
Top 5 compliance deadlines for cybersecurity pros in 2024

Let's add the word "compliance" to those things certain in life; well, at least in the business world.

The year ahead holds a myriad of such compliance certainties for cybersecurity professionals, ranging from state-level rules on breach notifications and privacy to zero trust deadlines for federal agencies.

Now, as cybersecurity pros turn the page to a fresh 2024 and dealing with last year's compliance issues feels like a New Year's Day hangover, let's mark our calendars for what's to come. Here are five new compliance dates to keep in mind for 2024.

1. March 31 – First compliance deadline for Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0)

The end of Q1 2024 will see yet another compliance race for any organization that accepts credit, debit or charge cards as payment. The first phase of Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0) includes 13 new requirements that companies must comply with by March 31, 2024.

Requirements include identifying the relevant roles and responsibilities of security team members and third-party service providers, determining the scope of an organization’s cardholder data environment (CDE), defining a “customized approach” to compliance, and performing targeted risk analyses.

See our PCI DSS 4.0 survival guide for recommendations on achieving full compliance.

2. May 13 – New FTC data breach reporting rules take effect

In October 2023, the Federal Trade Commission (FTC) amended its Safeguards Rule to include a requirement for non-banking financial institutions to report certain data breaches to the FTC “as soon as possible,” and no later than 30 days after the breach is discovered. The rule applies to financial institutions such as mortgage brokers, payday lenders and vehicle dealers, but not banks or credit unions, which fall outside the FTC’s authority.

Under the amended rule, financial institutions will need to notify the FTC of breaches in which unencrypted information of at least 500 customers is acquired by an unauthorized party. The amendment also outlines what should be included in a notification, such as the date range of the unauthorized access and the number of affected consumers.

With the activation of this rule on May 13, 2024, some financial institutions may find themselves juggling both FTC and SEC reporting requirements in the aftermath of a breach.

3. June 15 – Deadline for smaller reporting companies to comply with new SEC breach disclosure rules

As mentioned, Dec. 18, 2023, was a big deal for big companies, but for smaller reporting companies, June 15, 2024, is the deadline to comply with the SEC’s new cybersecurity incident reporting rules. Smaller reporting companies are defined by the SEC as companies with a public float of less than $250 million, or companies that have less than $100 million in annual revenues combined with no public float or a public float of less than $700 million.

The commission adopted the 180-day compliance date extension for smaller companies based on stakeholder feedback but declined to make any other exemptions. Come June 15, these companies will be held to the same standard as their larger counterparts when it comes to breach disclosure.

Check out this complete guide to the new SEC cybersecurity rules for an overview of the requirements and steps to prepare.

4. July 1 – Three new state data privacy rules go into effect: Florida, Oregon and Texas

More states across the country are following California’s lead and implementing comprehensive laws to protect residents’ data privacy. On July 1, 2024, three of these new laws will take effect, setting rules for certain companies that do business in Florida, Oregon and Texas. It’s important for businesses to know whether they fall within the jurisdiction of these regulations and, if so, what steps they may need to take to be in compliance.

The Florida Digital Bill of Rights (FDBR) only applies to a narrow range of companies that have an annual global revenue greater than $1 billion and offer certain services, such as online advertising or app distribution. The Oregon Consumer Privacy Act (OCPA) applies to companies that control or process the personal data of at least 100,000 Oregon residents, although this threshold falls to 25,000 residents if a company gets more than a quarter of its gross revenue from selling personal data.

The Texas Data Privacy and Security Act (TDPSA) is likely to encompass the greatest number of companies, as it applies to any company that conducts business in Texas or offers products or services to Texas residents. However, small businesses (as defined by the U.S. Small Business Administration) are exempt from this law.

While these three effective dates all converge on July 1, they are not the only state privacy law deadlines coming up in 2024. Montana’s Consumer Data Privacy Act (MTCDPA) is coming up on Oct. 1, 2024; additionally, Washington state’s My Health My Data Act (MHMD), which specifically pertains to consumer health data, takes effect on March 31, 2024, for non-small businesses, and June 20, 2024, for small businesses.

5. Sept. 30 – Deadline for federal agencies to achieve zero trust goals

The White House issued a memorandum in January 2022 setting forth the government’s zero trust architecture strategy and requiring all federal government agencies to complete 19 specific tasks by the end of fiscal year 2024 (i.e. Sept. 30, 2024). These tasks align with five zero trust pillars outlined in the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model: Identity, Devices, Networks, Applications and Workloads, and Data.

Objectives range from the enforcement of multi-factor authentication (MFA), and the encryption of all DNS requests and HTTP traffic, to the procurement of third-party firms for application security testing. While these requirements only apply to federal agencies, they may also have implications for other organizations that work with the government. Additionally, there are many lessons private companies can learn from the government’s implementation of zero-trust architecture, which may become more apparent once this deadline has passed.
