Ahead of its September 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft regulations on cybersecurity audits and risk assessments. Public comments will be requested once the formal rulemaking process begins, so the draft regulations remain subject to change. Below are the key takeaways:
Cybersecurity Audits
- New cybersecurity audit requirement. Certain categories of businesses would be required to perform cybersecurity audits. The Board will consider several options for the thresholds a business must meet to be subject to the requirement, such as the number of consumers whose personal information the business has processed in the past year and whether the business reached a certain annual gross revenue.
- Timing. A business subject to the audit requirement would have 24 months from when the rules go into effect to complete its first audit and would be required to complete an audit annually thereafter.
Read more of this article at Inside Privacy.