top of page
  • Writer's pictureRic Armstrong

Cybersecurity Compliance for Small Businesses in 2024


The end of Q1 2024 will see yet another compliance race for any organization that accepts credit, debit or charge cards as payment. The first phase of Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0) includes 13 new requirements that companies must comply with by March 31, 2024.


For smaller reporting companies, June 15, 2024, is the deadline to comply with the SEC’s new cybersecurity incident reporting rules. Smaller reporting companies are defined by the SEC as companies with a public float of less than $250 million, or companies that have less than $100 million in annual revenues combined with no public float or a public float of less than $700 million.


More states are also following California’s lead and implementing comprehensive laws to protect residents’ data privacy. On July 1, 2024, three of these new laws will take effect, setting rules for certain companies that do business in Florida, Oregon, and Texas. Businesses need to know whether they fall within the jurisdiction of these regulations and, if so, what steps they may need to take to comply.


The Florida Digital Bill of Rights (FDBR) only applies to a narrow range of companies that have an annual global revenue greater than $1 billion and offer certain services, such as online advertising or app distribution. The Oregon Consumer Privacy Act (OCPA) applies to companies that control or process the personal data of at least 100,000 Oregon residents. However, this threshold falls to 25,000 residents if a company gets more than a quarter of its gross revenue from selling personal data.


The Texas Data Privacy and Security Act (TDPSA) is likely to encompass the greatest number of companies, as it applies to any company that conducts business in Texas or offers products or services to Texas residents. However, small businesses (as defined by the U.S. Small Business Administration) are exempt from this law.


While these three effective dates all converge on July 1, they are not the only state privacy law deadlines coming up in 2024. Montana’s Consumer Data Privacy Act (MTCDPA) is coming up on Oct. 1, 2024; additionally, Washington state’s My Health My Data Act (MHMD), which specifically pertains to consumer health data, takes effect on March 31, 2024, for non-small businesses, and June 20, 2024, for small businesses.


If you have any questions about the laws pertaining to cybersecurity compliance, don't hesitate to get in touch with us.


Source: CyberRisk Alliance

bottom of page