California Privacy Protection Agency (CPPA) Publishes Revised Draft Cybersecurity Audit Regulations in Advance of December Board Meeting

On November 8, 2023, the CPPA published an updated draft of its cybersecurity audit regulations, intended, in part, to facilitate board discussion and public participation during the upcoming CPPA board meeting. The meeting is scheduled for December 8, 2023, at 9:00am PST, and is open to the public.

The new draft regulations focus on three main areas for cybersecurity auditing:

1. Who the regulations will apply to.
2. The threats that cybersecurity audits should identify.
3. The scope of non-employee personnel’s involvement in audits.

Will It Apply to Your Business?

The revised regulations maintain the requirement that any business deriving 50% or more of its annual gross revenue from selling or sharing personal information must complete a cybersecurity audit. However, the latest revision eliminates any language that suggested the regulations would apply to certain businesses based solely on their gross revenue or number of employees.

Instead, this draft outlines a new cybersecurity audit requirement for businesses with an annual gross revenue in excess of $25 million who also meet one of three personal information processing thresholds. The three categories for these processing thresholds include one for general personal information, one for sensitive personal information, and one for personal information of consumers under the age of 16. The precise threshold numbers for this applicability framework will likely be a topic of discussion during the December 8 board meeting.

Threats & Other Harms That Cybersecurity Audits Need to Detect

The initial draft regulations included two options for the types of cybersecurity threats and harms that auditing should detect. The revised draft offers only one option for threat assessment, which requires cybersecurity audits to “assess and document any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect consumers.” The new draft also notes that the CPPA will “propose further revisions to this subsection based on Board feedback” during the December 8 meeting.

The definition for a “cybersecurity incident” has been expanded in the new revised draft to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a business’s information systems, that actually or potentially jeopardizes the confidentiality, integrity, or availability of a business’s information systems or any information the system processes, or that constitutes a violation or imminent threat of violation of the business’s cybersecurity program.”

The revised draft also requires businesses to assess and document any risks from “cybersecurity threats,” which are defined as “any potential unauthorized occurrence on or conducted through a business’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a business’s information systems or any information residing therein.”

Expanding the Regulations to Include Requirements for Non-Employee Personnel

The revised regulations widen the general scope of cybersecurity audits by requiring businesses who perform them to assess and document not only internal safeguards that protect personal information but also those safeguards maintained by independent contractors and other personnel. In cooperating with cybersecurity audits, non-employee personnel may be required to provide necessary information to auditors and must refrain from misrepresenting any relevant facts.

This new obligation for service providers and independent contractors to comply with CCPA regulations and assist businesses in various activities like cybersecurity audits, risk assessments, and the implementation of security procedures is one of the proposed revisions that will likely generate much discussion and debate in the December 8 board meeting.

Additional Information

You can find more information on virtually attending the CPPA board meeting on their 2023 Meetings & Events Schedule page, and their October 2023 Draft Cybersecurity Audit Regulations document details how these regulation and how they might affect your company.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.