- (a) The cybersecurity audit must assess how the business's cybersecurity program: protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information.
(b) The cybersecurity audit must assess:
- (1) The business's establishment, implementation, and maintenance of its cybersecurity program, including the related written documentation thereof (e.g., policies and procedures), that is appropriate to the business's size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementing the components of a cybersecurity program; and
- (2) Each of the components of a cybersecurity program listed in subsection (c) that the auditor deems applicable to the business's information system.
- (3) How the business implements and enforces compliance with its cybersecurity program as described in subsection (b)(1), the applicable components in subsection (c), and any additional components as set forth in subsection (d).
(c) The cybersecurity audit must assess the following components, if applicable:
(1) Authentication, including:
- (A) Multi-factor authentication (including multi-factor authentication that is resistant to phishing attacks for employees, independent contractors, and any other personnel, service providers, and contractors); and
- (B) If the business uses passwords or passphrases, strong unique passwords or passphrases (e.g., passwords that are at least eight characters in length, not on the business's disallowed list of commonly used passwords, and not reused).
- (2) Encryption of personal information, at rest and in transit.
(3) Account management and access controls, including:
(A) Restricting each person's, account's, or application's privileges and access to personal information to what is necessary for that person, account, or application to perform their duties. For example:
- (i) If the person is an employee, independent contractor, or any other personnel, restricting their privileges and access to personal information to what is necessary to perform the respective job functions of each individual, and revoking their privileges and access when their job functions no longer require them, including when their employment or contract is terminated;
- (ii) If the person is a service provider or contractor, restricting their privileges and access to personal information to what is necessary for the specific business purpose(s) set forth in, and in compliance with, the written contract between the business and the service provider or contractor required by the CCPA and section 7051; and
- (iii) Restricting the privileges and access of third parties to whom the business sells or shares personal information to the personal information that is necessary for the limited and specified purpose(s) set forth within the contract between the business and the third party required by the CCPA and section 7053.
- (B) Restricting the number of privileged accounts, restricting those privileged accounts' access functions to only those necessary to perform the account-holder's job, restricting the use of privileged accounts to when they are necessary to perform functions, and using a privileged-access management solution (e.g., to ensure just-in-time temporary assignment of privileged access).
- (C) Restricting and monitoring the creation of new accounts for employees, independent contractors, or other personnel; service providers or contractors; and privileged accounts, and ensuring that the accounts' access and privileges are limited as set forth in subsections (c)(3)(A) and (B).
- (D) Restricting and monitoring physical access to personal information (e.g., through the use of badges, secure physical file locations, and enforcement of clean-desk policies).
(4) Inventory and management of personal information and the business's information system, including:
- (A) Personal information inventories (e.g., maps and flows identifying where personal information is stored, and how it can be accessed) and the classification and tagging of personal information (e.g., how personal information is tagged and how those tags are used to control the use and disclosure of personal information);
- (B) Hardware and software inventories, and the use of allowlisting (i.e., discrete lists of authorized hardware and software to control what is permitted to connect to and execute on the business's information system); and
- (C) Hardware and software approval processes, and preventing the connection of unauthorized hardware and devices to the business's information system.
(5) Secure configuration of hardware and software, including:
- (A) Software updates and upgrades;
- (B) Securing on-premises and cloud-based environments;
- (C) Masking (i.e., systematically removing or replacing with symbols such as asterisks or bullets) the sensitive personal information set forth in Civil Code section 1798.145, subdivisions (ae)(1)(A) and (B) and other personal information as appropriate by default in applications;
- (D) Security patch management (e.g., receiving systematic notifications of security-related software updates and upgrades; and identifying, deploying, and verifying their implementation); and
- (E) Change management (i.e., processes and procedures to ensure that changes to information system(s) do not undermine existing safeguards).
- (6) Internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting (e.g., bug bounty and ethical hacking programs).
- (7) Audit-log management, including the centralized storage, retention, and monitoring of logs.
(8) Network monitoring and defenses, including the deployment of:
- (A) Technologies, such as bot-detection, intrusion-detection, and intrusion-prevention, which a business may use to detect unsuccessful login attempts, monitor the activity of authorized users, and detect and prevent unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information; and
- (B) Data-loss-prevention systems (e.g., software to detect and prevent unauthorized access, use, or disclosure of personal information).
- (9) Antivirus and antimalware protections.
