The California Privacy Protection Agency (CPPA) has released draft regulations governing risk assessments and cybersecurity audits, imposing significant cybersecurity requirements on businesses that collect or process personal data belonging to Californians. This is a significant step in that it imposes specific, prescriptive requirements on businesses, rather than penalizing outcomes, such as a data breach.
The California Privacy Rights Act (CPRA) of 2020 created the CPPA and empowered it to create regulations to enforce CPRA, including a requirement that businesses “whose processing of consumers’ personal information presents significant risk to consumer privacy or security to … perform a cybersecurity audit on an annual basis.” The proposed regulations are a big step forward in requiring businesses to take proactive security measures, in that each audit must:
- Document each applicable component of an entity's cybersecurity program
- Identify any gaps or weaknesses in that program
- Address the status of gaps or weaknesses identified in any prior audit
Organizations whose cybersecurity programs do not include all components listed under the regulation have an affirmative obligation to explain why the component is not necessary to the business's protection of personal information and how the safeguards the business has in place provide at least equivalent security.
The draft is not yet final, but as a first step in the process, it is yet another signal that businesses must do more than merely avoid major mishaps to comply with modern privacy regulations; they must adopt and implement strong cybersecurity postures.
Based on the Federal Trade Commission’s cybersecurity requirements, these regulations list the components of organizations’ cybersecurity programs that audits must “assess and document with specificity”:
- Multifactor authentication
- Strong passwords
- Zero-trust architecture
- Privilege restrictions
- Secure configuration
- Patch management
By specifying these components—and requiring explanations of why any may be absent—the CPPA is in effect telling organizations what they must include in their cybersecurity program.
The CPPA’s Draft Cybersecurity Audit Regulations will have a massive impact on businesses, service providers, and third parties, regardless of whether they will be directly subject to the cybersecurity audit requirements set forth in the draft. While the draft regulations propose various levels of stringency and scope for the audits, they signal that the CPPA is not interested in check-the-box cybersecurity compliance. As drafted, businesses that meet the (low) threshold for having to complete a cybersecurity audit based on their “high risk” processing activities will have to undergo the audit for their entire data ecosystem, not just those assets and activities that are involved in the high-risk processing. Since the draft regulations would require service providers and contractors to assist businesses in completing their cybersecurity audits, we should expect businesses to push audit requirements down to vendors who process any personal information, regardless of whether the service provider is itself subject to the audit requirements.