New CPPA draft regulations address AI, cybersecurity audits, and risk assessment
The California Privacy Protection Agency (CPPA) was established by the California Privacy Rights Act of 2020 (CPRA) to implement and enforce the CPRA. Recently, the CPPA published updated draft regulations in several areas, notably the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations. Many of the updates address the implications of Artificial Intelligence (AI) and Automated Decision-making Technology (ADT). The audit and assessment requirements will go into effect 24 months after the effective date of the final regulations, which are not expected until late 2023 at the earliest.
As everything published by the CPPA has so far been for discussion purposes and comment only, everything considered in this article is subject to change.
Cybersecurity Audits
The CPPA’s duties include the ability to require annual cybersecurity audits for all processors of personal information (PI) where that processing presents ‘significant risk to consumers’ privacy or security.’[1] Service providers or contractors that collect PI pursuant to contracts with a business may be required to assist those businesses with their audits, including making available all information that a cybersecurity auditor deems necessary. Providers may also have to help a business communicate ADT-related information to consumers. In addition, any company collecting or owning PI about a California resident must implement reasonable security procedures to protect the PI, and must require third-party entities receiving that PI to do the same if they are not already compliant.
The audit is a detailed process and, at minimum, requires:[2]
- An independent auditor, internal or external, who may not be involved in the business’ cybersecurity program or other business activities reviewed during the audit. If internal, the auditor may not perform the audit under supervision of anyone with direct responsibility for the cybersecurity program.
- The auditor to have access to all relevant information, as determined by the auditor.
- The business to disclose, and not misrepresent in any manner, all relevant facts.
- The audit to articulate the specific scope, criteria and evidence for its decisions and assessments. The auditor must explain the appropriateness and sufficiency of the evidence supporting each finding, and may not rely primarily upon assertions by management.
- The audit to assess, document and summarize all components of the cybersecurity program, and to specifically identify present issues, past issues and corrections to past issues.
- The auditor’s qualifications.
- An attestation of independent review.
- The audit to be reported to the business’ highest body.
- The highest body to sign a statement confirming the independence of the review and the authority of the signing body.
- The auditor must retain all documents for at least 5 years.
The CPPA acknowledges that audits, and their costs, are not a one-size-fits-all program. Audits of cybersecurity programs shall be conducted with reasonable consideration of each business, including its size as well as the modernity and cost of its cybersecurity program. The CPPA is evaluating a second prong that would frame the audit in terms of how a cybersecurity program protects against either:[3]
- Unauthorized access, destruction, use, modification, disclosure or loss of availability
- Impaired consumer control
- Economic harm
- Physical harm
- Psychological harm, and
- Reputational harm
Or
- Cybersecurity incidents, and
- Cybersecurity threats
In addition, audits shall assess 3 components of a cybersecurity program: (1) the establishment, implementation and maintenance of the program itself, (2) the safeguards in place to protect PI and (3) the actual implementation of the prior two components. The CPPA is particularly concerned about sufficient safeguards, providing an extensive list of factors to consider, including:
- Authentication, including MFA;
- Encryption of PI;
- Zero trust architecture;
- Account management/access controls, including limiting access by necessity and restricting creation of privileged and/or new accounts;
- Inventory and management of PI;
- Secure configuration of hardware;
- Vulnerability scans, pen-testing and vulnerability disclosure;
- Audit-log management;
- Network monitoring and defense;
- Antivirus and antimalware;
- Segmentation of information systems;
- Limitation and control of ports, services and protocols;
- Cybersecurity awareness, education and training;
- Secure coding and development best practices;
- Oversight of third parties;
- Retention and disposal schedules;
- Incident response management; and
- Business continuity or disaster-recovery plans
The audit shall assess the effectiveness of the 3 components, identify gaps or weaknesses and document the business’ plan to address those issues. The audit should also include descriptions of any prior notifications regarding privacy or data processing made in any jurisdiction, along with the related remediation measures, descriptions of any prior notifications made under the Information Practices Act of 1977 and/or to the California Attorney General, and descriptions of any security breaches involving PI.
