Preparing for Compliance: California’s Draft Cybersecurity Audit Regulations

Introduction

As the California Privacy Protection Agency (CPPA) prepares for its board meeting scheduled for September 8, 2023, the privacy landscape is abuzz with anticipation. This heightened interest stems from the recent release of two pivotal documents by the CPPA: the draft Cybersecurity Audit Regulation and the draft Risk Assessment Regulation. Despite their preliminary status, these draft rules set out a comprehensive set of obligations, offering an initial glimpse into the potentially stringent compliance requirements that lie ahead for businesses operating within California’s privacy framework. 
 
The draft Cybersecurity Audit Regulation represents a proactive initiative by the CPPA, underpinned by its authority under Civil Code section 1798.185. That section allows the CPPA to issue regulations targeting businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security. 
 
Under subdivision (a)(15) of that section, the CPPA can require these businesses to perform an annual cybersecurity audit, define the scope of the audit, and establish a process to ensure that audits are thorough and independent. 
 
Whether processing presents a significant risk is determined by the size and complexity of the business and the nature and scope of its processing activities. Separately, Civil Code section 1798.100, subdivision (e), establishes the reasonable security requirement for businesses that collect personal information: they must implement reasonable security procedures and practices, appropriate to the nature of the information, to protect it from unauthorized access, destruction, use, modification, or disclosure.
 
In this article, we will delve deeper into the extensive obligations outlined in the Cybersecurity Audit Regulations, providing an early insight into the rigorous compliance demands that businesses may soon face.
 

Draft Cybersecurity Audit Regulations

Compliance Requirement for Service Providers and Contractors
 
Under § 7050, Service Providers and Contractors, any service provider or contractor that processes personal information on behalf of a business under a written contract must adhere to the following requirements:
 
  1. Cooperation in Cybersecurity Audit: Service providers and contractors are obliged to collaborate with the business in facilitating the completion of a cybersecurity audit as outlined in Article 9. This entails making all pertinent information accessible to the business’s appointed auditor, as deemed necessary by the auditor for the comprehensive execution of the business’s cybersecurity audit.
  2. Accurate Representation: Service providers and contractors must refrain from any form of misrepresentation that could potentially affect the outcome of the business’s cybersecurity audit. This encompasses not providing false or misleading information in any manner that the auditor deems pertinent to the successful completion of the audit.
Additionally, under § 7051, Contract Requirements for Service Providers and Contractors, the written contract must require the service provider or contractor to assist the business in the following areas:
 
  1. Cybersecurity Audit Assistance: Collaborate with the business to facilitate the completion of the business’s cybersecurity audit as stipulated in Article 9.
  2. Risk Assessment Support: Provide assistance to the business in conducting its risk assessment as specified in Article 10.
  3. Automated Decision-Making Technology Information: Aid the business in furnishing meaningful information to consumers regarding its Automated Decision-Making Technology.

Requirement to Complete a Cybersecurity Audit

Per § 7120, every business must complete a cybersecurity audit if its processing of consumers’ personal information poses significant security risks, as outlined in subsection (b). 
 
Significant risk factors include:
 
  1. Meeting the threshold defined in Civil Code section 1798.140, subdivision (d)(1)(C), wherein the business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information in the preceding calendar year.
  2. Meeting the threshold specified in Civil Code section 1798.140, subdivision (d)(1)(A), which involves annual gross revenues exceeding twenty-five million dollars ($25,000,000) as of January 1 of the calendar year, combined with any one of the following processing volumes in the preceding calendar year: processing the personal information of one million or more consumers or households; processing the sensitive personal information of 100,000 or more consumers; or processing the personal information of 100,000 or more consumers under 16 years of age.
  3. The business has annual gross revenues in excess of [TBD]; or the business had more than [TBD] employees.

§ 7121 sets out the timing requirements for cybersecurity audits:

  1. Businesses must complete their initial cybersecurity audit within 24 months of the effective date of these regulations.
  2. Subsequent cybersecurity audits must be conducted annually, ensuring no gaps between audits.
§ 7122 sets out conditions intended to ensure the thoroughness, independence, and integrity of cybersecurity audits:
 
