Comply or risk class-action litigation? IAPP explains:
Last year, the California Privacy Protection Agency adopted a major new rule requiring certain businesses to conduct an annual cybersecurity audit. The rule went into effect 1 Jan. 2026. This pioneering requirement, the first of its kind among state data privacy laws of general applicability, may entail substantial compliance efforts for affected companies to identify and correct cybersecurity shortcomings. While compliance concerns may generate new anxiety, the audit requirement’s impact on data breach litigation could have equally significant long-term implications for businesses operating in California.
The compliance requirements are considerable and complex, covering eighteen different technical and organizational components of an entity’s cybersecurity practice. Under the rule, covered entities are required to submit to the agency, each calendar year, a written certification that the business has completed a cybersecurity audit report that meets the rule’s standards.
Although the report itself does not need to be filed, the need to create and certify one highlights an item of high interest to a plaintiff’s counsel. As a result, the audit will likely become a focal point of plaintiffs’ discovery requests in data breach class actions as they seek to prove negligence or violations of state data privacy laws.
Read more at IAPP.
