Déjà Vu All Over Again: The CPPA Releases Draft Regulations on Cybersecurity Audits and Risk Assessments (Part 1 of 2)

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) released a set of draft regulations on cybersecurity audits and risk assessments. For those who recall the multiple rounds of the CPPA’s draft CCPA regulations, it may feel like you’ve been here before. And, given the multiple caveats the CPPA stamped all over this set of draft regulations, we expect to see you here again.

While the drafts include disclaimers cautioning readers that they are subject to change and “intended to facilitate Board discussion and public participation” at the CPPA Board’s upcoming September 8, 2023, meeting, they nevertheless signify that considerable new obligations for businesses subject to the CCPA are close at hand.

In this two-part series of posts, we break down the implications of these drafts, starting with the Draft Cybersecurity Audit Regulations.

Only certain businesses will need to complete cybersecurity audits.

The CPRA gave the CPPA authority to adopt regulations requiring certain “businesses whose processing of consumer’s personal information presents significant risk to consumers’ privacy or security” to the CPPA. The statute did not, however, explain what types of processing would fall within this heightened risk category. Rather, to determine what types of processing activities are in-scope, the CPPA was instructed to consider factors such as the size and complexity of the business and the nature and scope of the business’s processing activities.

The draft regulations provide a better idea of what might constitute high-risk processing by identifying categories of potentially in-scope processing activities for the Board to consider. Those include:

  • Processing by a business that, in the preceding calendar year, derived 50% or more of its annual revenue from selling or sharing consumers’ personal information.
  • Processing by a business with annual gross revenues in excess of $25,000,000 that, in the preceding calendar year:
    • processed the personal information of one million or more consumers;
    • processed the sensitive personal information of 100,000 or more consumers; or
    • processed the personal information of 100,000 or more consumers whom the business knows to be under the age of 16.

Alternatively, the draft regulations suggest that the Board could decide any processing activities whatsoever fall within the high-risk category if the business has sufficiently high annual gross revenue or employs a sufficiently high number of employees. While there is no word on what the revenue or employee thresholds would be if these options are selected by the CPPA Board for inclusion in the final regulations, large companies should be aware they are likely—one way or another—to find themselves subject to extensive cybersecurity audit requirements in California.

Service providers and contractors won’t get off scot-free.

In addition to the obligations proposed for businesses engaged in high-risk processing activities, the draft regulations would also impose requirements on service providers and contractors—both directly and through mandatory terms for their contracts with businesses—to cooperate with businesses’ cybersecurity audits.

The draft regulations suggest this cooperation take the form of providing all relevant information that the business’s cybersecurity auditor identifies as necessary to complete the audit. The draft regulations also suggest that any misrepresentations that a service provider or contractor makes to a cybersecurity auditor would constitute not just a breach of contract, but also a direct violation of the regulations.

Businesses can use internal auditors, but doing so may be impractical.

As currently drafted, the regulations would allow in-scope businesses to use either an internal or external auditor so long as the auditor is “qualified, objective, [and] independent.” The regulations further narrow the pool of available auditors, however, by limiting the types of activities auditors can engage in beyond the required CCPA cybersecurity audits. For example, the draft regulations preclude a business from using an auditor who develops, implements, or maintains the business’s cybersecurity program, and also suggest it would be inappropriate to utilize an auditor who prepares the documents or participates in any of the business activities that the auditor may review in current or subsequent cybersecurity audits.

From a practical perspective, businesses may not have employees with the expertise to conduct this type of once-a-year audit who are not otherwise involved in the development, implementation, or maintenance of their cybersecurity program. For these businesses, complying with the audit requirement in the proposed regulations will require additional expenditures for an outside auditor.

Businesses should expect they will have to tattle on themselves.

Among the most notable aspects of the draft regulations is a self-reporting obligation that will, in effect, require businesses to disclose any failure to comply with the regulations’ requirements.

The draft regulations provide that all businesses that are required to complete a cybersecurity audit will also be required to file a written certification with the CPPA that the business complied with the regulations’ audit and documentation requirements during the year covered by the audit. Alternatively, in the event of non-compliance, businesses will be required to file a written acknowledgement of non-compliance that identifies the areas of non-compliance and provides either a remediation timeline or confirmation of remediation.

The certification or acknowledgement would then need to be signed by either a member of the business’s board or governing body, or, if no such entity exists, the business’s highest-ranking executive with authority to bind the business. Businesses should thus take advantage of the expected long runway for compliance with the cybersecurity audit requirements (proposed to be 24 months from the effective date of the regulations) to ensure their compliance posture is demonstrably in alignment with the CPPA’s expectations.

In Part 2 of this series, we’ll explore the CPPA’s Draft Risk Assessment Regulations. If you have questions in the meantime, please feel free to contact any member of the Wyrick Robbins Privacy and Data Security Practice Group.