(a) A business must complete its first cybersecurity audit report no later than:
- (1) April 1, 2028, if the business's annual gross revenue for 2026 was more than one hundred million dollars ($100,000,000) as of January 1, 2027. The business's audit would cover the period from January 1, 2027, through January 1, 2028.
- (2) April 1, 2029, if the business's annual gross revenue for 2027 was between fifty million dollars ($50,000,000) and one hundred million dollars ($100,000,000) as of January 1, 2028. The business's audit would cover the period from January 1, 2028, through January 1, 2029.
- (3) April 1, 2030, if the business's annual gross revenue for 2028 was less than fifty million dollars ($50,000,000). The business's audit would cover the period from January 1, 2029, through January 1, 2030.
- (b) After April 1, 2030, if on January 1 of one year, a business meets the criteria of section 7120 for the preceding year, the business must complete a cybersecurity audit that covers the next 12 months, and the business must complete its cybersecurity audit report for that period by April 1 of the following year. For example, if Business A meets the criteria in section 7120 as of January 1, 2035, Business A's audit would cover the period from January 1, 2035, through January 1, 2036, and Business A would have to complete its cybersecurity audit report by April 1, 2036.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).