CPPA’s Draft Cybersecurity Audit and Risk Assessment Regulations


The California Privacy Protection Agency (CPPA) has released its agenda for the September 8 board meeting, which includes (among other topics) a presentation of the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations. The formal rulemaking process has not yet begun; these drafts are being submitted for discussion by the Board, with options for the Board to consider and for public participation. When enacted, these regulations will impose the most stringent audit and risk assessment requirements of any US privacy law on covered businesses, service providers, and contractors.

Cybersecurity Checklist

Service providers and contractors should review this draft to understand what the CPPA may expect of a cybersecurity audit. The draft includes requirements for service providers and contractors, including assisting the businesses that are required to comply with the CCPA/CPRA in meeting the audit regulation.

Takeaways from this initial draft include details regarding scope, timelines, and auditor independence. The draft requires that a cybersecurity audit:

  • evaluate, document, and summarize each applicable component of the covered business’s cybersecurity program;
  • identify any gaps or vulnerabilities in the covered business’s cybersecurity program;
  • address the status of any gaps or vulnerabilities identified in any previous cybersecurity audit; and
  • identify any corrections or amendments to any previous cybersecurity audit.

Risk Assessment Checklist

The draft Risk Assessment Regulations include important definitions that the CPRA delegates to the CPPA, including definitions of artificial intelligence and automated decision-making technology. As with the Cybersecurity Audit Regulations, the Risk Assessment Regulations set out requirements for service providers and contractors, including assisting covered businesses with risk assessments and providing “helpful information” to consumers about their automated decision-making technology. The Risk Assessment Regulations detail the specific information that must be included in a risk assessment and require that every covered business whose processing of consumers’ personal information presents a “significant risk to consumers’ privacy” conduct a risk assessment before initiating that processing. Under the draft, such processing includes:

  • selling or sharing personal information;
  • processing “sensitive personal information”, with some exceptions;
  • using automated decision-making technology under certain specified circumstances; and
  • processing consumers’ personal information to train artificial intelligence or automated decision-making technology.

Although these are only drafts for discussion, businesses (including service providers and contractors) should review them carefully, as they are likely to have significant operational impacts.
