- (a) Each calendar year that a business is required to complete a cybersecurity audit pursuant to this Article, it must submit to the Agency a written certification that the business completed the cybersecurity audit as required by this Article.
- (b) The business must submit the certification no later than April 1 following any year that the business is required to complete a cybersecurity audit.
(c) The written certification must be completed by a member of the business's executive management team who:
- (1) Is directly responsible for the business's cybersecurity-audit compliance;
- (2) Has sufficient knowledge of the business's cybersecurity audit to provide accurate information; and
- (3) Has the authority to submit the business's certification to the Agency.
(d) The written certification must be completed and submitted to the Agency via its website at https://cppa.ca.gov/. The certification must include:
- (1) The business's name and point of contact for the business, including the contact's name, phone number, and email address.
- (2) A statement that the business has completed the cybersecurity audit.
- (3) The time period covered by the cybersecurity audit, by month and year.
- (4) An electronically signed attestation to the following statement: “I attest that I meet the requirements of California Code of Regulations, Title 11, section 7124, subsection (c), to submit this certification. Under penalty of perjury under the laws of the state of California, I hereby declare that the information contained within and submitted with this certification is true and correct and that the business has not made any attempt to influence the auditor's decisions or assessments regarding the cybersecurity audit.”
- (5) The name and business title of the person submitting the certification, and the date of the certification.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).