On December 8, 2023, the California Privacy Protection Agency (CPPA) will hold a board meeting seeking public comment on various privacy regulations. The meeting, which will take place on Zoom, will cover several topics listed in its published agenda. The New CPRA Rules Subcommittee will provide an update and present on the Draft Regulations on Automated Decision-making Technology, Risk Assessments, and Cybersecurity Audits. Other topics for discussion include proposed insurance regulations under the CCPA, proposed regulation on the CPPA’s Data Broker Registration Fee under the DELETE Act, and updates on CPPA intergovernmental engagement, legislation, agency proposals, and priorities.
In advance of the meeting, on November 8, the CPPA published an updated draft of its cybersecurity audit regulation (our summary of the initial draft regulation can be found here). As with prior drafts, these regulations are intended to facilitate discussion between the CPPA board members, and the formal rulemaking process has not begun.
Though the regulations remain only a discussion draft, the notable changes to the cybersecurity audit regulations are as follows:
- Definition of “cybersecurity incident.” The proposed definition of “cybersecurity incident” is broader and now includes an unauthorized occurrence or series of related occurrences that potentially (not necessarily definitively) jeopardizes the confidentiality, integrity, or availability of a business’s information systems or any information the system processes. The definition is further broadened to include an unauthorized occurrence (or series of related occurrences) that constitutes a violation or imminent threat of violation of the business’s cybersecurity program. A company’s cybersecurity audit must include an assessment of any risks resulting from any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, consumers. By broadening the definition in this manner, companies may find it difficult to draw the line as to what is a cybersecurity incident warranting assessment as part of their cybersecurity audit. For example, a company’s security tools may effectively block an attempted deployment of ransomware; however, arguably, the attempt alone potentially jeopardizes the availability of the company’s information systems and thus would be in scope for the cybersecurity audit.
- Scope of cybersecurity audit. The scope of a cybersecurity audit is not only broader because of the more expansive definition of “cybersecurity incident,” but now also requires businesses to assess and document any risks from cybersecurity threats. “Cybersecurity threats” are broader than “cybersecurity incidents,” as they include any potential unauthorized occurrence on or conducted through a business’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a business’s information systems or any information residing therein.
- Inclusion of independent contractors. The revised regulations require cybersecurity audits to assess and document safeguards to protect personal information as applied to independent contractors and other personnel, not just employees. Notably, the audit must now assess the use of multi-factor authentication that is resistant to phishing attacks not only for employees but also for independent contractors. The provision requiring assessment of the business’s account management and access controls was also revised to explicitly include independent contractors, noting that access to personal information should be restricted to only that information required to perform the respective job functions. Finally, the audit must now also assess the cybersecurity awareness, education, and training of independent contractors and other personnel, in addition to employees. While these are requirements for what must be assessed in the audit, and not necessarily required controls for the business, these provisions likely provide a roadmap for what the CPPA may consider to be reasonable security. If any of the named safeguards and controls are missing from the business’s cybersecurity program, then the auditor must note in the audit why the business does not have that safeguard in place.
For more information on the upcoming meeting, follow this link to the CPPA’s website.