In late August 2023, the California Privacy Protection Agency (“CPPA” or “Agency”) released a discussion draft of proposed regulations under California’s data privacy law, the California Consumer Privacy Act (“CCPA”). Importantly, the proposed regulations set forth more detailed obligations for company cybersecurity programs, including routinely assessing and filing audits with the CPPA. Though these draft regulations are not yet part of an official rulemaking, the Agency met to discuss the proposed regulations on September 8, 2023, providing additional insight into CPPA’s priorities and what may ultimately be enacted.
During the September 8 meeting, the Agency discussed the proposed provisions relating to cybersecurity audits, weighing the benefits to consumer protection against the burden that would be imposed on companies. In particular, the Agency discussed the threshold for determining whether a company must comply with the cybersecurity audit provisions; while it acknowledged that the audits may be burdensome (especially for smaller companies), it stated that the risk to consumer security is its primary consideration in finalizing that threshold. Consumer protection also shaped the Agency's discussion of audit scope: companies must consider risks to consumers when scoping the audit, rather than focusing solely on internal risks.
Cybersecurity Audits
If passed, the draft regulations would require that companies perform annual cybersecurity audits where “processing consumers’ personal information presents significant risk to consumers’ security.” The draft regulations tie the likelihood of significant risk to the nature and volume of the company’s data processing activities and to the security concerns surrounding the consumers’ personal information involved. Under the draft, a company’s processing may present significant risk if the company:
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information; or
- Has annual gross revenue in excess of $25 million, and in the preceding calendar year:
  - Processed the personal information of 1,000,000 or more consumers or households;
  - Processed the sensitive personal information of 100,000 or more consumers; or
  - Processed the personal information of 1,000,000 or more consumers that the company had actual knowledge were under the age of 16.
The CPPA also contemplated whether the audit must 1) assess how the company’s cybersecurity program protects against negative impacts to consumers, or 2) document the threats identified following cybersecurity incidents that materially affected consumers.
The proposed audits would be performed by a qualified, objective, independent auditor using generally accepted standards and procedures. The draft regulations do not prohibit the use of internal auditors, but they require that an internal auditor report directly to the company’s board of directors or governing body. The auditor must complete its own comprehensive review of the company’s cybersecurity program and information systems, and may not rely primarily on assertions or attestations made by the company’s management. Additionally, service providers and contractors are required to assist in the completion of the company’s audit. This process would require auditors to:
- Assess and document each component of the business’ cybersecurity program, including:
  - The establishment, implementation, and maintenance of the cybersecurity program;
  - The safeguards the business uses to protect personal information (e.g., authentication, encryption, account management, and access controls); and
  - Implementation and enforcement of compliance with all components of the cybersecurity program.
- Identify any gaps or weaknesses in the company’s cybersecurity program;
- Provide the status of any cybersecurity gaps or weaknesses identified in prior audits; and
- Specifically identify any corrections or amendments made since those prior audits.
Companies subject to the CCPA should be prepared to undertake robust annual audits. The required breadth of a cybersecurity audit depends on the size and complexity of the company and on the nature and scope of its processing activities, but the CPPA has made clear that cursory or surface-level audits will not suffice. As the draft regulations stand, companies would have 24 months from the effective date to complete their first required cybersecurity audit.