California's Privacy Regulator Had A Busy November, Cybersecurity Audits And Insurance Edition: What Does It Mean For Businesses?

In the fourth in our series of new CCPA regulations from California, we look at both cybersecurity audit obligations as well as the impact of the CCPA on the insurance industry.

Cybersecurity Audits

The proposed rules address the cybersecurity audit obligations anticipated under CCPA (1798.185(15)). The new proposed rules incorporate much of what was contemplated in the August 2023 version, but do also make some changes. These are detailed below:

• Applicability: Adopted from the August version of the proposed rules, if adopted, companies will be required to conduct a cybersecurity audit and submit it to the CPPA if they are engaging in processing personal information in such a way that there is "significant risk" to someone's privacy or security.
• Timing: The first audit would need to be done within 24 months of the effective date of the proposed regulations. It must be then done annually thereafter. These obligations have not changed from the prior proposal.
• Process: Adopted from the prior version of the proposed rules, the audit would need to be done by independent auditors. They can be either external or internal professionals who are qualified and use "generally accepted" audit standards. Audit results must be presented to the board or management. They, in turn, must certify the audit findings and that they did not attempt to influence its conclusions.
• Contents: As was required by the previous version of the rules, the audit would need to evaluate the effectiveness of the program and identify any gaps and remediation steps taken. It would also need to specifically name the auditors and their qualifications (and they must certify the audit). The audit must evaluate a myriad of items that make up the company's cybersecurity program. This includes authentication, encryption, virus controls, hardware and software security, access controls, and more. It will also need to document the company's written cybersecurity program and its appropriateness to the size and complexity of the business's data processing activities. If the company has had a reportable breach, the audit would also need to -among other things- include a copy of the notice made to impacted individuals and regulatory authorities. The audit must also evaluate how a company prepares for and handles data security incidents. The updated version of the rule adds unauthorized access and unauthorized activity resulting in the loss of personal information to the definition of a "security incident." The updated rules also remove the requirement to include the number of hours each auditor worked on the audit.

Applicability to Insurance Industry

The proposed rules also clarify when CCPA applies to those in the insurance industry. Namely, if CCPA provides greater consumer protections than the Insurance Code and the information is not otherwise subject to the Insurance Code. For example, when information is collected not in connection with an insurance transaction. The agency gives examples, including when the insurance company uses website visitor information to serve targeted ads across multiple company sites. In that instance, the company must honor GPC signals and opt-out requests.