S3 E44: CCPA Cybersecurity Audits

Transcript

Jordan Eisner

All right, welcome to another episode of CompliancePointers and another episode with Matt Dumiak, the Privacy Profit. Matt, good to have you back.

Matt Dumiak

Hey Jordan, how’s it been going?

Jordan Eisner

I guess pretty good. I guess pretty good. Very busy, very busy. I was in San Francisco with you this week. I was in San Diego with you the week prior to that. Yes. I was home the week prior to that, but you were in San Francisco that week. And then I think you were home the week prior to that and I was in Los Angeles. So a lot of California.

Matt Dumiak

Yeah, we spent a lot of time in California over last month.

Jordan Eisner

Which is a topic of discussion today on CompliancePointers. Brought to you by CompliancePoint. I always like to add that in there, but I don’t always do it.

Matt Dumiak

It is.

Jordan Eisner

And for those of you watching or listening for the first time, because I think these cyber audits are going to drive a lot of new subscribers, CompliancePoint is an advisory firm, consulting firm, professional services firm, whatever you want to call it, based in metro Atlanta. And we have three different focal groups. One of those is data privacy. The other two are information assurance and cybersecurity. And we provide assessment and ongoing retainer and advisory support. So Matt here is the head of our Data Privacy group. He’s also the head of our marketing compliance group. Both live under what we just refer to as privacy or regulatory compliance. But that’s where we’re helping companies with GDPR, state privacy law such as the CCPA, but also some federal laws such as HIPAA, the FCC’s Telephone Consumer Protection Act, TCPA, the Telemarketing Sales Rule, CAN-SPAM, as well as a handful of different state privacy laws around consumer contact.

Matt Dumiak

Well, I’ll summarize, Jordan.

Jordan Eisner

There you go. So these CCPA cyber audits, cybersecurity audits, this is what we’re going to break down today. We’re going to understand because as soon as you think you might have a hold on the CCPA, they’re one step ahead of you. That step ahead of you is issuing cybersecurity audit requirements. These are pretty far out in terms of when they’re going to be required and that sort of thing, before we even get, yeah, maybe that’s a good starting point. Tell us when this is going to affect, how often organizations are going to need to do these and what they’re going to need to entail.

Matt Dumiak

They are.

Yeah, that sounds good Jordan. Happy to walk through that and who would think that we’re having a privacy podcast topic about a cybersecurity requirement moving forward into the future. So you might be asking yourself as a listener. Well, why aren’t we talking to this CompliancePoint cyber guy and believe me their cyber folks will be involved as well. But given this is driven from the CCPA, there are some privacy components as well as some cybersecurity components. Obviously that we want to call out so.

Jordan Eisner

I thought you were going to say, believe me, I wish you were. Yeah.

Matt Dumiak

Well, and this is a really hot topic right now. I mean, Jordan, being that you’re on the sales front and you’re on the front lines hearing from a lot of prospects, but also existing clients that you have relationships with, you’re getting a lot of questions around this requirement, are you not? Even as you said, I’ll hit on the dates, but you’re getting a lot of questions about this from our law firm partners and some others, right?

Jordan Eisner

Often partners in particular: do you do this? You know, there’s certainly a lot of questions around it.

Our organizations, and I think this is a humble brag, I’m not getting a lot of questions about it from our clients. Either they don’t know about it or you and your team are keeping them well aware of it. That’s right.

Matt Dumiak

They’ve been informed. Exactly. They don’t feel the panic, the fear, uncertainty, or doubt when they’re with us. So we’re walking them through all these things.

Jordan Eisner

Yes, I like the latter.

Yes, shameless. Exactly. And that’s no reflection on our law firm partners. They are great. Absolutely. They have a million things they’re keeping their clients aware of, whereas we’re focused on data.

Matt Dumiak

Well, and we have the benefit of having the cyber experience as well. So it’s a good fit. Exactly right. Yep. It’s exactly right. When we talk about timing, to your point, they are a ways out, but I will highlight, and you’re aware of this as well, Jordan, we are getting requests at this point from organizations that would like to have some form of cyber audit aligned against the cybersecurity audit requirements under the CCPA next year, in order to prepare them for what will be a requirement in the following years. So they’re already starting, I would call it a dry run or a practice run, to say, you know, what is this going to look like for us as an organization? So that we’re prepared going into these deadlines. And when I say deadlines, there are several, because they’re based on company size and revenue.

Jordan Eisner

Yeah, I saw one where the third number was a three. I don’t even want to think about that decade, but we’re there.