  1. Businesses must engage qualified, objective, and independent professionals (auditors) to perform cybersecurity audits, adhering to accepted auditing procedures and standards.
  2. Auditors, whether internal or external, must maintain objectivity and impartiality throughout the audit process.
  3. Internal auditors must report audit issues directly to the business’s board of directors or governing body, ensuring independence from management responsible for cybersecurity.
  4. Businesses must provide auditors with all relevant information, ensuring transparency.
  5. Businesses must disclose all pertinent facts to auditors and refrain from misrepresentation.
  6. Audits must define scope, criteria, and specific evidence examined, justifying their appropriateness based on business size, complexity, and processing activities.
  7. Cybersecurity audit findings must primarily rely on specific evidence, not management assertions.
  8. Audits must assess, document, and identify gaps or weaknesses in the cybersecurity program, addressing the status of prior gaps and specifying corrections or amendments.
  9. Auditor qualifications, hours worked, and certification of independent review must be included in the audit report.
  10. Auditors’ signed and dated statements certifying independent review and impartial judgment must be part of the audit.
  11. Audit reports must be submitted to the business’s board of directors, governing body, or the highest-ranking executive responsible for cybersecurity.
  12. A signed statement from a board member or executive certifying non-influence and understanding of the audit findings must be included.
  13. Auditors must retain relevant documents for at least five years after completing the audit.

Scope of Cybersecurity Audit

§ 7123 defines the scope of the cybersecurity audit, which must comprehensively assess the business’s cybersecurity program, as follows: 
 
  1. Assess and Document Cybersecurity Program: The cybersecurity audit must comprehensively evaluate and document the business’s cybersecurity program. The program must be appropriate to the business’s size, complexity, and processing activities, taking into account industry best practices and the cost of implementation.
  2. Protect Against Negative Impacts: The draft offers two alternative formulations of this requirement. Under the first, the cybersecurity audit must assess how the cybersecurity program safeguards against specific negative impacts to consumers’ security, including unauthorized access, destruction, use, modification, or disclosure of personal information, and other impacts such as economic, physical, psychological, and reputational harm. Under the second, the cybersecurity audit must evaluate risks arising from cybersecurity threats, including those stemming from cybersecurity incidents that have materially affected, or may reasonably be expected to affect, consumers.
  3. Assess and Document Program Components: The cybersecurity audit should assess and document the components of the cybersecurity program, specifically: the establishment, implementation, and maintenance of the program, including responsible personnel and board approvals; safeguards for protecting personal information against internal and external risks; security measures encompassing authentication, encryption, access controls, inventory management, secure configurations, vulnerability management, audit logs, network defenses, antivirus protection, and more; oversight of service providers, contractors, and third parties, ensuring compliance; data retention and disposal procedures; incident response management; and business continuity and disaster recovery plans. For each applicable component, the cybersecurity audit must describe how the business implements and enforces compliance.
  4. Effectiveness Assessment and Gap Identification: The cybersecurity audit should evaluate the effectiveness of the components in preventing unauthorized access, destruction, modification, or disclosure of personal information and unauthorized activity leading to data unavailability. It should identify and detail any gaps or weaknesses found.
  5. Notification Requirements: If the business was required to notify authorities or agencies due to unauthorized access, destruction, modification, or disclosure of personal information or unauthorized activity leading to data unavailability, the cybersecurity audit must include descriptions of these notifications, including dates and remediation measures taken.
  6. Consumer Notifications: If the business provided notifications to affected consumers or the Attorney General as required by law, the cybersecurity audit should describe these notifications.
  7. Personal Information Security Breaches: The cybersecurity audit should include details and dates of any personal information security breaches.
  8. Duplicate Audits: If the business has previously conducted a cybersecurity audit that meets the requirements of this Article, it is not required to duplicate the audit. However, it must provide a specific explanation of how the previous audit aligns with the Article’s requirements, addressing subsections (a) to (e) with specificity. If the previous audit does not meet all requirements, it must supplement the audit with the necessary information to meet these requirements.

Compliance Notification Requirement under § 7124  

Businesses subject to cybersecurity audits under this Article must provide the Agency with one of two submissions: 
 
(1) a written certification confirming compliance with Article requirements over the audit’s 12-month period, or 
(2) a written acknowledgment detailing noncompliance with specific Article sections and subsections, including the nature and extent of noncompliance, along with a timeline for remediation or confirmation of remediation completion. 
 
These submissions, signed by a board member, governing body member, or the highest-ranking executive with binding authority, must specify the audit’s 12-month coverage period and be sent to the Agency in a manner and timing yet to be determined.

Author: Kosha Doshi, Final Year Student at Symbiosis Law School, Pune and Legal Intern Data Privacy and Digital Law at EU Digital Partners.