CPPA’s Draft Cybersecurity Audit Regulation – Everything You Need To Know

With the CPPA’s draft cybersecurity regulation in the pipeline, staying ahead of the curve is more critical than ever. In this article, you’ll learn about its proposed mandatory audits, technical requirements, and what they mean for your business.

Let’s get started!

Table of Contents

  1. The beginnings of California Privacy Protection Agency (CPPA)
  2. CPPA’s draft cybersecurity: The rulemaking process
  3. Groundbreaking requirements
  4. CPPA’s draft cybersecurity: Mandatory safeguards
  5. Additional technical safeguards
  6. Integrated approach 
  7. California Privacy Protection Agency’s draft cybersecurity: Getting ready
  8. Key takeaways

California Privacy Protection Agency (CPPA): The beginnings

Born in the heart of California, the California Privacy Protection Agency (CPPA) is a testament to the state’s unwavering commitment to protecting the privacy rights of its residents.

Established in November 2020, this agency was designed to be at the forefront of protecting personal information against data breaches and unauthorized use of data across an ever-expanding digital footprint.

But what sets CPPA apart from its predecessors?

The answer lies in its dedication to adapting and innovating, keeping pace with the ever-evolving landscape of data privacy. While the California Consumer Privacy Act (CCPA) laid the foundation for individual data protection, CPPA takes one step further, addressing the pressing need for robust cybersecurity measures.

The draft for the Cybersecurity Audit Regulation represents a bold stride towards ensuring that organizations not only respect individuals’ privacy but also secure their data from growing cyber threats.

CPPA’s Draft Cybersecurity: The Rulemaking Process 

At the September 8, 2023 Board meeting, there was an extensive discussion about the applicability of the audit requirement. Some board members stressed the need for a cybersecurity audit rule that applies to all businesses and is implemented gradually.

NOTE: The CPPA clarified that it has not started the formal rulemaking process. The goal of this board meeting was for the subcommittee to consider feedback from the CPPA and come back with a revised draft of the cybersecurity audit rule at the next board meeting.

Although the Agency has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decision-making technology, the draft shows the intention to impose extensive obligations on businesses that would be legally mandated to undergo comprehensive cybersecurity assessments.

The draft uses language very similar to well-known information security standards, such as ISO 27001. It creates a broad definition that might impact most organizations doing business in California:

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5. 

It also sets the technical tone of the document by including information security jargon in the definition section, such as: 

  • Multi-factor authentication 
  • Penetration test 
  • Privileged Account 
  • Zero Trust Architecture

These are a few examples of technical aspects that differentiate the CPPA’s draft from existing privacy regulations. 

Groundbreaking Requirements  

Let’s discuss an alternative approach to safeguarding data and ensuring privacy. This approach differs from regulations such as Europe’s General Data Protection Regulation (GDPR) and Brazil’s General Personal Data Protection Act (LGPD).

Here are the key differentiators:

  • Emphasis on Cybersecurity: While GDPR and LGPD touch upon cybersecurity, the CPPA’s draft regulation places a more explicit emphasis on it. It requires organizations to undergo regular cybersecurity audits to assess the effectiveness of their security measures. This is a notable departure from GDPR and LGPD, which primarily focus on data protection principles and data subject rights.
  • Mandatory Audits: The CPPA’s Cybersecurity Audit Regulation mandates cybersecurity audits for certain organizations, whereas GDPR and LGPD do not explicitly require cybersecurity audits as standard practice. This makes the CPPA’s approach more prescriptive and directive in ensuring that organizations are actively assessing and enhancing their cybersecurity posture.
  • Risk-Based Approach: CPPA’s draft regulation adopts a risk-based approach to cybersecurity, requiring organizations to evaluate and mitigate risks that could lead to data breaches. This approach is aligned with modern cybersecurity best practices, encouraging organizations to proactively identify and address vulnerabilities.
  • Incident Response Planning: CPPA’s regulations place a strong emphasis on incident response planning. Organizations subject to CPPA audits are required to have robust incident response plans in place, ensuring that they are well-prepared to respond to and mitigate data breaches.
  • Coordinated Efforts with Other Regulations: GDPR and LGPD primarily operate independently, and organizations must separately comply with each. CPPA, on the other hand, aligns with GDPR in certain areas, allowing organizations to harmonize their compliance efforts to some extent. This coordination is intended to facilitate compliance for organizations that operate globally.  

CPPA’s draft brings a prescriptive approach to data security, while GDPR and LGPD set foundational principles for data protection. That means stricter requirements and closer oversight, with little room to sidestep the regulation.

Businesses will have 24 months to align their Information Security Compliance Programs to the requirements once the text becomes law. After that, annual audits will be mandatory.  

CPPA’s Draft Cybersecurity: Mandatory Safeguards 

CPPA’s safeguards are designed to enhance data security, and they differ considerably from the controls GDPR currently requires. Below is a summary of each requirement, a comparison with the closest GDPR requirement, and a few examples of implementation:

1) Authentication: 

CPPA: Requires multi-factor authentication (MFA) resistant to phishing attacks and strong unique passwords/passphrases. 

GDPR: While GDPR encourages strong authentication, it doesn’t provide specific password criteria or MFA requirements. 

Example: Employees should use MFA when accessing sensitive systems, such as a password combined with a smart card or a fingerprint scan. Passwords should be at least eight characters long, not on a common password list, and not reused.
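The three password criteria in this example (minimum length, not on a common password list, not reused) can be enforced at password-change time. The following is an added illustration, not code from the article or from any CPPA material; the three-entry common-password set is a constructed stand-in for a real breached-password corpus, and the reuse check compares against salted PBKDF2 hashes so that the history never stores plaintext.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8  # the minimum stated in the draft's example

# Constructed sample; a deployment would load a full common/breached list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the reuse history holds no plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(password: str, history: list) -> None:
    """Append the (salt, digest) pair of an accepted password to the history."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))


def check_password(candidate: str, history: list) -> list:
    """Return the policy violations for a candidate; an empty list means accepted.

    history is a list of (salt, digest) pairs produced by record_password().
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("on common password list")
    # Constant-time digest comparison against every previously used password.
    for salt, digest in history:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            failures.append("reused")
            break
    return failures
```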

2) Encryption

CPPA: Demands encryption of personal information at rest and in transit. 

GDPR: GDPR also requires data encryption but doesn’t specify encryption methods as explicitly as CPPA. 

Example: Personal data stored on servers should be encrypted using industry-standard encryption algorithms. Data transmitted over networks should be encrypted using secure protocols like TLS. 

3) Zero Trust Architecture

CPPA: Emphasizes Zero Trust Architecture with encrypted and authenticated connections within the information system. 

GDPR: GDPR doesn’t explicitly mention Zero Trust but emphasizes data protection through various means, including access controls. 

Example: Implementing Zero Trust may involve treating all network traffic as untrusted and requiring authentication and encryption for all network communications, regardless of location.

4) Account Management and Access Controls

CPPA: Mandates restrictions on privileges and access for employees, service providers, contractors, and third parties. 

GDPR: GDPR also requires access controls and privileges but does not provide as detailed guidance on privilege restrictions as CPPA. 

Example: Employees should have access only to data necessary for their job roles, with access revoked upon role changes or termination. Service providers should access data only as specified in their contracts. 

5) Inventory and Management

CPPA: Requires inventories of personal information, hardware, and software, as well as hardware and software approval processes. 

GDPR: GDPR mandates data mapping and documentation of processing activities but does not specify hardware and software inventories as explicitly as CPPA. 

Example: Organizations should maintain detailed records of where personal data is stored and the technology used. They must also establish a procurement process to replace any aging software or hardware. 

6) Secure Configuration

CPPA: Enforces secure hardware and software configurations, patch management, and change control. 

GDPR: GDPR touches on security measures but does not prescribe specific configurations and change management procedures as CPPA does. 

Example: Organizations should regularly update software, apply security patches promptly, and have a change management process to prevent unauthorized changes. 

Additional Technical Safeguards

The CPPA introduces additional safeguards, such as vulnerability scanning, audit-log management, network monitoring, and disaster recovery plans.

Examples: Vulnerability scans should be conducted regularly, logs stored centrally, networks monitored for suspicious activities, and disaster recovery as well as data backup plans should be in place. 

CPPA’s draft is also very prescriptive about the implementation and management of the following processes:  

1) Incident Management

CPPA: The CPPA’s draft regulation places significant importance on incident management. It defines a security incident as an occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information it processes. It mandates the development of an incident response plan and testing of security incident response capabilities. 

Example: An organization should establish an incident response plan that outlines specific procedures for detecting, responding to, limiting the consequences of, and recovering from security incidents. Regular testing of this plan ensures readiness. Incident response should also include documentation, reporting, and notification to relevant parties as per legal requirements. 

2) Business Continuity

CPPA: CPPA’s draft regulation underscores the importance of business continuity and disaster recovery plans. It specifies the need for data recovery capabilities and backups. 

Example: An organization should develop comprehensive business continuity and disaster recovery plans that include processes for data recovery and backup strategies. These plans should ensure that essential business operations can continue in the event of disruptions, such as natural disasters or cyberattacks. 

Tips For an Integrated Approach 

As the California Privacy Rights Act (CPRA) will mandate cybersecurity audits, organizations might be able to leverage existing ISO 27001:2022 and SOC 2 Type II controls. The controls provide a robust framework and could well align with CPRA mandates and help avoid duplicate work.

ISO 27001:2022 is an internationally recognized standard, and reviewing the controls under the light of CPRA requirements provides several advantages.

  • Risk Assessment: ISO 27001 emphasizes a comprehensive risk assessment process, helping you identify and prioritize cybersecurity risks specific to your organization. 
  • Controls and Documentation: The standard offers a comprehensive set of technical, administrative and physical controls. If you have those implemented, most likely, you will have the majority of CPRA requirements covered. 
  • Audits: ISO 27001 already requires annual audits. We won’t know whether the regulation will specify a certification body or audit plan until the rulemaking is finished. In that case, a combined audit is the best way to reduce business disruption and costs.

The same applies to organizations with an existing SOC 2 Type II program. This attestation standard is designed to assess the effectiveness of controls related to the security, availability, processing integrity, confidentiality, and privacy of customer data, a scope very much aligned with CPRA’s audit requirements.

California Privacy Protection Agency’s Draft Cybersecurity: Getting Ready

So what separates CPPA from other regulations? It’s all about their commitment to evolving with the times and how prescriptive they are. Their draft for the Cybersecurity Audit Regulation sets the tone for what is about to come in the privacy world.   

Privacy authorities want to make sure organizations implement an effective cybersecurity program, and they intend to keep a close eye on it. While it’s not official yet, it’s clear they’re gearing up to mandate extensive cybersecurity obligations on businesses.

It won’t be just about checking boxes. CPPA wants incident response plans that can handle the different phases of a data breach. They want multi-factor authentication, strong data encryption, zero-trust architecture, and granular access control.   

Want Better Compliance?

Save yourself the headache of manually managing GRC and schedule a demo with our team and see how you can streamline NIST SP 800-53 and FedRAMP compliance.

In the end, CPPA is shaking up the privacy and security game and, finally, giving us something new.

With CPPA preparing to introduce groundbreaking cybersecurity requirements, now is the time to prepare your organization for compliance. Don’t get caught off-guard.

Contact us today to learn more about how you can align your cybersecurity efforts with CPPA mandates, or book a demo to see StandardFusion’s GRC platform in action! 

Key Takeaways

  • While the California Consumer Privacy Act (CCPA) set a base for individual data protection, CPPA is advancing cybersecurity measures further. The Cybersecurity Audit Regulation draft signifies CPPA’s efforts in ensuring organizations respect privacy and protect data against cyber threats. 
  • Compared to GDPR and LGPD, CPPA emphasizes mandatory cybersecurity audits, risk-based strategies, incident response planning, and coordination with other regulations. Businesses will have a 24-month window to align with these requirements. 
  • The CPPA draft is explicit about the implementation and management of processes like incident management and business continuity. It requires procedures like multi-factor authentication, robust data encryption, zero-trust architecture, and granular access control. 
  • CPPA’s regulations have elements aligning with international standards like ISO 27001:2022 and SOC 2 Type II controls, allowing businesses to leverage existing frameworks and reduce redundancy in compliance efforts.