Matt Dumiak

Yeah, that’s kind of scary to think about, isn’t it? 2030? Yeah, that’s kind of crazy. The earliest deadline we have is if the business, and I’m kind of referencing the regulation here to make sure I get all these little requirements correct, but if the business has annual gross revenue for 2026 of more than $100 million, as of January 1st, 2027, they have to have an audit that covers the following audit period. That’s 2027 through January 1st, 2028. So if you can imagine that, that’s why organizations are starting to think through this and go, well, we know that we’re going to have to do this for that audit period of January 1st, 2027 through January 1st, 2028, and then submit a certification to the agency in California by April 1st of 2028.

We wanna do something in 2026 so we can hit the ground running in 2027 with our audit period and know where we’re at. And I’ll point out as well when we talk about some of the audit requirements, why organizations may wanna get in front of that as well. The second criteria or the second threshold is 50 million to 100 million. That’s when you start going into the April 1st, 2029 deadline.

And then if it’s less than 50 million, Jordan, that’s where we talk about this date that appears to be really far off. But in reality, as we know, we both have small children. Time just seems to be going by really quickly. This is where we get into April 1st, 2030. So just to reiterate, there’s an April 1st, 2028 deadline to submit the certification. There’s an April 1st, 2029 deadline for that 50 million to 100 million. And then there’s April 1st, 2030.

Jordan Eisner

A lot of people listening right now are probably thinking, why?

Matt Dumiak

Why is the agency requiring that you have a cybersecurity audit?

Jordan Eisner

Alright.

Matt Dumiak

You can’t have privacy without security, right? Privacy incidents happen all the time, or security breaches where a lot of either sensitive or non-sensitive personal information is released to individuals in whose hands it doesn’t belong. And in California, they’ve always been way out in front of that, being that they were the first comprehensive state privacy law, but also some other items under their state laws, as you can imagine, like the right to opt out of the sale of personal information and targeted advertising. I think this is just another addition that they obviously see as critical, and it makes complete sense. And they go beyond just saying we have to ensure that organizations have appropriate technical and security controls, to say if you meet certain criteria under this law, i.e. if you have 25 million in revenue or more.

Or if you generate 50% or more of your annual revenue from the sale of personal information, you’re in. You need to do these cybersecurity audits, and you need to do them annually, and you need to certify with us that you’ve done them. And then there’s a whole host of other requirements under that. Yeah.

Jordan Eisner

Okay, what is being assessed or audited?

Matt Dumiak

So it’s obviously a cybersecurity audit. The primary components of this audit are going to be information security focused, things like encryption, access, so access controls, authentication. They’re going to want an auditor to look at, or the audit to cover, vulnerability and penetration scanning, network monitoring, hardware and software configuration.

All those things that we see in pretty standard information security audits, and the agency has highlighted as well that they understand that this requirement is specific under this regulation, but that organizations could or may rely upon a framework or an assessment or an audit that they’ve done under one of the accepted information security frameworks.

They name the NIST Cybersecurity Framework as one of those examples, specifically, where many of those things would be covered. But there are some, what we would probably call more pure play, privacy requirements that they’re going to want to look at under these cybersecurity audits as well, which I thought was pretty interesting. Things like, you know, you hear about network diagrams and items, topics like that, in a cybersecurity audit, but they’re also wanting to see that the organization included in this audit a review of their data maps and personal information flows. Data inventories, OK, like personal information. Yeah, you’re starting to get like, OK, if you just went into this audit thinking, we do a NIST CSF every year, there’s going to be a gotcha there, because you know there’s a crosswalk between the NIST Privacy Framework and the NIST CSF.

Jordan Eisner

Like a privacy audit.

Matt Dumiak

You know, if an auditor is mature in that regard and says, yeah, we’re going to stack that on top of that thinking, you know, that might be a play. But if someone went in and just said, we already do the CSF every year and we’re going to accomplish this cybersecurity audit under the CCPA, problem. Those are some caveats or some nuances there that I would really recommend ensuring are included in the audit. So like you’ve said, it is more of a pure play when we look at it through a privacy assessment: we’re looking at an organization’s capability to produce a personal information inventory, personal information data flows, not just network diagrams, data classification. Also an interesting requirement under these audits is a review of contracts. And that’s specifically called out with those access controls, Jordan, where it says if you have any vendors that you’re relying upon for access controls, or through sharing personal information with third parties, making sure that you review those contracts to ensure they include the appropriate terms and that they restrict the level of access to only what that vendor needs or is purely necessary for their business function. Right. And, you know, I’m sure there are some cybersecurity professionals out there that would go to the level of detail to review a contract to ensure that that aligns with whatever the business has agreed to with that vendor. But not all. But that’s something that is specifically called out within these regulations, which I thought was fairly interesting.

