California Privacy Protection Agency Draft Regulations on Risk Assessments and Cybersecurity Audits
By Neal Butala
Pursuant to Civil Code Section 1798.185(a)(15), the California Privacy Protection Agency (CPPA) has recently issued a pair of proposed California Consumer Privacy Act (CCPA) regulations for discussion and public comment. The two regulations address cybersecurity audits and risk assessments for covered businesses.
Specifically, the cybersecurity audit regulation requires businesses that process a consumer’s personal information, where such processing poses a significant risk to a consumer’s privacy or security, to perform an annual cybersecurity audit. The factors to be considered in determining whether processing may present a significant risk to the security of a consumer’s personal information include the size and complexity of the business and the nature and scope of its processing activities.
The risk assessment regulation requires businesses to regularly submit a risk assessment to the CPPA of their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits and risks of processing to the consumer, the business, other stakeholders, and the public. The purpose of the risk assessment is to restrict the processing of a consumer’s personal information if the risks to the privacy of the consumer outweigh the benefits.
Though still in draft form, the regulations contain several key concepts that may help businesses in their strategic planning as the CPPA works to release a final version. Of critical importance to businesses evaluating their responsibilities, the CPPA has not yet finalized which businesses will be covered. For example, the cybersecurity audit requirement would only apply if a business derived more than 50% of its annual revenue from selling or sharing personal information, or met one of the other three proposed criteria (i.e., processed the personal information of a yet-to-be-determined number of consumers; had annual revenue in excess of a yet-to-be-determined threshold; or had a yet-to-be-determined number of employees).
On the other hand, the risk assessment regulations would apply if a business: sells or shares personal information; processes sensitive personal information; uses automated decision-making technology; processes the personal information of a person under the age of 16; processes personal information to monitor employees, contractors, or job applicants; processes the personal information of consumers in publicly available spaces to monitor behavior, location, movement, or action; or processes personal information to train artificial intelligence or automated decision-making technology.
Therefore, businesses should pay close attention to their data processing activities to determine whether they will be required to conduct an annual cybersecurity audit, a risk assessment, or both. Should a business be required to conduct a cybersecurity audit and/or a risk assessment, the regulations set forth the frequency and manner in which the audit and assessment must be completed.
Cybersecurity Audit Requirements:
If a business is required to conduct a cybersecurity audit, the first audit would need to be completed within 24 months of the effective date of the regulation. After the initial audit, a business would be required to complete a cybersecurity audit at least annually and ensure there are no gaps in the time periods covered by successive audits.
The cybersecurity audit must be completed by a qualified, objective, independent auditor using procedures and standards generally accepted in the auditing profession. The auditor can be either internal or external but must exercise impartial and objective judgment. If the auditor is internal to the business, the auditor must report audit findings directly to the board of directors or governing body, and not to the management that has direct responsibility for the business’s cybersecurity program.
Scope of Audit
The CPPA is evaluating options concerning the scope of a cybersecurity audit. One option would require a cybersecurity audit to assess and document how a business protects against: unauthorized access, destruction, use, modification, or disclosure of personal information; impairment of a consumer’s control over their personal information resulting from unauthorized access; and the economic, physical, psychological, and reputational harm resulting from unauthorized access to personal information. Another option under consideration is narrower: a cybersecurity audit would need to assess and document only risks from cybersecurity threats that have materially affected, or are likely to materially affect, consumers. The CPPA has not decided which option (if any) to move forward with.
In addition, the cybersecurity audit has to address various components of a business’s cybersecurity program, including:
- the establishment, implementation, and maintenance of a cybersecurity program;
- safeguards used by the business to protect personal information, such as authentication (including multi-factor authentication), encryption, zero trust architecture, account management and access controls, inventory and management of personal information, secure configuration of hardware and software, vulnerability scans and testing, and audit-log management;
- network monitoring and defenses;
- antivirus and antimalware protections;
- segmentation of an information system;
- limitation and control of ports;
- cybersecurity awareness and training;
- secure development and coding best practices;
- oversight of service providers and third parties;
- retention and destruction of personal information;
- security incident response practices; and
- business continuity and disaster recovery plans.
The cybersecurity audit must also document the effectiveness of each component of the business’s cybersecurity program, identify any gaps or weaknesses, and document a remediation plan for any gap or weakness identified.
