Alerts

01/02/2024

The Rulemaking Process Continues - CPPA Publishes Revised Draft Cybersecurity Audit Regulations

The California Privacy Protection Agency (CPPA) recently published Revised Draft Cybersecurity Audit Regulations (“Revised Draft”) in connection with potential forthcoming regulations that modify data privacy obligations under California law. Currently, the CPPA has not yet begun the formal rulemaking process for cybersecurity audits, risk assessments, or automated decision-making technology. The purpose of the Revised Draft is to facilitate Board discussion and public participation as the CPPA moves forward in the rulemaking process.

The Revised Draft most notably contains proposed regulations that further define the applicability and scope of cybersecurity audits under California law.

Applicability

The Revised Draft maintains the requirement that any business that derives 50% or more of its annual gross revenue from selling or sharing consumers’ personal information must complete a cybersecurity audit; as a new requirement, the proposed regulations in the Revised Draft would expand this cybersecurity audit requirement to businesses that have a certain annual gross revenue and meet one of three thresholds. These thresholds are based on the amount of personal information, sensitive information, and children’s information processed by the business annually. The specific criteria for these thresholds have yet to be determined.

Scope of Cybersecurity Audits

The Revised Draft regulations confirm the scope of cybersecurity audits, including the requirement that any such audit assess and document any risks from cybersecurity threats, including those resulting from cybersecurity incidents, that have materially affected or are reasonably likely to materially affect consumers. The Revised Draft also provides additional clarity in the definitions relating to the scope of cybersecurity audits, including:

  • Cybersecurity audit is defined as “shall assess and document any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect consumers.”
  • Cybersecurity threat is defined as “any potential unauthorized occurrence on or conducted through a business’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a business’s information systems or any information residing therein.”
  • Cybersecurity incident is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a business’s information systems, that actually or potentially jeopardizes the confidentiality, integrity, or availability of a business’s information systems or any information the system processes, or that constitutes a violation or imminent threat of violation of the business’s cybersecurity program.”

The Revised Draft notes that CPPA staff are meant to propose further revisions to the above based on CPPA board feedback. As the rulemaking process continues, it is likely that the CPPA will continue to tweak the proposed regulations.

If your business is a covered business under the Revised Draft, you should begin taking the appropriate steps to ensure you are in compliance with the cybersecurity audit requirements. Contact one of McGrath North’s privacy and compliance experts for all your questions relating to the Revised Draft Cybersecurity Audit Regulations and its latest revisions.