A cybersecurity audit performed for another law or regulation may be applied as the audit for CPPA regulations if it meets all requirements for a CPPA audit.[4] In addition, the CPPA anticipates lowering the number of businesses that would potentially be subject to an annual cybersecurity audit.[5] The current threshold applies to companies deriving 50% or more of their annual revenue from selling PI, but the CPPA is considering the following alternatives:[6]
- Annual gross revenues exceeding $25 million AND any of the following:
  - Processing annually the PI of 1 million or more consumers/households; or
  - Processing annually the sensitive PI of 100,000 or more consumers; or
  - Processing annually the PI of 100,000 or more consumers whom the business had actual knowledge were under 16 years old at the time of processing
- Annual gross revenues above a threshold (amount TBD)
- Number of employees above a threshold (amount TBD)
The CPPA is considering these size and income thresholds in part to minimize the burden on smaller entities.
Finally, each business subject to an audit must annually provide a written certification that the business did or did not comply with the requirements and, if not, identify specific noncompliance and remediation plans.
Risk Assessment
The CPPA’s duties will also include the ability to require regular risk assessments for processors of personal information.[7] Service providers that collect PI pursuant to contracts with a business may be required to assist those businesses with their risk assessments. Risk assessments must be performed before any processing of PI that “presents significant risk to consumers’ privacy”, which includes:[8]
- Selling or sharing personal information;
- Processing sensitive personal information (with employment-based exceptions);
- Using ADT;
- Processing the information of children under the age of 16;
- Using technology to monitor the activity of employees, contractors, job applicants, or students;
- Processing PI of consumers in publicly accessible places using technology to monitor behavior, location, movements, or actions; or
- Processing PI to train AI or ADT.
The risk assessments themselves must be evaluated and updated at least once every 3 years, and possibly as often as annually.[9] In addition, businesses must update their assessment whenever any ‘material’ change in processing occurs; the CPPA identifies 15 such changes, including the purpose of processing, consumers’ reasonable expectations, negative impacts, and the output(s) of ADT.
Risk assessments will have broad scope and should include representatives from across the business’ organizational structure, including product, compliance and other teams, as well as external parties such as service providers, academics or even consumers. The assessments currently include 9 elements:[10]
- Summary of processing
- Categories of PI
- Context of processing
- Consumers’ reasonable expectations about purposes of processing of PI
- Operational elements, including 6 criteria at minimum
- Purpose of processing PI
- Negative impacts to privacy from processing PI
- Safeguards to address those negative impacts
- Assessment of whether the negative impacts, after applying the safeguards, are outweighed by the benefits
If the risks outweigh the benefits, the processing is not allowed.[11]
The CPPA drafts added an additional element concerning the benefits of processing PI to the business, consumers, other stakeholders and the public, expanded element #7’s negative impact analysis with 9 specific criteria, and proposed a further 3-4 elements concerning the specific internal and external parties engaged in the risk assessment.
When a business would otherwise have to perform multiple risk assessments, a single risk assessment may be performed on comparable activities, meaning similar processing activities presenting similar risks to consumer privacy. A risk assessment performed for another law or regulation may be substituted for the CPPA assessment if it meets all CPPA requirements. Records of risk assessments must be provided to the CPPA and/or the California Attorney General on request, with a summary submitted annually, and must be kept for 5 years.
Automated Decision-making Technology
Any business using ADT for processing has additional proposed provisions to consider as well.[12] An ADT-using business’ risk assessment should include “a plain language explanation of”:[13]
- The purpose for ADT usage;
- The PI Processed;
- The output(s) obtained from the ADT and how they are used;
- The steps to maintain quality of PI during ADT processing;
- The ADT logic;
- The business’ evaluation of the ADT’s “validity, reliability, and fairness”, with numerous specific sub-points;
- Why the business did not use third parties to prepare its risk assessment, if applicable;
- Degree and details of human involvement with ADT; and
- Safeguards to address negative impacts to privacy from processing PI specific to ADT.
Finally, any business that wants to process PI in order to train AI or ADT must explain its purposes for doing so, and must document its risk assessment and any safeguards, both to consumers and to any recipient businesses that use the resulting AI/ADT.
If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.
[1] Civil Code section 1798.185, subdivision (a)(15)(A)
[2] §7122
[3] §7123(b)
[4] §7123(h)
[5] https://www.law.com/radar/card/california-regulator-might-narrow-who-has-to-conduct-annual-cyber-audits-403-92840/
[6] §7120
[7] Civil Code section 1798.185, subdivision (a)(15)(B)
[8] §7150(b)
[9] §7156
[10] §7152
[11] §7155
[12] §7153
[13] The CPPA explicitly and repeatedly lists ‘a plain language explanation’ for every point and some sub-points listed in the draft proposals.