California cybersecurity audit rule scope begins taking shape at CPPA meeting
A final version of California’s cybersecurity audit rules likely won’t be released until later next year at the earliest, according to a rough timeline discussed by the state’s privacy rulemaking agency, which debated a preliminary draft of the rules Friday.
The draft cybersecurity rules were approved among sweeping amendments to the state’s 2020 data privacy law under the California Privacy Rights Act. The changes to the California Consumer Privacy Act (CCPA) created the California Privacy Protection Agency (CPPA) to write and enforce the rules.
The five-member CPPA board mainly debated two aspects of the cybersecurity rules Friday: which businesses should be required to conduct annual audits and what should be included in those audits.