California’s Proposed Changes to the CCPA: A Deep Dive into Risk Assessment and Cybersecurity Audit Draft Requirements
In an era of increasing concerns over data privacy and security, the California Privacy Protection Agency (CPPA) has taken a significant step forward in addressing these issues by releasing draft regulations on cybersecurity audits and risk assessments. As data breaches and privacy violations continue to make headlines, the need for comprehensive and robust privacy regulations becomes more apparent. The proposed regulations aim to create a framework that ensures businesses take the necessary precautions to protect consumers' personal information and mitigate the risks associated with data processing.
The draft regulations, released in connection with the CPPA's September 8, 2023 board meeting, are intended to facilitate board discussion and public participation, allowing for input and feedback before the formal rulemaking process begins. While these drafts are not yet final, they provide valuable insight into the potential direction and scope of the forthcoming regulations, which are poised to have a significant impact on businesses, service providers, and contractors operating within California.
As we delve deeper into the details of these draft regulations, it is essential to understand the key components of risk assessments and the implications they may have for businesses and their compliance obligations. In the following section, we will explore the requirements and scope of risk assessments as outlined in the draft regulations.
RISK ASSESSMENTS
A crucial aspect of the draft regulations revolves around risk assessments, which serve as a means to evaluate the potential risks to consumers' privacy resulting from businesses' data processing activities. Drawing inspiration from the data protection impact assessments required by the GDPR and the data protection assessments mandated by the Colorado Privacy Act, the CPPA's draft regulations propose a comprehensive framework for businesses to follow.
Extensive Compliance Obligations for Businesses. The draft regulations require businesses to conduct thorough risk assessments and attach extensive compliance obligations to that requirement. The assessments are designed to ensure that businesses identify the risks associated with their data processing activities and take appropriate measures to mitigate them, rather than treating the assessment as a paper exercise.
Scope of Risk Assessments. The draft regulations outline seven specific instances in which businesses would be required to conduct risk assessments. These include:
Requirements for Completing Risk Assessments. To ensure businesses conduct comprehensive risk assessments, the draft regulations propose a detailed set of requirements that businesses must follow. These include considering thirteen (or potentially fourteen) topics, with many of these topics containing multiple sub-topics. Additionally, businesses using automated decision-making technology are subject to further requirements, as outlined in the draft regulations.
As the draft regulations continue to evolve and take shape, businesses must remain vigilant in staying up-to-date with the latest developments. In the next section, we will discuss the proposed cybersecurity audit regulations and their implications for businesses.
CYBERSECURITY AUDITS
Another critical component of the draft regulations is the introduction of cybersecurity audits, which aim to operationalize the CCPA's information security provisions. These audits are designed to ensure that businesses take the necessary steps to protect consumers' personal information and maintain a secure environment for data processing.
Scope of Businesses Required to Complete Cybersecurity Audits. The draft regulations propose specific criteria for determining which businesses must complete cybersecurity audits. One category of covered businesses comprises those that derive 50% or more of their annual revenue from selling or sharing consumers' personal information (one of the CCPA's statutory thresholds for qualifying as a "business," and the category that captures most data brokers). The draft regulations also identify additional potential categories based on factors such as the amount and type of personal information a business processes, its gross revenue, and its number of employees.
Requirements for Conducting Cybersecurity Audits. To ensure that businesses conduct thorough and effective cybersecurity audits, the draft regulations establish extensive requirements that businesses must follow. These requirements include the use of qualified, objective, and independent professionals to conduct the audits, as well as the implementation of comprehensive information security measures by the businesses subject to the audit requirements.
Notice of Compliance. Businesses that are required to complete a cybersecurity audit must submit to the CPPA either a written certification of compliance with the regulatory requirements during the 12 months covered by the audit or a written acknowledgment of noncompliance, which includes the identification of areas of noncompliance and a remediation timeline. This submission must be signed by a member of the board or governing body or, if none exists, the business’s highest-ranking executive with the authority to bind the business.
With the proposed regulations on risk assessments and cybersecurity audits, businesses, service providers, and contractors operating within California must be prepared to adapt to the potential changes and challenges these regulations may bring. In the following section, we will discuss the implications of these draft regulations for various stakeholders and the steps they can take to ensure compliance.
IMPLICATIONS FOR BUSINESSES, SERVICE PROVIDERS AND CONTRACTORS
As the draft regulations on cybersecurity audits and risk assessments continue to take shape, it is crucial for businesses, service providers, and contractors to understand the potential impacts these regulations may have on their operations and compliance obligations.
Review of Draft Regulations. Stakeholders are advised to carefully review the draft regulations to gain a better understanding of the CPPA's intentions and expectations regarding cybersecurity audits and risk assessments. This review process will allow businesses, service providers, and contractors to identify areas where they may need to adjust their current practices or implement new measures to ensure compliance with the proposed regulations.
Preparation for Extensive Audit and Risk Assessment Requirements. The draft regulations indicate that businesses subject to these regulations will need to implement and maintain extensive information security requirements and conduct thorough risk assessments. As a result, businesses, service providers, and contractors must be prepared to invest time and resources into understanding and complying with these requirements, as well as developing strategies to mitigate any potential risks associated with their data processing activities.
CONCLUSION
The CPPA's draft regulations on cybersecurity audits and risk assessments signal a significant shift in the data privacy landscape, emphasizing the need for businesses to prioritize the protection of consumers' personal information and implement robust security measures. If these regulations are promulgated into law, businesses, service providers, and contractors will need to adapt to new practices and requirements to ensure compliance.
Key new practices that businesses may need to adopt include:
The draft regulations presented by the CPPA highlight the growing importance of data privacy and security in today's digital landscape. Businesses, service providers, and contractors must remain vigilant and proactive in staying informed about the development of these regulations and adapting their practices accordingly. By doing so, they can not only ensure compliance with the forthcoming regulations but also demonstrate their commitment to protecting consumers' personal information and fostering a secure and trustworthy digital environment.
ABOUT THE AUTHOR
Scott Allendevaux has a doctorate in law and policy from Northeastern University and is senior practice lead of law and policy at Allendevaux & Company. He can be reached at sallen@allendevaux.com.