- (10) Segmentation of an information system (e.g., via properly configured firewalls, routers, switches).
- (11) Limitation and control of ports, services, and protocols.
- (12) Cybersecurity awareness, including how the business maintains current knowledge of changing cybersecurity threats and countermeasures.
- (13) Cybersecurity education and training, including training for each employee, independent contractor, and any other personnel to whom the business provides access to its information system (e.g., when their employment or contract begins, annually thereafter, and after a personal information security breach, as described in Civil Code section 1798.150).
- (14) Secure development and coding best practices, including code-reviews and testing.
- (15) Oversight of service providers, contractors, and third parties to ensure compliance with sections 7051 and 7053.
- (16) Retention schedules and proper disposal of personal information no longer required to be retained, by (A) shredding, (B) erasing, or (C) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.
(17) How the business manages its responses to security incidents (i.e., its incident response management).
- (A) For the purposes of subsection (17), “security incident” means an occurrence that actually or imminently jeopardizes the confidentiality, integrity, or availability of the business's information system or the personal information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of the business's cybersecurity program; unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information is a security incident.
(B) The business's incident response management includes:
- (i) The business's documentation of predetermined instructions or procedures to detect, respond to, limit the consequences of, and recover from malicious attacks against its information system (i.e., the business's incident response plan); and
- (ii) How the business tests its incident-response capabilities; and
- (18) Business-continuity and disaster-recovery plans, including data-recovery capabilities and backups.
- (d) Nothing in this section prohibits a cybersecurity audit from assessing components of a cybersecurity program that are not set forth in subsections (b) or (c).
(e) The cybersecurity audit report must:
- (1) Describe the business's information system; and identify (A) the policies, procedures, and practices that the cybersecurity audit assessed; (B) the criteria used for the cybersecurity audit; and (C) the specific evidence examined to make decisions and assessments, such as documents reviewed, sampling and testing performed, and interviews conducted. The cybersecurity audit report must also explain why assessing those policies, procedures, and practices; using those criteria; and examining that specific evidence justify the auditor's findings.
- (2) Identify the applicable components in subsection (c), and any additional component assessed in accordance with subsection (d); describe how the business implements and enforces compliance with the policies and procedures in subsection (b)(1), the applicable components in subsection (c), and any additional component assessed in accordance with subsection (d); and explain their effectiveness in preventing unauthorized access, destruction, use, modification, or disclosure of personal information; and preventing unauthorized activity resulting in the loss of availability of personal information.
- (3) Identify and describe in detail the status of any gaps or weaknesses of the policies and procedures in subsection (b)(1), the applicable components in subsection (c), and any additional component assessed in accordance with subsection (d), that the auditor deemed to increase the risk of unauthorized access, destruction, use, modification, or disclosure of consumers' personal information; or increase the risk of unauthorized activity resulting in the loss of availability of personal information.
- (4) Document the business's plan to address the gaps and weaknesses identified and described pursuant to subsection (e)(3), including the timeframe in which it will resolve them.
- (5) Identify any corrections or amendments to any prior cybersecurity audit reports.
- (6) Include the title of up to three qualified individuals responsible for the business's cybersecurity program.
- (7) Include the auditor's name, affiliation, and relevant qualifications.
- (8) Include a statement that is signed and dated by the highest-ranking auditor that certifies that they completed an independent review of the business's cybersecurity program and information system, exercised objective and impartial judgment on all issues within the scope of the cybersecurity audit, and did not rely primarily on assertions or attestations by the business's management.
- (9) If the business provided notification to affected consumer(s) pursuant to Civil Code section 1798.82, subdivision (a), include a sample copy of the notification(s), excluding any personal information; or a description of the notification(s).
- (10) If the business was required to notify any agency with jurisdiction over privacy laws in California of unauthorized access, destruction, use, modification, or disclosure of personal information; or unauthorized activity resulting in the loss of availability of personal information, include a sample copy of the notification(s), excluding any personal information; or a description of the required notification(s), the date(s) and details of the activity that gave rise to the required notification(s), and any related remediation measures taken by the business.
- (f) A business may utilize a cybersecurity audit, assessment, or evaluation that it has prepared for another purpose, provided that it meets all of the requirements of this Article, either on its own or through supplementation. For example, a business may have engaged in an audit that uses the National Institute of Standards and Technology Cybersecurity Framework 2.0 and meets all of the requirements of this Article.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).