Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

On 24 July, the California Privacy Protection Agency approved a rule requiring many businesses that collect consumers’ personal information to complete an annual cybersecurity audit. By requiring these audits to consider specific cybersecurity practices, the rule effectively represents the agency’s definition of what constitutes the “reasonable” cybersecurity that is required under California law.

Why did the CPPA issue this rule? Because the state’s voters required it, in the California Privacy Rights Act adopted by referendum in 2020. That measure amended the California Consumer Privacy Act to require the CPPA to issue regulations requiring businesses “whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security to … perform a cybersecurity audit on an annual basis.” The law directs the CPPA to define the scope of the audit and establish “a process to ensure that audits are thorough and independent.”

What constitutes a “significant risk” triggering application of the audit requirement? Again, the statute provides the framework, specifying that the factors to be considered in determining when processing may result in a significant risk to security “shall include the size and complexity of the business and the nature and scope of processing activities.”

The CPPA has now expanded on this in the new rule, establishing that a business’s processing of consumers’ personal information presents significant risk to consumers’ security if (1) the business derives 50% or more of its annual revenues from selling or sharing consumers’ personal information, or (2) the business has annual gross revenues in excess of $26,625,000 (that number gets adjusted periodically for inflation) and processed, in the preceding calendar year, the personal information of 250,000 or more consumers or households or the sensitive personal information of 50,000 or more consumers.

The rule adopted on 24 July states that every business required to complete a cybersecurity audit must do so using a qualified, objective, independent professional using procedures and standards accepted in the profession of auditing. The auditor may be internal or external to the business but must exercise objective and impartial judgment on all issues within the scope of the audit and must be free to make decisions and assessments without influence by the owners, managers, or employees of the business being audited. If a business uses an internal auditor, the highest-ranking auditor must report directly to a member of the business’s executive management team who does not have responsibility for the business’s cybersecurity program. (This is a change from an earlier draft, which would have required the auditor to report to the business’s board of directors or governing body.)

Under the rule, no finding of any cybersecurity audit may rely primarily on assertions or attestations by the business’s management. The audit report must identify the specific evidence examined to make decisions and assessments, such as documents reviewed, sampling and testing performed, and interviews conducted. The report must identify and describe in detail the status of any gaps or weaknesses in the business’s cybersecurity program. Moreover, it must document the business’s plan to address the gaps and weaknesses identified.

Finally, the independent audit report must “explain the effectiveness” (an earlier draft said “assess and document the effectiveness”) of the cybersecurity measures adopted by a business “in preventing unauthorized access, destruction, use, modification, or disclosure of personal information; and preventing unauthorized activity resulting in the loss” of its availability. “Effectiveness” would seem to be the auditor’s judgment call, and is likely to vary from auditor to auditor, because right up until the moment a breach is discovered, many cybersecurity programs might look effective.

What are “reasonable” security practices for personal information?

California is one of 31 states with laws requiring businesses collecting personal information to implement “reasonable” security practices (and/or procedures or measures) to protect the data from unauthorized access, destruction, use, modification, or disclosure. Most of these laws say that the measures must be appropriate to the nature of the information and some also say “appropriate to the nature and size of the business.” But beyond that, most of the state laws do not define what is “reasonable” security. Instead, reasonableness must be discerned from the settlement agreements in data breach cases brought by the states, where respondents agree to implement long lists of security measures. These settlements vary from case to case and their contents evolve over time, leaving an uncomfortable (but perhaps unavoidable) degree of uncertainty around the data security obligation.

The new CPPA rule is also indirect, but at least it offers one single list of cybersecurity practices that those doing business in California can work from. The rule does this by specifying the components of a business's cybersecurity program that an audit must assess, “if applicable.” These include multi-factor authentication (including MFA that is resistant to phishing attacks for employees, service providers, and contractors); strong passwords; encryption of personal information at rest and in transit; account management and access controls (including restricting each person’s, account’s, or application’s privileges and access to what information is necessary for that person, account, or application to perform their duties, restricting the number of privileged accounts, and restricting and monitoring the creation of new accounts for employees or contractors); taking inventory of data flows, hardware, and software; secure configuration; patch management; vulnerability scanning; logging; training; and more.

Altogether, I count at least two dozen specific controls that the audit must address.

The items on the list in the CPPA rule should surprise no one: all, I think, have appeared in data breach settlements entered into by the U.S. Federal Trade Commission and state attorneys general. What is new is that, rather than being imposed case-by-case, the security measures are defined uniformly.

However, none of the listed controls is required.

Indeed, it is the auditor who determines which cybersecurity measures are applicable to a business’s information system. Under the rule, a business’s cybersecurity program must be appropriate to the business’s size and complexity and the nature and scope of its data processing activities, “taking into account the state of the art and cost of implementing the components of a cybersecurity program.” The final rule dropped a provision in an earlier draft that would have required the audit, if a component was deemed unnecessary, to explain why and how the safeguards the business has in place provide at least equivalent security.

What’s next?

The CPPA’s approval of the rule is not the last step in the California rulemaking process. The agency now needs to submit the rule to the state Office of Administrative Law, which reviews the CPPA’s process to ensure compliance with the California Administrative Procedure Act.

When do businesses need to begin doing these audits? The rule establishes a fairly generous phase-in period: a business must complete its first cybersecurity audit report no later than April 1, 2028, if the business’s annual gross revenue for 2026 was more than $100,000,000, in which case the audit must cover the period from January 1, 2027 through January 1, 2028; no later than April 1, 2029, if its revenue for 2027 was between $50,000,000 and $100,000,000, in which case the audit must cover the period from January 1, 2028 through January 1, 2029; and no later than April 1, 2030, if its revenue for 2028 was less than $50,000,000, in which case the audit must cover the period from January 1, 2029 through January 1, 2030.

One final point. There is no requirement under the rule for businesses to submit their audit reports to the CPPA. The rule only requires covered entities to submit to the agency every calendar year a written certification that the business has completed the cybersecurity audit. However, the agency and the state attorney general have the power to subpoena audit reports, including as part of an investigative sweep. Plus, it is likely that the audit reports will become the target of plaintiffs’ discovery requests in the private class action lawsuits that often follow announcement of a data breach.