At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs. The proposed regulations would also impose broad rules around the use of automated decision-making technologies that could affect the development of artificial intelligence-based systems and other types of processing of personal information deemed to create a significant risk to consumer privacy.

Data, privacy & cybersecurity counsel Kevin Angle and associates Ashley Fisher and Jessica Grischkan noted in an article for Law360 that the audit would require board-level involvement along with documentation of specific cybersecurity controls, ranging from account management and unique passwords to record retention, which could create baseline expectations for the agency as to the “reasonable security procedures and practices” required under the CCPA and other statutes. The draft regulations also propose broad definitions of “artificial intelligence” and “automated decision-making” that could bring into their scope a wide variety of products. Prior to training artificial intelligence, businesses could be required to conduct detailed risk assessments and document safeguards in place to protect the privacy of personal information.