Earlier this month, staff at the California Privacy Protection Agency (the “Agency” or “CPPA”) put forward Draft Cybersecurity Audit Regulations (“the Draft”) for the CPPA Board’s consideration.  While the Agency has yet to begin formal rulemaking, the Draft suggests an ambitious role for the Agency in setting cybersecurity norms for entities covered by the CCPA and echoes requirements found elsewhere in other recent cybersecurity rulemaking from the FTC and NYDFS.  Although the Draft is focused narrowly on an audit requirement, in practice, the Draft conveys specific, expected cybersecurity safeguards.  Companies conducting gap assessments, risk assessments, or benchmarking against the recent proliferation of cybersecurity rules might consider adding the Draft to the list of safeguards to consider.

In this blog post, we outline the primary measures contemplated by the Draft and offer thoughts on how it stacks up against recent rulemaking by the FTC and NYDFS.

Background

The CCPA, as amended by the CPRA, directed the CPPA to issue regulations on various topics, including regulations that require businesses to perform a cybersecurity audit on an annual basis if their “processing of consumers’ personal information presents significant risk to consumers’ privacy or security.”  The regulations must include “the scope of the audit and establishing a process to ensure that audits are thorough and independent.” Further to this mandate, as part of the Agenda materials for the CPPA Board’s September 8, 2023 meeting, the Agency released the Draft.

Proposed Scope: Who is Covered?

It is not yet clear which businesses would be required to conduct audits, as the Agency provided the Board with a menu of options for discussion.  The Agency appears to have determined that businesses deriving more than one half of their annual revenues from selling or sharing personal information should conduct audits.  Additionally, the Agency proposed a few other options with to-be-determined thresholds tied to (1) the volume of data processed, measured by the overall number of consumers whose personal information, sensitive personal information, or children’s data is processed; (2) annual gross revenues; or (3) number of employees.

Several of these thresholds, if adopted, could result in the cybersecurity audit requirements extending to businesses whose data was largely exempt from the CCPA—such as large healthcare institutions, financial institutions, and insurers.

The Draft—similar to the proposed amendments to NYDFS Part 500—proposes an annual cybersecurity audit, consistent with the statutory requirement found in the CCPA.  The Draft provides that if the business has engaged in an audit that meets the requirement of the Article, it need not complete a duplicative audit, but it must document how its assessment meets the requirements of the Draft.

Audit Requirements

The Draft provides that businesses subject to the audit requirement conduct an annual audit using a qualified independent professional, who can be internal or external.  The Draft prescribes specific requirements to ensure the auditor’s independence, including specific requirements for internal auditors.  The Draft further provides how the audit must be conducted, and that the audit shall be reported to the board, governing body, or highest-ranking executive.  The audit must include a description of any required regulatory notifications arising out of security incidents, and related remediation, akin to an incident log.

The meat of the Draft is found in the Scope of Cybersecurity Audits section, where the Agency has listed out specific areas that must be covered and assessed under the audit. Specifically, the Draft suggests the audit cover the following components of a business’s cybersecurity program:

  • Authentication, including multi-factor authentication and strong passwords;
  • Encryption of personal information at rest and in transit;
  • Zero trust architecture;
  • Access controls, including restriction of employees, service providers, and third parties’ privileges to only personal information that is necessary;
  • Personal information and hardware and software inventories;
  • Secure configuration of hardware and software, including masking by default in web applications, patch management and change management processes;
  • Scanning, including vulnerability scans and penetration testing;
  • Centralized logs;
  • Network monitoring, including intrusion and bot detection and data loss prevention;
  • Antivirus;
  • Network segmentation;
  • Limitation and control of ports, services and protocols;
  • Cyber awareness and training;
  • Secure development practices;
  • Vendor oversight;
  • Retention schedules and proper disposal of personal information; and
  • Incident response plans and policies, including business continuity and disaster recovery plans.

The Draft recognizes that some of the foregoing safeguards may not be applicable; where a component does not apply, it suggests that the audit should explain “why the component is not necessary to the business’s protection of personal information and how the safeguards that the business does have in place provide at least equivalent security.”

Finally, the Draft requires that businesses completing cybersecurity audits must provide to the Agency a certification that the business complied with the requirements during the 12 months that the audit covers, or an acknowledgement that the business did not comply with specific requirements and a planned remediation roadmap.  It is unclear whether this certification is meant to cover merely compliance with the audit requirement itself, or with the underlying safeguards that the Draft calls for.  The certification must be signed by a member of the board or governing body, if one exists.  The Draft is silent as to whether and when the Agency can seek copies of such audits and what protections might be available to shield them from public disclosure once in the Agency’s possession.

Something Borrowed and Something New?

Those familiar with the newly revamped FTC Safeguards Rules and the NYDFS Part 500 cybersecurity rules will recognize a number of specific requirements, although in some ways the Draft goes beyond existing regulations, potentially forging a new national standard.

Like the FTC Safeguards Rules and current Part 500, with respect to system access the Draft would impose multi-factor authentication and access controls, but it also adds an express password complexity requirement and expressly calls for a “zero-trust architecture.”

Similarly, like the FTC Safeguards Rules and Part 500, the Draft calls for retention schedules and proper disposal of personal information, and like the proposed amendments to Part 500, it would require an asset inventory, adding to this a data inventory and hardware and software approval processes.

Other areas of high-level overlap among the Draft, the FTC Safeguards Rules and Part 500 include vendor oversight, incident response plans, and vulnerability testing.  And like the proposed amendments to NYDFS Part 500, the Draft would impose a specific data-inventory requirement and would require business continuity plans to be part of incident response planning.

Other requirements not expressly found in the FTC Safeguards Rules or Part 500 are segmentation, antivirus and antimalware, and limitation and control of ports, services and protocols, as well as the data incident log.

Finally, the annual notice of compliance (or acknowledgement of non-compliance) echoes the certification of compliance provisions found in NYDFS’s Part 500 (and its proposed amendments).  Unlike Part 500, however, the Draft would require such certification or acknowledgement to be signed by a member of the board rather than its CISO or CEO.  It is unclear whether this is meant to heighten the Board’s oversight role of cybersecurity or reflect the fact that the audit findings must be presented to the Board.

What Next?

Given that the Draft is only in nascent form, it is likely premature for companies to start benchmarking against its requirements.  Instead, in-house counsel at businesses that may have to conduct such audits—and even those that will not—may be best served by participating in the regulatory process once it is formally underway, either through a trade group or on the business’s own behalf.  Action items could include speaking with stakeholders to understand what components, if any, may be particularly burdensome for the business and what areas of the regulations would benefit from additional clarity.  Feedback from this inquiry may help inform potential comment letters once formal draft regulations are issued.

The cover art used in this blog post was generated by DALL-E.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.