And let’s get you caught up on legislation moves.
Lawmakers have finalized the 2024 National Defense Authorization Act, a must-pass annual defense policy bill authorizing $874.2 billion for the Pentagon and national security programs. The bill covers a wide range of issues, including cyber-related provisions such as establishing the Office of Strategic Capital, boosting cyber capabilities, and creating a cross-functional team for cyber defense in nuclear command systems.
The Federal Communications Commission (FCC) has updated its data breach rules for the first time in 16 years. The new rules expand the definition of a breach and require telecommunications carriers and providers to notify customers of breaches involving personally identifiable information. The FCC will also be alerted of breaches, and customers must be notified within 30 days unless law enforcement requests a delay.
And don’t forget that new SEC cybersecurity rules have gone into effect, and experts anticipate challenges for organizations that must comply. The regulations require public companies to describe their processes for evaluating and managing cyber threats in their annual reports to the SEC. Additionally, larger public companies must disclose cybersecurity incidents to the SEC within four days. Determining the materiality of incidents and assembling a committee to make decisions are key challenges for companies. The Department of Justice has also released guidelines on temporary exemptions for disclosing major cyber incidents that could harm national security.
Apple has announced it will no longer provide law enforcement with users’ push notification data without a valid judge’s order. Previously, this information could be obtained with a subpoena, but now, a court order or search warrant approved by a judge is required. This is an update to a story I previously covered.
Why do we care?
You’ve got some homework here. If relevant, review and update data breach policies to ensure compliance with the new FCC rules. This includes implementing systems for rapid breach detection, customer notification, and timely reporting to the FCC or SEC.
Apple’s decision also reminds us that companies should review their policies on law enforcement data requests to ensure they balance legal compliance with user privacy. This may involve revising legal request protocols and enhancing data protection measures, which is an actionable service for customers.

