CPPA Discusses Draft Cybersecurity Audit and Risk Assessment Regulations
The first dedicated privacy regulator in the United States has discussed draft regulations on cybersecurity audits and risk assessments. While lawmakers continue to go back and forth in Washington D.C., the California Privacy Protection Agency (CPPA) discussed a litany of draft regulations at its September 8th meeting. The CPPA was created after California voters approved Proposition 24 in November 2020. The agency, which is governed by a five-member board, discusses, implements and enforces privacy protection laws. The draft regulations discussed at the latest meeting were formed this past summer, after a public hearing earlier in the year. At the 6+ hour meeting, the CPPA Board went back and forth on the audit regulations.
In the first part of the discussion, the board took up the cybersecurity audit regulations; specifically, which businesses would be subject to them, who could audit those businesses, and the required components of the audit. Under the draft regulations, businesses processing significant amounts of personal information would have to conduct annual cybersecurity audits. Generally speaking, the threshold discussed for requiring an audit was a business with annual gross revenues exceeding $25 million that has processed the personal information of 100,000 or more customers. The Board is also considering other thresholds, such as employee and customer counts. As for the auditors, they would have to be independent, but the independence provision in the draft states that “the auditor may be internal or external to the business but shall exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit…” The auditor must document the business’s cybersecurity program, including authentication, encryption, access controls, monitoring, training, vendor oversight and incident response. Furthermore, the auditor would have to assess risks to security and privacy, including unauthorized access to or destruction of information.
The second portion of the board’s discussion dealt with regulations for risk assessments related to cybersecurity audits and automated decision-making technology (ADMT). Under the draft regulations, businesses would have to provide a summary of how they will process personal information, including how they collect, use, disclose and retain that information. The personal information would have to be categorized, and businesses must identify whether it includes sensitive personal information. However, the regulations do not provide a specific definition of sensitive personal information. Businesses would also have to provide the context of processing, including the relationship between the business and the consumers whose personal information is being processed. The purpose of processing personal information must be described with specificity, and businesses must also identify the benefits of the processing to the business, the consumer, the public and other stakeholders. Negative impacts and risks must be identified and described as well under the CPPA’s regulations.
Overall, the regulations laid out at the CPPA’s September meeting are intended to ensure that businesses have adequate safeguards and practices in place to protect the personal information of consumers. Despite the lengthy meeting, the draft regulations weren’t finalized. In fact, public comment on these regulations is still open, as the CPPA remains in the beginning stages of potential rulemaking. Ultimately, the draft proposes mandatory cybersecurity audits and risk assessments for qualifying businesses in the state of California. We could learn more about the regulations at next month’s CPPA meeting, which, as of right now, hasn’t been scheduled.
If you have questions about AI and how the rapidly changing legal landscape could affect your company, reach out to BABL AI; they can answer all your questions and more.