Draft Regulations on Risk Assessments and Cybersecurity Audits Released by CPPA

The California Privacy Protection Agency (CPPA) released draft regulations on risk assessments and cybersecurity audits. While the drafts are designed to “facilitate board discussion and public participation,” they provide some initial insight into the CPPA’s thoughts about these topics. The risk assessment draft regulations are similar to the data protection impact assessments that both the GDPR and the Colorado Privacy Act (CPA) require. Please note, these regulations are in draft form and have not yet been finalized or approved.

The draft regulations demonstrate the CPPA’s intent to establish extensive requirements for businesses subject to these regulations. Here is a breakdown of what will be required if the risk assessment and cybersecurity audit regulations are enacted.

Risk Assessments

The draft regulations state that all businesses that process consumers’ personal information in a manner that “presents significant risk to consumers’ privacy” are required to conduct a risk assessment before initiating that processing. The draft identifies the following seven activities as presenting a significant risk to consumers’ privacy:

  1. Selling or sharing personal information.
  2. Processing sensitive personal information. There is an exemption for employee and independent contractor data, including employment authorization information, payroll, health plans, and other benefits.
  3. Using Automated Decisionmaking Technology in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities.
  4. Processing the personal information of consumers whom the business has actual knowledge are less than 16 years of age.
  5. Processing the personal information of consumers who are employees, independent contractors, job applicants, or students using monitoring technology such as keystroke loggers, productivity or attention monitors, video or audio recording, live-streaming, facial or speech recognition or detection, automated emotion assessment, location trackers, speed trackers, web-browsing, mobile-application, or social-media monitors.
  6. Processing the personal information of consumers in publicly accessible places using technology to monitor consumers’ behavior, location, movements, or actions. Examples include Wi-Fi or Bluetooth tracking, radio frequency identification, drones, video or audio recording, live-streaming, facial or speech recognition or detection, automated emotion assessment, geofencing, location trackers, or license plate recognition.
  7. Processing the personal information of consumers to train artificial intelligence or Automated Decisionmaking Technology.

The draft regulations set out the following requirements for conducting risk assessments; they are similar to those of the Colorado Privacy Act but include some new categories. We have provided a summary of the requirements below, but you can read the requirements in detail here.

  1. A short summary of the processing that presents a significant risk to consumers’ privacy that includes how the business will collect, use, disclose, and retain personal information.
  2. The categories of personal information to be processed and whether they include sensitive personal information.
  3. The context of the processing activity, including the relationship between the business and the consumers whose personal information will be processed.
  4. The consumers’ reasonable expectations concerning the purpose for processing their personal information, or the purpose’s compatibility with the context in which their personal information was collected.
  5. A description of the processing operations.
  6. The purpose of processing consumers’ personal information.
  7. The benefits resulting from the processing to the business, the consumer, other stakeholders, and the public.
  8. The negative impacts on consumers’ privacy associated with the processing.
  9. The safeguards the business plans to implement to address the negative impacts identified.
  10. The business’s assessment of whether the negative impacts, as mitigated by the safeguards, outweigh the benefits.

The draft regulations also note that the board will discuss additional requirements for businesses using Automated Decisionmaking Technology. Businesses will need to provide information on why they are using such technology, the personal information processed, the personal information generated, and how they will maintain the quality of the personal information processed by the Automated Decisionmaking Technology.

Also under board consideration is requiring businesses that use personal information to train Artificial Intelligence or Automated Decisionmaking Technology to provide information on the safeguards in place to ensure the personal information is being used as intended.

The draft regulations require businesses to make risk assessments available to the CPPA or state Attorney General upon request. Businesses would also be required to submit to the CPPA on an annual basis a summary of the business’s risk assessments and a certification by a designated executive that the business has complied with the CCPA’s risk assessment requirements.

Cybersecurity Audits

The draft regulations on cybersecurity audits state that which businesses will need to complete audits remains an area for board discussion. Thresholds up for discussion include the percentage of revenues derived from the sale of personal information, the amount of personal information processed, gross revenues, and number of employees.

The draft states organizations can use an external or internal auditor to conduct the cybersecurity audits. The draft regulations include rules for using an internal auditor, including that the auditor must only report to the business’s board of directors or governing body, not to business management that has direct responsibility for the cybersecurity program. If no such board or equivalent body exists, the internal auditor shall report to the business’s highest-ranking executive who does not have direct responsibility for the business’s cybersecurity program.

The draft regulations identify the following requirements for cybersecurity audits. Full details can be viewed here.

  1. Assess and document how the business’s cybersecurity program considers and protects against negative impacts on consumers’ security from unauthorized access.
  2. Identify the qualified employees responsible for the cybersecurity program.
  3. Identify the safeguards the business uses to protect personal information from internal and external risks to the security, confidentiality, integrity, or availability of personal information including:
    • Multi-factor authentication and strong password management
    • Encryption of personal information at rest and in transit
    • Zero trust architecture
    • Account management and access controls
    • Inventory of personal information and information systems
    • Hardware and software configuration
    • Vulnerability scans and penetration testing
    • Log management
    • Network monitoring
    • Antivirus and antimalware protections
    • Segmentation testing
    • Cybersecurity training
    • Code review and testing
    • Vendor management
    • Retention schedules and policies
    • Incident response plans
    • Business continuity and disaster recovery plans

The draft regulations also require the cybersecurity audit to identify any gaps in the business’s cybersecurity program, address the status of any gaps identified in any prior cybersecurity audit, and identify any corrections or amendments to any cybersecurity audits previously conducted.

The draft states that businesses will have 24 months from the effective date of these regulations to complete their first cybersecurity audit. After completion of the first cybersecurity audit, subsequent audits shall be completed annually. Businesses must submit written certification regarding the cybersecurity audit identifying the 12 months the audit covers.

CompliancePoint has a team of privacy and security professionals that can help your organization design and implement programs that will achieve compliance with the GDPR, CCPA, and all state privacy laws. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.