November 27, 2023

CCPA Cybersecurity Audits and Risk Assessments

Draft regulations on CCPA risk assessments and cybersecurity audits issued by the California Privacy Protection Agency (CPPA) give an idea of how to comply with the obligations that are coming

The California Privacy Protection Agency (CPPA) issued draft regulations on risk assessment and cybersecurity audits under the CCPA (California Consumer Privacy Act) as amended by the California Privacy Rights Act (CPRA).

The draft rules on cybersecurity audits are part of the rulemaking process that followed the CPRA amendments, which gave the Agency authority to adopt regulations implementing specific provisions of the act. The CPPA publishes draft regulations on CCPA data privacy issues as part of this process; the full list of CCPA regulations is available from the Agency.

It is important to note that the actual rulemaking process is not done yet. According to the note in the draft regulations, "The Agency has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decision-making technology. The draft text in this document is intended to facilitate Board discussion and public participation and is subject to change."

Simply put, parts of the new regulations still depend on decisions taken at CPPA board meetings and on the preliminary comments received on the proposed rulemaking, so the text may still change.

Nevertheless, we read them for you and extracted the most important requirements. You need to know them because the draft regulations provide an idea of what will be required for compliance with the CCPA once the text is finalized and becomes obligatory for CCPA-bound businesses.

There are two separate documents:

  • One that lays down the rules on how to conduct risk assessments and
  • One on cybersecurity audit requirements and how to conduct a cybersecurity audit properly.

Who must conduct a CCPA Risk Assessment?

Every CCPA-covered business whose processing of consumers' personal information poses a significant risk to consumers' privacy. The draft regulations also prescribe which processing activities are considered to present a significant risk to consumers, including:

  • Selling or sharing personal information;
  • Processing sensitive personal information;
  • Using automated decision-making technology that impacts the rights of consumers, including "the provision or denial of financial or lending services, housing, insurance, education, enrollment or opportunity, criminal justice, employment or contracting opportunities or compensation, healthcare services, or access to essential goods, services, or opportunities";
  • Processing the personal information of children younger than 16 years of age;
  • Processing of personal information in the employment or contractor context, including but not limited to "keystroke loggers, productivity or attention monitors, video or audio recording or live-streaming, facial or speech recognition or detection, automated emotion assessment, location trackers, speed trackers, and web-browsing, mobile applications, or social media monitors";
  • Processing personal information collected in publicly accessible places for the purposes of tracking, such as "wi-fi or Bluetooth tracking, radio frequency identification, drones, video or audio recording or live-streaming, facial or speech recognition or detection, automated emotion assessment, geofencing, location trackers, or license plate recognition"; and
  • Processing personal information to train artificial intelligence or automated decision-making technology.

In all these cases, the processing of personal information presents a significant risk to consumers; therefore, you need to assess your risks.

What must a CCPA Risk Assessment contain?

The CCPA risk assessment must include the following elements:

  • A short summary of the processing activities that pose significant risk to consumers
  • The categories of personal information to be processed and whether they include sensitive personal information
  • The context of the processing activities, including the relationship between the business and the consumers
  • The consumers' reasonable expectations concerning the purpose of processing their personal information
  • The methods of processing personal information, including methods of collection, disclosure, use, sharing, etc.
  • An explanation of how the business applied the data minimization principle
  • Data retention periods
  • The volume of personal information processed
  • The technology used for processing
  • The third parties with whom the personal information will be shared for processing purposes
  • The processing purposes
  • Detailed description of the benefits, including the magnitude and probability of the benefits and the reasons behind such expectations
  • A detailed description of the negative impacts on consumers' privacy associated with the processing, including the sources of these negative impacts, the likelihood of their occurring, and the reasons behind such expectations. The draft regulations further enumerate the categories of negative impacts every business must consider when conducting a risk assessment.
  • Safeguards for data security, how risks are mitigated, and whether the benefits of processing outweigh the negative impacts and risks.

The risk assessment must be updated every time there are changes to privacy practices that would affect its content.

What Are the Additional Requirements for Risk Assessments for Automated Decision Making?

