- NJASA
- Legal Corner Nov. 23
-
Every School District Must Report Cybersecurity Incidents to the NJ Office of Homeland Security Within 72 Hours
Malicious cyber actors have engaged in cyber-attacks against schools and school districts throughout the United States.[1] The K12 Security Information eXchange (“K12 SIX”), a nonprofit organization dedicated to protecting K-12 schools from cybersecurity threats, reported over 1,600 cyber incidents involving public schools from 2016 through 2022.[2] A Joint Cybersecurity Advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center states that the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year.[3] In addition to ransomware attacks, K-12 schools also experience theft of data and denial-of-service attacks that disrupt school district operations.
In response to these cyber-attacks on public schools and on governmental agencies, in January 2023, the New Jersey Legislature approved Senate Bill No. 297 which requires public agencies and government contractors to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness (“NJ Homeland Security”). On March 13, 2023, Governor Phil Murphy signed the bill into law, and it became effective immediately.[4]
Under this new law, every “public agency” and “government contractor” must report cybersecurity incidents to NJ Homeland Security within 72 hours of reasonably believing that a cybersecurity event has occurred.[5] A “public agency” means “any public agency of the State or any political subdivision thereof” which would therefore include public school districts, and a “government contractor” means any “individual or entity that performs work for or on behalf of a public agency on a contract basis with access to or hosting of the public agency’s network, systems, applications, or information.” [6] A “cybersecurity incident” means any “malicious or suspicious event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of an information system.”[7]
Cybersecurity incidents come in various forms. They include among other things: (1) a denial service in which an attack impairs the normal functioning of networks, systems, or applications; (2) malicious code which includes malware or ransomware that will have an adverse impact on the network, systems, applications, or information; and (3) social engineering such as phishing in which an individual is deceived into revealing sensitive information or into performing certain actions.
In the event that a school district or a district’s contractor who provides network or information technology services reasonably believes or has knowledge that it has been subject to a cybersecurity attack, a report must be made to NJ Homeland Security. The incident report is made online, and instructions are provided.[8] The NJ Homeland Security’s online reporting system permits it to securely accept reports, track and identify trends, and produce reports on the types of incidents, defensive measures, and entities that make reports.[9]
Cybersecurity incident notifications made to NJ Homeland Security are considered confidential, non-public, and not subject to disclosure under the Open Public Records Act.[10] The notifications are also not subject to discovery in civil or criminal actions.[11] In 2024 and at least once per year thereafter, the Director of NJ Homeland Security will issue a report on its activities to the Governor and Legislature which will include information on the number and type of incidents reported and the categories of public agencies and government contractors that submitted notifications.[12]
In order to protect the integrity and security of computer networks, school administrators must ensure that effective defensive measures are in place to prevent or mitigate cyber-attacks. School administrators should confer with their technology coordinators to make sure appropriate defensive measures are in place. Whenever a cybersecurity incident occurs, they must also ensure that the incident is promptly reported to NJ Homeland Security. Cybersecurity incidents should also be reported to local law enforcement and to the local FBI field office for your region.[13] In addition, the board attorney should be promptly notified to address any legal concerns including potential employee or contractor misconduct.[14] Questions regarding the new law and its implementation should be directed to the board attorney.
[1] See, e.g., Nicole Asbury, About 4,500 Users Affected by Cyberattack on Prince George’s Schools, District Says, The Washington Post, Aug. 15, 2023; Kari Paul, Hackers Infiltrate Second-Largest US School District in Growing Trend, The Guardian, Sept. 6, 2022.
[2] See K12-SIX’s K-12 Cyber Incident Map available on the Internet at The K12 Cyber Incident Map — K12 SIX.
[3] See Joint Cybersecurity Advisory (December 10, 2020) available on the Internet at Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data (cisa.gov).
[4] Pub. L. 2023, ch. 19, §4 (“This act shall take effect immediately.”).
[5] N.J.S.A. 52:17B-193.3(a).
[6] N.J.S.A. 52:17B-193.2 (defining “public agency” and “government contractor”).
[7] Id. (defining “cybersecurity incident”).
[8] Cybersecurity incidents can be reported online at NJCCIC Home Page.
[9] See N.J.S.A. 52:17B-193.3(e).
[10] See N.J.S.A. 52:17B-193.3(f).
[11] See id.
[12] See N.J.S.A. 52:17B-193.4.
[13] The Newark field office of the FBI which covers the State of New Jersey (except for Camden, Gloucester, and Salem counties) can be contacted at Newark — FBI. The Philadelphia field office which covers Camden, Gloucester and Salem counties can be contacted at Philadelphia — FBI.
[14] For additional information about computer-related crimes, refer to NJASA Administrative Guide, Federal Computer Fraud and Abuse Act and New Jersey’s Computer-Related Offense Laws, Vol. 44, No. 10 (October 2014).