The California Privacy Protection Agency (CPPA) has unanimously adopted new regulations requiring certain businesses subject to the California Consumer Privacy Act (CCPA) to conduct annual audits of their cybersecurity programs, beginning later this decade.
The new regulations apply to businesses whose processing of personal information presents "significant risk" to consumers' security. This includes businesses that either (i) derive more than 50% of their revenue from selling or sharing personal information or (ii) otherwise meet the CCPA revenue threshold and processed the personal information of at least 250,000 people or the sensitive personal information of at least 50,000 people in the preceding calendar year.
Such companies will be required to select a qualified, objective and independent auditor to evaluate their cybersecurity policies, procedures and practices. If the auditor is internal, it must not participate in business activities that it assesses in a cybersecurity audit, and the highest-ranking auditor must report directly to a member of executive management who does not have direct responsibility for the business's cybersecurity program.
Such cybersecurity audits must assess three things: the implementation and maintenance (including written policies and procedures) of a program that is appropriate to the business's size and complexity and to the nature and scope of its processing activities; how the business's cybersecurity program protects personal information; and how the business enforces compliance with the program. The regulation also lists a number of components that must be assessed if applicable, including authentication, encryption, account management and access controls, inventories and approval processes, secure configuration, vulnerability scans and penetration testing, audit log management, network monitoring and defenses, antivirus/antimalware protections, and network segmentation, among others.
The audit must follow generally accepted procedures and standards accepted in the profession of auditing, such as those adopted by the International Organization for Standardization. For its part, the business must make available all information in its possession, custody or control that the auditor requests as relevant, and make good faith efforts to disclose and accurately represent all relevant facts.
The auditor must produce a report satisfying a number of criteria, including:
- a description of the cybersecurity program assessed;
- the criteria used for the audit, the specific evidence examined and a justification of the findings;
- an assessment of how the applicable components of the cybersecurity program help prevent unauthorized processing;
- detailed descriptions of any gaps or weaknesses in policies, procedures or components, and the business's plans to address those; and
- sample copies of any breach notifications to affected consumers or California privacy regulators.
Businesses subject to this regulation must submit a written certification of compliance to the CPPA by April 1 of each year, though they do not need to submit the audit report to the CPPA. The first deadline depends on the size of the business's annual gross revenue:
- businesses grossing over $100 million must certify by April 1, 2028;
- businesses grossing between $50 million and $100 million must certify by April 1, 2029; and
- businesses grossing under $50 million must certify by April 1, 2030.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.