
Security Requirements come to the CCPA

It’s October, Cybersecurity Awareness Month, and I thought this would be a good time to talk about the recently finalized cybersecurity requirements issued by the California Privacy Protection Agency (CPPA) for the California Consumer Privacy Act (CCPA). These regulations are the first time a state-level privacy law has been this descriptive about what it expects, and I suspect they will serve as a blueprint for other states in the future.

Note: The following talks about regulations and security. You are advised to seek out qualified counsel or security personnel to assist you with your specific situation.

The cybersecurity requirements begin on page 88 of the finalized regulations and will require that companies subject to the CCPA attest to the CPPA by:

  • April 1, 2028, if the business makes over $100 million;
  • April 1, 2029, if the business makes between $50 million and $100 million; or
  • April 1, 2030, if the business makes less than $50 million.

So while the initial glance at these deadlines may cause businesses to think they have time prior to enforcement, it’s worth noting the scope of the assessments before drawing such a conclusion. Depending on the current state of a cybersecurity program, there may be considerable work to be undertaken in order to pass an audit. That work effectively cuts down the time that may be available to begin preparing.

What’s in an assessment?

The regulations make clear that if an audit is required, it must assess how the business established, implemented and maintains its security program. The auditor (discussed below) must evaluate specific items defined by the regulations, as well as anything else they consider applicable to the business.

The audit must assess, where applicable:

  • Authentication, with specific mention of Multi-Factor Authentication and password requirements.
  • Encryption – both at rest and in transit
  • Account Management and Access Controls
  • Inventory and Management of personal information used by the business’s information system
  • Secure configuration of hardware and software (including items such as patching, cloud, and change management)
  • Internal and External vulnerability scans, and penetration testing.
  • Audit-Log Management
  • Network monitoring and defenses, including items like Data Loss Prevention systems, bot detection, intrusion detection and intrusion prevention.
  • Anti-Virus / Malware protections
  • Segmentation of the system (firewalls, routers, switches)
  • Limitation and control of ports, services and protocols
  • Cybersecurity awareness (how the business maintains knowledge of current cyber threats and countermeasures)
  • Cybersecurity education and training (inclusive of contractors)
  • Secure Development and coding best practices, inclusive of code reviews and testing.
  • Oversight of service providers and contractors (Third Party Risk Management)
  • Data Retention Schedules and proper disposal of personal information.
  • How the business manages responses to security incidents (Incident Response Plans)
  • Business-continuity and disaster recovery plans.

Depending on the current state of a cyber program, it can easily take some organizations years to design and implement all of the above. Organizations are strongly encouraged to begin work early to ensure they have enough time.

The Audit Report

California has two pages of requirements for information on what the report must contain. Notably, if the business undertakes other audits (such as SOC 2 Type II or ISO 27001) it may be able to reuse those, provided it also meets all the requirements under the CCPA regulations.

Certification

The business will be required to conduct an audit and submit a certification to the agency no later than April 1st of the year following the year in which the business was required to complete the audit.

Notably, however, this attestation must be completed by a member of the business’s executive team who is responsible for cybersecurity audit compliance, has sufficient knowledge of the audit to provide accurate information, and has the authority to submit it to the agency. The executive would have to submit the information under penalty of perjury. This is a shift in risk and liability that should be discussed with the executive team well in advance of the mandatory submission deadlines.

Choosing an Auditor

California also has requirements over who can be considered a qualified auditor. It will be critical for businesses to ensure their auditors have the proper qualifications prior to undertaking an audit.

Auditors are required to be qualified, objective, and independent. They must use the procedures and standards of the profession of auditing such as those from one of the following organizations:

  • American Institute of Certified Public Accountants (AICPA)
  • The Public Company Accounting Oversight Board (PCAOB)
  • The Information Systems Audit and Control Association (ISACA), or
  • International Organization for Standardization (ISO)

It should be noted that several of the above organizations have mandatory work-experience requirements to qualify as a certified auditor. ISACA, for instance, offers the Certified Information Systems Auditor certification. This certification has a 5-year work experience requirement, although waivers for education in the field can reduce it. The important thing to realize here is that not just anyone can qualify for auditor certification. It typically requires work experience, and businesses will need to verify this while selecting an auditor.

Auditors additionally need knowledge of cybersecurity and of how to audit a business’s cyber program. While the regulations do not go into much detail here, I would venture this would be best reflected in degree work and/or professional certifications in cybersecurity.

The regulations do state, however, that the auditor can be internal. If this is the case, the auditor must still be independent. Effectively, the team responsible for security can’t check its own homework, and the auditor can’t take direction from management.

The auditor will evaluate the program based on the specific evidence provided by the business, but cannot rely primarily on the assertions of the business’s management. This means that the team responsible for compliance will need to have everything documented for the auditor. This documentation process can consume large amounts of time, so I encourage affected companies to begin preparation work sooner rather than later.