Furthermore, the cybersecurity audit must document any incident involving unauthorized access, destruction, use, modification, or disclosure of personal information, or unauthorized activity resulting in the loss of availability of personal information, that required notice to any agency with jurisdiction over privacy laws in California, other states, territories, or countries. Additionally, if a business was required to provide notice to consumers of a data breach pursuant to Civil Code Section 1798.82, or of a personal information security breach as described in Civil Code Section 1798.150, the cybersecurity audit must include details of the incident and a description of the notices provided.
A business required to complete a cybersecurity audit under the regulations will also have to submit to the CPPA a written certification of compliance signed by a member of the board or governing body.
The cybersecurity audit regulations impose substantial assessment and reporting requirements on covered businesses. Businesses should not take these obligations lightly and should preemptively evaluate their existing cybersecurity programs to ensure compliance by the time initial audits are required to be completed under the regulation.
Risk Assessment Requirements:
If a business is required to conduct a risk assessment, it would need to do so before it engages in any of the following:
- selling or sharing personal information;
- processing sensitive personal information;
- using automated decision-making technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities;
- processing the personal information of a person under the age of 16;
- processing personal information to monitor employees, contractors, or job applicants;
- processing the personal information of consumers in publicly available spaces to monitor behavior, location, movement, or action; or
- processing personal information to train artificial intelligence or automated decision-making technology.
The CPPA is evaluating whether to require businesses to review and update their risk assessments at least once every three years or, alternatively, only as necessary, except in connection with automated decision-making technology, for which the risk assessment would need to be reviewed at set intervals (e.g., annually, biannually, or once every three years).
Scope of Risk Assessments
If a business is required to complete a risk assessment, the risk assessment must include:
- a summary of the processing that presents significant risk to consumers’ privacy;
- the categories of personal information to be processed;
- the context of the processing activity;
- the consumers’ reasonable expectations concerning the purpose for processing their personal information;
- the operational elements of the processing, including the business’s planned method for collecting, using, disclosing, retaining, or otherwise processing personal information; how the processing complies with data minimization; how long the business will retain each category of personal information and why; the approximate number of consumers whose personal information the business plans to process; the technology to be used in the processing; and the names of the service providers, contractors, or third parties to whom the business discloses or makes available the consumers’ personal information for the processing;
- the purpose of processing consumers’ personal information;
- the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public;
- the negative impacts to consumers’ privacy associated with the processing, including the sources of those negative impacts, and the safeguards the business plans to implement to address them; and
- an assessment of whether the negative impacts to consumers’ privacy are outweighed by the benefits resulting from the processing.
The CPPA is also considering additional requirements for businesses that intend to process personal information for use with automated decision-making technology. The requirements may include an explanation of the following:
- why the business is using or seeks to use the automated decision-making technology;
- the personal information processed by the automated decision-making technology;
- the output(s) obtained from the automated decision-making technology and how the output(s) will be used;
- the steps the business has taken to maintain the quality of the personal information processed by the automated decision-making technology;
- the logic of the automated decision-making technology;
- how the business evaluates the use of automated decision-making technology for validity, reliability, and fairness; and
- the degree and details of any human involvement in the use of the automated decision-making technology.
Furthermore, if a covered business has processed or is processing personal information to train artificial intelligence or automated decision-making technology, the business must explain the appropriate uses of that artificial intelligence or automated decision-making technology.
If a business determines that the risk to consumers’ privacy outweighs the benefits resulting from the processing of their personal information, it must not carry out that processing.
A risk assessment completed under the regulations must be made available to the CPPA and/or the Attorney General’s Office upon request. The business will also be required to submit an abridged version of the risk assessment, certified by a designated executive, to the CPPA annually.
Again, the risk assessment regulations impose substantial operational and reporting requirements on covered businesses. Businesses should take these obligations seriously and should preemptively evaluate their processing of consumers’ personal information to ensure their risk assessments comply with the regulations.
We are monitoring the evolution of these regulations closely. Considering the substantial regulatory framework that already applies to regulated financial institutions, we believe the CPPA should consider an exemption for those entities. Nonetheless, we are concerned that the CPPA will not carve out a clear exemption. We are available to assist any financial institution that wishes to submit a request to the CPPA, supported by legal analysis, regarding the need for a clear exemption for regulated financial institutions from the scope of these regulations.