ARTICLE
17 December 2024

California's Privacy Regulator Had A Busy November, Cybersecurity Audits And Insurance Edition: What Does It Mean For Businesses?

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

In the fourth in our series of new CCPA regulations from California, we look at both cybersecurity audit obligations as well as the impact of the CCPA on the insurance industry.

Cybersecurity Audits

The proposed rules address the cybersecurity audit obligations anticipated under the CCPA (Cal. Civ. Code 1798.185(15)). The new proposed rules incorporate much of what was contemplated in the August 2023 version, but also make some changes. These are detailed below:

  • Applicability: Carried over from the August version of the proposed rules. If adopted, companies would be required to conduct a cybersecurity audit and submit it to the CPPA if their processing of personal information presents a "significant risk" to consumers' privacy or security.
  • Timing: The first audit would need to be completed within 24 months of the effective date of the proposed regulations, and annually thereafter. These obligations have not changed from the prior proposal.
  • Process: Carried over from the prior version of the proposed rules. The audit would need to be conducted by independent auditors, who may be either external or internal professionals who are qualified and use "generally accepted" audit standards. Audit results must be presented to the board or management, who in turn must certify the audit findings and certify that they did not attempt to influence its conclusions.
  • Contents: As under the previous version of the rules, the audit would need to evaluate the effectiveness of the cybersecurity program and identify any gaps and the remediation steps taken. It would also need to specifically name the auditors and their qualifications (and the auditors must certify the audit). The audit must evaluate a myriad of items that make up the company's cybersecurity program, including authentication, encryption, virus controls, hardware and software security, access controls, and more. It would also need to document the company's written cybersecurity program and its appropriateness to the size and complexity of the business's data processing activities. If the company has had a reportable breach, the audit would also need to include, among other things, a copy of the notice made to impacted individuals and regulatory authorities. The audit must also evaluate how the company prepares for and handles data security incidents. The updated version of the rule adds unauthorized access, and unauthorized activity resulting in the loss of personal information, to the definition of a "security incident." The updated rules also remove the requirement to report the number of hours each auditor worked on the audit.

Applicability to Insurance Industry

The proposed rules also clarify when the CCPA applies to those in the insurance industry: namely, when the CCPA provides greater consumer protections than the Insurance Code, and when the information is not otherwise subject to the Insurance Code (for example, information collected outside of an insurance transaction). The agency gives examples, including an insurance company using website visitor information to serve targeted ads across multiple company sites. In that instance, the company must honor Global Privacy Control (GPC) signals and opt-out requests.
