California Proposes Cybersecurity Audits and Annual Compliance Certifications

by John DiGiacomo

Partner

Internet Law

Online cybercriminal activity has been rampant for at least the last couple of decades. The media and news are full of stories and reports about hacking, ransoms, cybertheft, denial of service attacks, and other forms of online criminal behavior. At the federal level, lawmakers have enacted laws that criminalize such behavior and that require reporting and compensation when consumer data is stolen. Similar laws exist at the State level.

California regulators have gone a step further and have proposed requiring that businesses conduct annual cybersecurity audits and submit compliance certifications. The new regulations have been proposed by the California Privacy Protection Agency (“CPPA”), which was created to enforce and issue regulations related to the California Consumer Privacy Act (“CCPA”) (and its various amendments). The CCPA is generally focused on consumer data privacy, but part of the CCPA mandates that businesses maintain a certain level of appropriate and reasonable cybersecurity for consumer data that is collected and retained. The proposed regulations are expected to be approved and will begin taking effect in April 2028.

Privately conducted and internal cybersecurity audits are already “normal” for businesses that have any sort of large online presence or that use computer systems for any significant proportion of their operations. However, such audits would now be officially mandated by the proposed California CPPA regulations. Since many States have enacted consumer data privacy statutes, and since many of those statutes contain similar cybersecurity requirements, it is reasonable to assume that the CPPA’s regulations will serve as a template for other States.

As noted, under the regulations, audits will be mandatory and must be conducted annually. In addition, “compliance certificates” related to the audits must be filed annually with the CPPA. Further, audits must now be done by “qualified, objective, independent professionals using accepted auditing standards.” The auditors can still be internal to the organization, but must have the training and experience to use the “accepted auditing standards.”

The regulations require assessment of a long list of potential cybersecurity issues, including the following:

  • Proper and state-of-the-art equipment
  • Software tested against “back-doors” and other vulnerabilities
  • Added software protections against viruses/malware
  • Configuration of data systems — including hardware, software, and all devices
  • Network configuration, monitoring, and defenses, including network segmentation
  • Controls on employee and vendor use of their own devices/software
  • User authentication — employee, third-party, vendor, and consumer (where applicable)
  • Encryption where needed (such as for personal data)
  • Access controls — for physical locations, for each device, and for wireless/online access
  • Personnel training
  • Contractual mandates — employee, third-party, vendor, and consumer
  • Data inventories, use, disposal/destruction schedules, etc.
  • Vulnerability testing
  • Logs of actual and attempted cybercriminal efforts — both external and internal
  • Incident responses
  • Recovery and remediation policies and testing

For what it is worth, this is an excellent checklist for building a cybersecurity program at new businesses or at those without existing cybersecurity policies. Assuming final approval, the CPPA regulations will go into effect on April 1, 2028, for businesses with over $100 million in annual gross revenue; on April 1, 2029, for businesses with over $50 million in annual gross revenue; and on April 1, 2030, for all other businesses.

Contact the Cybersecurity and Consumer Data Privacy Attorneys at Revision Legal

For more information, contact the experienced Cybersecurity and Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
