With the RSA Cybersecurity Conference right around the corner from our office in San Francisco, it seems only fitting that the March article focuses on cybersecurity. Long gone are the halcyon days of 1991, when the RSA Conference first started. In the fast-moving world of cybersecurity, 2011, or even 2021, feels antiquated. Hackers seem to be one step ahead, using off-the-shelf tools and/or tools freely available on the dark web. From a cybersecurity perspective, agentic AI, at least in the short term, will only further challenge the current dynamics. See Securing and Contracting Agentic AI (Feb. 20, 2026). https://www.stoel.com/insights/publications/securing-and-contracting-agentic-ai.

In cybersecurity, typically, laws and regulations lag market and industry standards and customer expectations. I say typically because some laws and regulations are forward-thinking, usually in terms of their flexibility, and less often, in their specificity. Case in point is Massachusetts’ 201 CMR chapter 17.00: Standards for the protection of personal information of residents of the Commonwealth, available at: https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth. These regulations went into effect on March 1, 2010, and borrowed from the GLBA Safeguards Rule (effective May 23, 2003) and the HIPAA Security Rule (effective April 21, 2005). The regulations required a comprehensive written information security program and contained somewhat prescriptive technical requirements, in considerable contrast to the requirement to implement and maintain commercially reasonable protective measures found in most data breach notification statutes. Put otherwise, if someone was drafting an information security policy in 2010, the Massachusetts regulations were as good a place as any to start.  

Fast forward to March 2026. The world seems to be a far less hospitable place. Trust is in even shorter supply. Verification is paramount. Enter the California Consumer Privacy Act Regulations (the “CCPA Regulations”), effective January 1, 2026: https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf.

Pursuant to the CCPA Regulations, cybersecurity audits must be performed by a business that either (a) derives at least 50 percent of its annual revenues from selling or sharing consumers’ personal information (in effect, a data broker) or (b) (i) satisfies the annual revenue threshold (currently, $26.25 million) and (ii) processed the personal information of at least 250,000 consumers or households or processed the sensitive personal information of at least 50,000 consumers, in each case in the preceding calendar year.

The audit must be performed by a qualified, independent audit professional using procedures and standards generally accepted in the auditing profession, such as those published by ISO. If a business does not yet have a suitable auditor, it should consider engaging one as soon as possible.

The first batch of cybersecurity audit reports under the CCPA Regulations is due in just over two years, on April 1, 2028. This deadline applies to businesses with calendar year 2027 gross revenue greater than $100 million, and the audit period runs from January 1, 2027 through January 1, 2028. The next batches are due on April 1, 2029 (gross revenue between $50 million and $100 million) and April 1, 2030 (gross revenue less than $50 million). For the first batch, two years may seem long, but given that the audit period starts in just over nine months, it is just around the corner.

The audit requirements are sprawling, but not unexpected. Components to be assessed during the audit include: encryption of personal information, at rest and in transit; strong passwords and authentication; audit log management; account management and access control; employee cyber training; patch management; inventory management; segmentation; internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting (e.g., bug bounty and ethical hacking programs); secure development and coding practices; and incident response management. The audit must assess a business’s cybersecurity program, and specifically whether that program is “appropriate to the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementing the components of a cybersecurity program.” CCPA Regulations § 7123(b)(1). For those in the field, if this brings back memories of 2010 (201 CMR ch. 17.00) or 2003 (GLBA Safeguards Rule), you are not alone. The assessment is supposed to be context specific; for example, if the business operates exclusively online, restricting and monitoring physical access may be largely inapplicable (though the physical security of any offices, servers, or devices the business does control still counts). The requirements are general; compliance with a specific standard, e.g., NIST SP 800-88 for media sanitization, is not mandated.

That said, a seasoned auditor will probe the technical sufficiency and reasonableness of the protective technological measures. The report must include a gap analysis and a plan, including a timeframe, to address the gaps. A business may leverage other cybersecurity assessments and audit reports, so long as, alone or as supplemented, they address the same requirements as the CCPA Regulations.

In preparing for the audit, now is as good a time as any to create a “punch list” of the components to be assessed and to map it against current policies and practices. If there has not been a penetration test (not to be confused with website vulnerability scanning) in some time, or ever, now is the time to engage a reputable vendor. If there is a process but no documentation, now is the time to prepare that documentation. If there is a documented process, but it has not been pressure tested (for example, an incident response plan that has never been exercised), now is the time to do so. An auditor will ask. Plus, even though the CCPA Regulations may not apply to a broad swath of businesses for some time, if there is a cybersecurity incident, rest assured that a state regulator can and will ask about the cybersecurity measures in place at and after the time of the incident, as will counterparties. Further, cybersecurity (and privacy) laws and regulations are living documents, especially in California, and the trend is for them to become more, not less, stringent. Case in point: the CCPA, which has been amended (and strengthened) many times. In the same vein, an amendment in the next few years requiring businesses that must perform a risk assessment (triggered, e.g., by a sale or sharing of personal information) to also perform a cybersecurity audit is not farfetched. Last, but not least, concepts first enacted in California (e.g., the accessible deletion mechanism for data brokers) tend to spread to other states (with similar bills, e.g., in Rhode Island and Vermont), meaning that other states may soon follow with cybersecurity audit requirements.

Where to start? The written information security program, of course.