California's privacy laws are the gifts that keep on giving. The state regulator released draft regulations in 2023 that, if made effective, would require covered businesses to conduct an annual cybersecurity audit. Such audits would have to be performed by an outside, independent auditor and cover a prescribed list of security measures and benchmarks. The draft regulations would also require those companies to self-certify compliance to the regulator each year. We should know more next year about the direction the draft regulations will take.
Why It Matters
The draft regulations would require only companies whose processing of personal information presents a “significant risk” to California consumers to undergo the audit and certification process. This threshold requirement may exempt many small businesses: the agency proposes to define “significant risk” by the size of the business (measured in both revenue and the amount of personal information processed), rather than by the purposes for which it uses personal information. However, small businesses that provide services to large enterprises may be subject to customer contract requirements to comply with the security provisions (even if they are not themselves required to conduct an annual audit). The regulations are unusually detailed regarding specific security measures, and thus could make life difficult even for companies that are not directly regulated.