On top of the previously mentioned risk assessment content requirements, businesses that process personal information for automated decision-making, such as credit scoring companies, recruitment companies, and others, need to include additional information.

They need to explain in plain language:

  • Why the business uses automated decision-making
  • What personal information is processed
  • The logic behind the decision-making
  • How the business evaluates the quality of the outputs, among other things

What Are the Additional Risk Assessment Requirements for Training Artificial Intelligence?

On top of all the requirements mentioned above, if a business uses personal information to train AI or automated decision-making technology that it then makes available to others, it must give those recipients a plain-language explanation of how to use the AI or technology appropriately. The business must document in its risk assessment how it has shared, or intends to share, that information with the recipients and the safeguards it has put in place, or intends to put in place, to ensure that the recipients use the AI or automated decision-making technology correctly.

If you use personal information to develop AI or automated decision-making technology and sell it to other businesses, you must give those businesses all the information they need to carry out and document their own risk assessments.


Who Must Conduct the CCPA Cybersecurity Audit?

Some businesses must conduct cybersecurity audits to prove compliance with the CCPA. It is not yet clear who will have the duty to do so.

The draft regulations propose a threshold of deriving at least 50% of annual revenue from selling or sharing consumers' personal information. However, we can expect alternative thresholds to be added, such as the number of employees, annual revenue, or the number of consumers whose personal information the business processes.

What Do the CCPA Cyber Audit Regulations Require?

There are a few basic requirements that cybersecurity audits must meet:

  • Use a qualified, objective, independent cybersecurity professional to audit the business's systems, using procedures and standards generally accepted in the auditing profession, within 24 months of the day the regulations on cybersecurity audits take effect
  • Provide the auditor with all the facts necessary for an independent audit
  • Identify any gaps or weaknesses in the business's systems and the measures planned to correct them
  • Be signed and dated by each auditor and submitted to the business's management, where a designated executive of the business signs it as a certification
  • Submit to the CPPA either a written certification that the business complies with the CCPA cybersecurity audit requirements or a written acknowledgment that it has not yet fully complied, together with details of how the identified weaknesses will be addressed

What Must CCPA Annual Cybersecurity Audits Contain?

The CCPA draft regulations related to cybersecurity prescribe the scope of the audits. The cybersecurity audit will evaluate and record the company's cybersecurity measures, considering its size, complexity, and data processing activities, while also considering current technology and the costs of implementation.

It is not clear yet whether only certain activities will fall under the audit scope or all the processing of personal data.

The audit must specifically evaluate and record different parts of the company's cybersecurity measures. If a component isn't relevant, the audit will note and explain why it isn't needed for protecting personal information and how the existing safeguards offer equal security.

The proposed components include multi-factor authentication, encryption, zero-trust architecture, secure configuration of hardware and software, audit-log management, training, and other safeguards you would expect in cybersecurity programs.

The audit must list each safeguard and explain how the business uses it. If a safeguard is not used, the audit must explain why it is not applicable.

It must also document any notifications the business has made and give details of the persons conducting the audit.

Finally, the audit needs to point out existing weaknesses that pose a threat to consumers' data privacy or even present a significant risk to consumers.

Does the CCPA Apply to Your Business?

After the CPRA amendments, the CCPA applies to every company in the world if:

  • It collects the personal information of California residents, and
  • It (or its parent company or a subsidiary) exceeds at least one of the following three thresholds:
  1. Annual gross revenue of more than $25 million in the preceding calendar year,
  2. Annually buys, sells, or shares the personal information of at least 100,000 California consumers or households, or
  3. Derives at least 50% of its annual revenue from selling or sharing California residents' personal information.

Final Thoughts

To prepare for the duties arising from the regulations on cybersecurity audits and risk assessments, we suggest that you be prepared no matter what, because:

  • If you are unsure whether the CPPA would require your business to conduct a risk assessment or an audit of its cybersecurity systems, the safe course is to be proactive and do the work.
  • The draft regulations will still change, but they will nonetheless affect your business if it conducts any of the data processing described in this article.
  • The audit covers safeguards that every privacy-conscious and security-conscious business would implement anyway.

These regulations are still at least a few months away from taking effect. We'll keep you updated on their requirements.