Jordan Eisner

Yeah, so very cyber in nature, then it starts to draw on privacy elements, which is a bit unique.

Matt Dumiak

Exactly right, where if you’re not paying attention.

Jordan Eisner

I don’t know why these companies are like, hey, who’s doing this? Because it’s unique expertise.

Matt Dumiak

Exactly right. And it can be an internal auditor or external. Yeah, it can be internal or external. I wanted to call that out.

Jordan Eisner

Okay, that’s good to know.

How often do you have to do them when you do them? That’s the other thing I didn’t ask earlier. I think you had something you just wanted to add there, but somebody was telling me every three years. Did you already mention that?

Matt Dumiak

That’s the risk assessment. So the cyber audit would be annually, and then you certify that you’ve done it. Yeah. OK. Yeah, the risk assessments, those are, if anything, every three years unless something material changes with that assessment. One thing I wanted to call out with the internal auditor thing, I think you’ll find this pretty interesting, is you can use an internal auditor. And these are the kind of administrative details that

Jordan Eisner

That’s it.

Matt Dumiak

I think that the agency is going to take seriously, and when you have some experience going through, like, FTC consent orders, like decrees, and helping an organization navigate those assessments under that, you really pay attention to some of these really detailed requirements. It is that if you use an internal auditor, to maintain the auditor’s independence, the highest-ranking auditor must report directly to a member of the business’s executive management team.

So what does that look like? A member of, and then I wanted to go through this, a member of the business’s executive management team also needs to conduct the highest-ranking auditor’s performance review and determine the auditor’s compensation.

So I thought that was kind of an interesting nuance there to think through, you know, I know we’re realizing that.

Jordan Eisner

Companies will get creative about how they do that.

Matt Dumiak

Yeah, absolutely. You know, find the way, and the agency says they have to conduct the internal auditor’s performance review, right, and determine their compensation. And you’re right, like the agency encourages this a lot. You hear this from industry, that they’ve come out with these obligations that look really challenging, and not that that’s the most challenging, but they come out with challenging obligations and they say, well, figure it out. The agency, right? You’re clever, you’re smart, and I don’t mean that in a demeaning way, like it’s a capitalist society, figure it out. How are you going to make it work? So I thought that was an interesting nuance there: when you think, well, it’s easy, we’ll do it internally, that’s fine. But make sure that those workflows are in place to make sure that, you know, the performance review and those types of things are conducted. And then also, another comp, not a complication per se, but you’ve got to look out for conflict of interest as well if you do this internally.

So, and they call that out in these regulations as well in terms of if, you know, they need to be an independent auditor, they can’t be involved as well in, you know, you got the cook and the critic kind of situation here that we talk through a lot with our clients, Jordan, right, is they can’t be involved in the cybersecurity program and then go and audit their own work. So what does that look like to the lines of delineation?

Some organizations are large enough to have an internal audit function where that would be, for all intents and purposes, relatively straightforward, I think. But some don’t. And I think they’re going to read that it can be an internal auditor. What’s that? A lot don’t. Yeah. And so, you know, a publicly traded organization may, but, you know, a lot don’t. And they’re going to read that and go forth with it. And then they’re going to read some of the more detailed requirements here. And, you know, I wanted to call it out in this episode just to make sure we didn’t miss that. That’s an easy gotcha, I think. Yeah, say we were thinking internal would be the route to go, it’s easy enough, and then there are some nuances here that need to be called out and thought about.

Jordan Eisner

What are the gotchas or nuances?

Matt Dumiak

Yeah, and we’ve talked about the data classification or data inventory, data map. Some of this is administrative, but for a minimum of five years after completion, there are records that need to be maintained. And then within the audit, and this kind of falls under a roadmap kind of consideration, if there are gaps that are found, it needs to be documented, and you need to document in this audit what the plan is to fix those gaps. So the auditor needs to get feedback from the business about what the plan is and the timeline to fix any gaps that they reveal. So at that point you’re trying to strike a balance as an auditor. You’re going to get those questions from your business clients as an auditor, like, well, how long would this typically take? Those types of things that you need to have conversations about. But also be prepared, as the auditor and the business, to have those types of conversations, because that’s one of those audit components: it’s not only just black and white, is this in place or not in place and the company has a gap, but also what is the plan beyond that, right? And you don’t have to submit this audit, the full-blown audit, to the agency.

