Analysis

California's cybersecurity audit rule and its impact for class litigation

This article explores California’s new cybersecurity audit requirement and its potential to increase litigation risk for covered businesses.


Contributors:

Charles Westerhaus

CIPP/E, CIPP/US, CIPM, FIP

Associate

Faegre Drinker Biddle and Reath LLP

Lukas Stoutenour

Associate

Faegre Drinker Biddle and Reath LLP

Craig Heeren

Partner

Faegre Drinker Biddle and Reath LLP

Last year, the California Privacy Protection Agency adopted a major new rule requiring certain businesses to conduct an annual cybersecurity audit. The rule went into effect 1 Jan. 2026. This pioneering requirement, the first of its kind among state data privacy laws of general applicability, may entail substantial compliance efforts for affected companies to identify and correct cybersecurity shortcomings. While compliance concerns may generate new anxiety, the audit requirement's impact on data breach litigation could have equally significant long-term implications for businesses operating in California. 

The compliance requirements are considerable and complex, covering eighteen distinct technical and organizational components of an entity's cybersecurity program. Under the rule, a covered business must submit to the agency each calendar year a written certification that it has completed a cybersecurity audit report meeting the rule's standards.

Although the report itself does not need to be filed with the agency, the obligation to create and certify one produces a document of obvious interest to plaintiffs' counsel. As a result, the audit report will likely become a focal point of plaintiffs' discovery requests in data breach class actions as they seek to prove negligence or violations of state data privacy laws.

Discovery and privilege

With the rise in cybersecurity, data breach and privacy-related litigation, plaintiffs are increasingly seeking materials they can leverage to argue that a business's cybersecurity or privacy practices are deficient or negligent in some fashion. Cybersecurity audit reports and risk-assessment narratives will therefore be compelling discovery targets, particularly because the rule requires the business to identify gaps and weaknesses in its security posture. Additional materials generated during an audit, such as supporting analyses, drafts, internal communications and documentation showing when risks were identified and how they were addressed, will likewise be of substantial interest.

