Key Points:
- Several new cybersecurity rules and regulations will take effect in 2024, including five state privacy laws.
- Important compliance dates in 2024 include the first deadline for Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0), new FTC data breach reporting rules, the deadline for smaller reporting companies to comply with the SEC breach disclosure rules, three new state data privacy laws in Florida, Oregon, and Texas, and the deadline for federal agencies to achieve zero trust goals.
Several new cybersecurity rules and regulations will be implemented in 2024, including five state privacy laws. While the deadline of December 18, 2023, for the Securities and Exchange Commission’s (SEC) new cybersecurity breach disclosure rules has passed, cybersecurity professionals will now be focusing on a new set of compliance dates for the upcoming year.
The first compliance deadline to mark on your calendar is March 31, which is the deadline for organizations to comply with the first phase of Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0). This deadline applies to any organization that accepts credit, debit, or charge cards as payment. The requirements for compliance include identifying the roles and responsibilities of security team members and third-party service providers, determining the scope of the organization’s cardholder data environment (CDE), defining a customized approach to compliance, and conducting targeted risk analyses.
On May 13, new Federal Trade Commission (FTC) data breach reporting rules will take effect. These rules require non-banking financial institutions to report certain data breaches to the FTC no later than 30 days after the breach is discovered. Financial institutions will need to notify the FTC of breaches in which unencrypted information of at least 500 customers is acquired by an unauthorized party.
For smaller reporting companies, June 15 is the deadline to comply with the SEC’s new cybersecurity incident reporting rules. Smaller reporting companies are defined as companies with a public float of less than $250 million or companies with less than $100 million in annual revenues combined with no public float or a public float of less than $700 million.
On July 1, three new state data privacy laws will go into effect in Florida, Oregon, and Texas. These laws set rules for certain companies that do business in those states. The Florida Digital Bill of Rights (FDBR) applies to companies that have an annual global revenue greater than $1 billion and that offer certain services. The Oregon Consumer Privacy Act (OCPA) applies to companies that control or process the personal data of at least 100,000 Oregon residents. The Texas Data Privacy and Security Act (TDPSA) applies to any company that conducts business in Texas or offers products or services to Texas residents.
September 30 is the deadline for federal agencies to achieve their zero trust goals. The White House set this goal in January 2022, requiring federal government agencies to complete specific tasks related to zero trust architecture by the end of fiscal year 2024. These tasks include enforcing multi-factor authentication, encrypting all DNS requests and HTTP traffic, and procuring third-party firms for application security testing.
In conclusion, 2024 will bring several cybersecurity compliance deadlines that organizations need to be aware of. From complying with new standards and regulations to reporting data breaches and achieving zero trust goals, organizations must stay updated and prepared to meet these requirements.