedness. 

Bill-3101 would require these same businesses to report to the NJCCIC, within 30 days, any cybersecurity incident that results in the compromise of the confidentiality, integrity, availability, or privacy of the sensitive business’ billing, communications, data management, or business information systems.  

The committee voted to combine the two bills and advance them to the full Senate for further consideration.