In August 2023, the California Privacy Protection Agency (CPPA) issued draft regulations on risk assessments and cybersecurity audits. The regulations, if adopted, would have the indirect effect of imposing significant cybersecurity requirements on companies collecting or otherwise processing personal data.
The California Privacy Rights Act of 2020 created the CPPA and charged it, in effect, with adopting regulations on a multitude of topics. These included “regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to … perform a cybersecurity audit on an annual basis.” The statute specifies that the CPPA regulations must define the scope of the audits and establish a process to ensure they are thorough and independent.
The CPPA’s cybersecurity audit draft, if pursued, would effectively impose major cybersecurity requirements on covered businesses. It would do so by requiring the annual audit to assess, document and summarize each applicable component of an entity’s cybersecurity program, specifically identify any gaps or weaknesses in that program, and address the status of gaps or weaknesses identified in any prior audit.
Over nearly four pages, the draft specifies the components of a business’s cybersecurity program that an audit must assess and document “with specificity.” These include multifactor authentication, strong passwords, encryption, zero-trust architecture, privilege restrictions, secure configuration, patch management, logging and more. Under the CPPA draft, if a company believes any of the listed components is not applicable, the audit shall document and explain why the component is not necessary to the business’s protection of personal information and how the safeguards the business has in place provide at least equivalent security.
By specifying what the audit must cover, the draft regulations indirectly tell covered entities what their cybersecurity program must consist of. The list in the CPPA draft is not innovative: it is similar to the controls required by the U.S. Federal Trade Commission in its cybersecurity settlements or by the state attorneys general in blockbuster enforcement actions, like the one against Equifax.
What is new is that, rather than being imposed case-by-case, the security measures are defined uniformly. The fact that a company has the discretion to develop alternative controls is small comfort, since the burden of explaining how the alternative provides at least equivalent security shifts to the business.
The draft also contains an interesting idea, broken out as a separate option for consideration by the CPPA board. The idea is to have the audit assess and document how a business’s cybersecurity program protects against certain negative impacts on consumers’ security. These include economic harm, for example the direct and indirect costs of identity theft or the loss of availability of data as a result of ransomware.
This seems to get at the hardest, but most important, question in cybersecurity: does any configuration of cybersecurity measures actually reduce harms? We do know, for example, that multifactor authentication is effective against account takeover using stolen or guessed passwords. While the contemplated audit would contain a checklist of security measures, the draft seems to say the audit should also map each control to the harm it reduces. If that idea stays in the final regulations, if it is taken seriously, and (the biggest “if” of all) if auditors figure out how to map controls against harms, it would be a cybersecurity gamechanger.
A lot remains to be worked out before the August draft becomes final. Indeed, the CPPA specified that the drafts it released in August do not represent even the beginning of formal rulemaking. That is yet to come.
Among other key questions, the threshold at which a business’s processing of data “presents significant risk to consumers’ privacy or security” remains to be defined. The draft tentatively outlines some thresholds based on annual gross revenues, the number of consumers affected or other measurements. Nonetheless, it is clear a lot of thought went into the CPPA drafts, and the final product is likely to retain their essence.