California Cybersecurity Audit Rules Expected in 2024 as Agency Debates Draft

The final version of California's cybersecurity audit rules is not anticipated until at least next year, according to a tentative timeline discussed during deliberations by the state's privacy rulemaking agency. These draft cybersecurity regulations are part of the broader changes to California's data privacy law, the California Consumer Privacy Act (CCPA), introduced under the California Privacy Rights Act. The California Privacy Protection Agency (CPPA) was established to develop and enforce these regulations.

In a meeting held on Friday, the five-member CPPA board focused on two primary aspects of the cybersecurity rules: which businesses should be mandated to conduct annual audits and the specific components that should be included in these audits.

The cybersecurity regulations are part of the second set of rules being drafted by the CPPA, with the first package originally scheduled for enforcement on July 1. However, due to a court ruling granting companies additional time to comply, its enforcement was postponed until March 2024.

California's CCPA was one of the first comprehensive privacy laws in the United States, and it has prompted other states to follow suit with their own privacy regulations. As more states introduce their own privacy laws, a complex patchwork of compliance requirements is emerging for businesses.

Under the draft cybersecurity rules, any business generating 50 percent or more of its revenue from selling or sharing consumer personal data would be subject to these regulations. The CPPA board is also considering additional criteria, including annual revenue thresholds, the handling of personal data for California households, the processing of sensitive personal information, and the processing of personal information for individuals under the age of 16.

One noteworthy aspect of the proposed rules is their focus on conducting cybersecurity audits "enterprise-wide." While many companies already have mechanisms for specific audits, such as for employee data protection, these new regulations would necessitate a broader approach.

Another unique feature is the consideration of psychological harm as a potential impact of cybersecurity incidents. This expands the scope of audits to include risks affecting individuals' mental well-being, a dimension not commonly included in cybersecurity assessments.

The CPPA board plans to form a working group to further refine the preliminary rules based on the discussions during the meeting. Additionally, they will seek economic impact reports for the proposed options to inform their decision-making process. Once the board votes and approves a final version of the cybersecurity rules, they will open them for public comment. Businesses will then have a two-year window to achieve compliance once the final rules are approved.

The CPPA's continued deliberation over and refinement of these cybersecurity regulations underscores the ongoing effort to strengthen data privacy and security measures, which are becoming increasingly critical in today's digital landscape.