You have to certify, the business needs to certify, that they’ve conducted it, and some other things within that about, well, who signed off on it and who needs to submit it and that type of thing, like a member of the executive team. Excuse me, but where there might be questions or complaints, that’s where I think the agency will have the power to request that type of thing. And they’re gonna go through that audit, I believe, with a fine-tooth comb to say, okay.

It’s one thing to say that you took a look at MFA or that you have a password policy and some other common things. Did you? Who conducted this? Do you have a timeline? Do you have a roadmap? Are you following that roadmap? Do you have records for five years? Like all of those types of things that they’re going to be empowered to ask for that I think could be an easy oversight for businesses.

Yeah, and they give some hints too, like they say that the business uses passwords and the passwords are at least eight characters in length. I would pay attention to that type of thing. Right, it says e.g., so it’s not, it’s not in quotes, you know, it’s not a, I think it’s a suggestion, and I’m not a lawyer, but it’s strongly recommended.

Jordan Eisner

Example, right? Doesn’t e.g. mean “for example” and i.e. mean “as in”?

Matt Dumiak

Yes, that’s right. So for example.

Jordan Eisner

Nobody once told me that and it just sounded right. It could be totally wrong.

Matt Dumiak

We could do, you know, I listen to another podcast that does a fact check at the end of every episode. So what we could do is cut and then we could go through and say, okay, did we get those movie quotes right? Was Dumiak right about the deadline or the timeline? Did Jordan get e.g. versus i.e. right? And we could have a conversation about that too, if you want. That could be maybe like a 2026 initiative.

Jordan Eisner

Big time production.

Matt Dumiak

Yeah, it is, so. They’re going to look at, like, code reviews and testing. I know that’s part of a cybersecurity audit, but that’s a flavor of privacy by design.

Jordan Eisner

A lot to unpack here. Aside from what you said, it totally makes sense: organizations starting on this already, doing some of this work, hiring companies to come in so they can have their ducks in a row by the time these start to become requirements out of California. Anything else that you would recommend organizations consider, or, you know, I mean, besides don’t delay?

Matt Dumiak

Don’t delay. No, I mean, review it carefully. Work with an auditor that has experience both in the privacy and security space. Not to toot our own horn here, but yeah, and we’re calling these out to be helpful as well, but we do, but also because, look, there are easy things that could trip you up if you’re not careful when you’re looking at it. And, you know, these cybersecurity audits are in regulations that include a couple other things: automated decision making and risk assessments.

They’re in 127 pages from the agency. So they’re kind of almost about two-thirds of the way down. As you read those late at night, it might be easy to doze off and get confused and think that you’re in the cyber audits, but you’re in the risk assessments or you’re in the automated decision making. You know, that would be my recommendation as well. Make sure you’re in the right section when you’re reading it. Take diligent notes.

But yeah, don’t, you know, I think those timelines out there with April 1st of 2028, 29 and 30 can lull you into a false sense of, no pun intended here, a false sense of security in terms of how much time you have to conduct it and learn from it. And it wouldn’t be a bad idea to do some type of tabletop or dry run, and even work with outside counsel to look at the certification and the obligations and the report, to make sure it includes all the components of it and make sure everybody’s aligned with what you’re gonna do once those requirements do kick in, which is gonna be, you know, here before we know it.

Yeah, after next year, you know, it’s a tight timeline, because the audit period, as you know, is going to be January 1st, 2027 to January 1st, 2028. That’s the look back. That’s the audit period. And you have to submit it by April 1st, 2028. But they want that audit period to be that 2027 year. So looking back at that as well, again, it’ll be here before we know it.

Jordan Eisner

Matt that was very informative.

Matt Dumiak

Good, I’m glad you enjoyed it. I know people don’t know they can listen to this any time of day, but it’s a little bit later in the day here after a very busy day.

Jordan Eisner

Yeah, I think it’s a lot to unpack too. It is, it is. You know, we’ll promote it out there on the channels, and for those of you listening and making it this far, you probably have questions. Please don’t hesitate to reach out. You can email us directly at connect at CompliancePoint.com. Visit our website: a lot of material, a lot of resources on there. That’s where you’ll find this podcast, but also webinars, blog posts and other really helpful information that we try and keep ungated for people to come and see and leverage and utilize. Then Matt and myself, both pretty active on LinkedIn, we’d welcome any messages that way, especially if it means we can get you helped and on your way with this. Until next time everybody, thanks again Matt and everybody be well.

Matt Dumiak

Yeah, it’s good to be here.