Table of Contents
Governments enact cybersecurity legislation to protect their citizens and critical infrastructure from cyber threats, such as data breaches, cyber espionage, and cyber attacks. The digital landscape has become increasingly complex and interconnected, which has led to new vulnerabilities and threats that can have serious consequences for individuals, businesses, and governments.
Increasingly, new cybersecurity legislation has been proposed and enacted to help protect the privacy and security of personal information and other data. Here are some of the newest regulations businesses need to know about in 2023.
Cybersecurity regulations 2023
American Data Privacy and Protection Act (ADPPA)
The American Data Privacy and Protection Act (ADPPA) is federally proposed bill that would create national standards for the protection of personal information. The bill establishes requirements for how companies, organizations, non-profits, and other entities handle personal data.
The ADPPA is the first federal online privacy bill to pass committee thanks to bipartisan support. While it is unlikely that the bill will be enacted in 2023 (it needs to be approved in the House and Senate), it is already helping to shape the future of the cybersecurity compliance landscape.
California Privacy Right Act (CPRA)
California enacted the first data privacy law in the U.S. in 2018 with the California Consumer Privacy Act (CCPA). The CCPA was designed to give California residents more control over their personal information and increase transparency about how businesses collect and use that information.
As of January 1, 2023, these protections have been expanded with the enactment of the CPRA. Highlights of the CPRA include giving California residents the right to correct inaccurate personal information and the right to limit use/disclosure of sensitive personal information.
Colorado Privacy Act (CPA)
Inspired by California’s CCPA, the Colorado Privacy Act (CPA) will have its initial phases go into effect on July 1, 2023.
The CPA requires consent to process a consumer’s sensitive data. Businesses may rely on consent given before this date and have until July 1, 2024 to gain consent for previously-collected data, however they are required to have consent for any newly collected information starting on July 1, 2023. There are some exceptions granted to this rule including if the data is deleted within 24 hours of collection and organizations may need to submit to a Data Protection Assessment.
Connecticut Data Privacy Act (CTDPA)
Starting on July 1, 2023, organizations based in Connecticut, or those that produce products or services targeted to Connecticut residents will need to comply with the new Connecticut Data Privacy Act (CTDPA). Like the CPA, the CTDPA will give consumers in CT the right to access, correct, or delete personal data, as well as the right to opt out of data processing.
Cybersecurity Maturity Model Certification (CMMC)
After several years and many revisions, the Cybersecurity Maturity Model Certification (CMMC) is expected to start appearing in Department of Defense contracts in May 2023.
The CMMC was developed to strengthen the cybersecurity posture of contractors and subcontractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC is a framework that specifies three cybersecurity maturity levels with certain processes and practices required for an organization to achieve compliance. Organizations wanting to do business with the federal government will need to meet specific compliance levels depending on the type of work to be done and the agencies involved.
Learn More: CMMC 101 Webinar
Foresite Principal Consultant and Information Security Officer, Tom Allen, discusses what businesses need to know about upcoming CMMC regulations.
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
In March 2022, the U.S. Securities and Exchange Commission (SEC) issued the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requirements. This proposed regulation, which is expected to take effect in April 2023, would require public companies to disclose their governance abilities for cybersecurity including:
- Which board members have cybersecurity expertise
- What processes they have in place to educate their board on cyber risks
- How their business strategy addresses cyber risks
- How they’re sharing updated on reported cybersecurity incidents
- Ensuring they report cybersecurity incidents within 4 business days of discovery
Utah Consumer Privacy Act (UCPA)
Utah has also developed its own state-level privacy act with the Utah Consumer Privacy Act (UCPA). The UCPA is very similar to other state-level acts like the CPA and CTDPA with the biggest difference being which organizations it applies to. The UCPA will not apply to organizations with annual revenues of less than $25 million so small businesses will not be impacted. The law take effect on December 31, 2023.
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, just under 2 years after being passed. The law gives consumers the right access their personal data and request its deletion while also requiring companies to conduct data protection assessments. Organizations that control or process the data of 100,000+ consumers in a calendar year OR 25,000+ consumers while making more than 50% of their gross revenue from the sale of that data are required to comply.
Will there be more cybersecurity regulations introduced in 2023?
While it’s hard to say for sure, it seems very likely.
Cybersecurity regulation is typically driven by the need to address emerging threats and vulnerabilities in the digital landscape. With the increasing frequency and severity of cyberattacks, many governments around the world have been implementing new cybersecurity regulations and strengthening existing ones.
In 2023, it is possible that we will see continued efforts to regulate cybersecurity. This may include new laws and regulations designed to address emerging threats and protect critical infrastructure, as well as increased enforcement of existing regulations. It is also possible that we may see increased collaboration between governments and private sector entities to develop and implement cybersecurity best practices.
Ultimately, the extent of cybersecurity regulation in 2023 will depend on a wide range of factors, including the level of threat posed by cyberattacks, the political and economic climate in different regions of the world, and the effectiveness of existing cybersecurity measures.
Prepare for 2023 cybersecurity regulations
Tristin Zeman
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.