California adopts Cybersecurity Audit Rule, outlining 'reasonable' cybersecurity


Contributors:
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 24 July, the California Privacy Protection Agency approved a rule requiring many businesses that collect consumers' personal information to complete an annual cybersecurity audit. By requiring these audits to consider specific cybersecurity practices, the rule effectively represents the agency's definition of what constitutes the "reasonable" cybersecurity that is required under California law.
Why did the CPPA issue this rule? Because the state's voters required it, in the California Privacy Rights Act adopted by referendum in 2020. That measure amended the California Consumer Privacy Act to require the CPPA to issue regulations requiring businesses "whose processing of consumers' personal information presents a significant risk to consumers' privacy or security to … perform a cybersecurity audit on an annual basis." The law directs the CPPA to define the scope of the audit and establish "a process to ensure that audits are thorough and independent."
What constitutes a "significant risk" triggering application of the audit requirement? Again, the statute provides the framework, specifying that the factors to be considered in determining when processing may result in a significant risk to security "shall include the size and complexity of the business and the nature and scope of processing activities."