CPPA Releases Draft Cybersecurity Regulations

October 5, 2023

The California Privacy Protection Agency (CPPA) has released draft regulations detailing cybersecurity program audit requirements for businesses that process the personal information of consumers and present a significant risk to consumers’ security. Whether or not an entity presents a “significant risk” is defined by the thresholds of revenue, the volume of consumers and the known age of the consumer. If adopted, this would represent a significant step forward in providing uniform requirements on how a cybersecurity program must be assessed, documented and measured.

Background

The CPPA was formed in 2020 with the objective of adopting regulations for businesses that handle the personal data of consumers. The agency is governed by a five-member board and is responsible for the implementation and enforcement of the privacy protection laws introduced under the California Privacy Rights Act (CPRA).

What do these regulations do?

If enacted, the CPPA’s draft regulations would impose major cybersecurity requirements on covered businesses. It would require an annual audit to assess, document and detail each applicable component of a business’s cybersecurity program, including the identification of any gaps and weaknesses that must be addressed before the next audit cycle.

What components do these regulations cover?

If adopted, several areas across the cybersecurity landscape would be in scope. These areas are not vastly different than what is covered in other industry-wide control frameworks. However, the specificity of components that a cybersecurity program will be audited on establishes a clear picture of what every entity’s program must include. The following cyber elements are specifically listed for assessment and documentation:

What is unique about these draft regulations?

The security measures detailed by the CPPA are defined in a uniform manner. This means that an increased burden would be placed on covered entities to explain the remediation plan for any gaps found during an audit. Covered entities might also have to explain how the current process provides equivalent security to what is outlined if a business doesn’t believe that the control is applicable to them.

Another unique topic that the CPPA includes for consideration is how a business might map “reduction in harm” information to each control. This aims to define whether or not a program component actually reduces the chance of a negative event taking place.

Conclusion

While the CPPA has not yet begun the formal rulemaking process, it has provided these draft regulations to facilitate discussions between the board of directors and the public. Many phases of review, feedback and change are necessary before the adoption of the final regulations. Regardless of the final outcome, this is a compelling start to providing uniform guidance on which components must be covered in a cybersecurity program and what covered entities will need to have in place to ensure the privacy of consumer data.