CPPA's First Draft Regulations on Cybersecurity Audits and Risk Assessments
The California Privacy Protection Agency (CPPA) recently released draft regulations that would require companies which process personal information (PI) in California to conduct regular cybersecurity audits and risk assessments. If adopted, the regulations could impose significant requirements on a wide array of companies across industries subject to the California Consumer Protection Act of 2018 (CCPA).
Threshold Question
Under the draft regulations, cybersecurity audit and risk assessment requirements would be triggered when a company’s processing of PI “presents significant risk to consumers’ privacy or security.” The “significant risk” assessment must occur before any processing takes place or when a company materially changes its processing activities.
Activities that may present “significant risk” include: selling or sharing PI; processing sensitive PI (with exceptions); using automated decision-making technologies to provide services; processing PI of persons under 16 years old; processing PI of employees, job applicants, or students to monitor them; processing PI from publicly accessible locations; and processing PI to train artificial intelligence.
Cybersecurity Audits
If applicable, a company would be required to conduct an annual cybersecurity audit that:
- Summarizes and assesses the company’s cybersecurity program against specific safeguards (listed below);
- Identifies gaps or weaknesses in the cybersecurity program;
- Identifies steps taken (or to be taken) to address such weaknesses; and
- Corrects any errors in previous audits.
The safeguards against which a company’s program would be assessed include: authentication, encryption, zero-trust architecture, account management, data inventory management, patch management, vulnerability scans, logging, network and antivirus protection, segmentation, and training (including incident response training).
While these safeguards are not novel and largely reflect recommendations already seen in other governmental guidance (e.g., FTC breach settlements, state AG enforcement actions, NIST Cybersecurity Framework, CIS 20 Controls), this would be the first time such safeguards are effectively mandated through broad uniform cybersecurity standards.
If a company determines that any particular safeguard is inapplicable to its business model or considerations, the audit must explain why the safeguard is not necessary to protect personal information and provide evidence of equivalent security measures in place.
Risk Assessments
In addition to the annual cybersecurity audit, the new regulations would also require companies that meet the “significant risk” threshold to conduct an annual risk assessment of their processing activities.
The risk assessment process should include all relevant stakeholders involved in the company’s processing and use of personal information, both internal parties and external parties (e.g., service providers, contractors, and third parties). The risk assessment would cover many of the items California law already requires before processing PI (e.g., clear and detailed notice of collection, purpose, and processing activities). Moreover, companies would need to include operational details of the processing, the benefits the company receives from the processing, potential negative impacts on consumers’ privacy, and the safeguards in place to minimize such negative impacts. Additional information would be required from any company that uses PI to train artificial intelligence or uses automated decision-making technology.
Mitigation of Consumer Harm
More subtly, the draft regulations also introduce a new framing of security and privacy standards: companies may soon be asked, in their cybersecurity audits and risk assessments, to describe how their program specifically mitigates consumer harm that could stem from the company’s processing of PI. This framing could instigate a broader shift in the fundamental philosophy of privacy and security, moving away from grading compliance against a checklist of controls and toward the tailored reduction of tangible harm.
Conclusion
While the CPPA’s released drafts are only preliminary versions, they are a clear indication of the agency’s intent to establish stricter and more comprehensive cybersecurity and risk standards in California. Businesses subject to the CCPA should begin proactively reviewing and assessing their cybersecurity programs to determine which security measures they may need to update or adapt to align with these forthcoming regulatory requirements. They should also ensure that the appropriate information about their data processing activities is recorded so that sufficient risk assessments can be conducted.
If you would like to discuss your organization’s approach to cybersecurity strategy and CPPA compliance, please contact a member of Baker Botts’ Privacy & Cybersecurity team.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.