Last year the California Privacy Protection Agency (CPPA) – created by the California Privacy Rights Act of 2020 – released draft regulations on risk assessments and cybersecurity audits, which will likely go into effect in August or September 2024 after a consultation period. The regulations will indirectly impose substantial cybersecurity requirements on companies handling personal data. Although it is currently left to each company’s discretion how it assesses risk and audits cybersecurity, should these drafts be adopted, these rigorous regulator expectations will become mandatory for businesses that face significant privacy or security risks associated with consumer data processing.

The CPPA’s draft regulations propose annual cybersecurity audits that thoroughly evaluate and document each component of a company’s cybersecurity program. These audits would identify weaknesses and gaps in the program and confirm that previously identified issues have been addressed. The draft lists specific components that must be assessed, such as multifactor authentication, encryption, secure configuration, and more.

These regulations would establish a uniform set of privacy/security considerations, rather than addressing risk on a case-by-case basis. While companies have some flexibility to propose alternative controls, they must justify how these alternatives provide equivalent protection.

One notable feature in the draft is considering how a company’s cybersecurity program mitigates potential harms to consumers, including economic losses from identity theft or data unavailability due to ransomware attacks. This approach seeks to evaluate if cybersecurity measures effectively reduce harm to consumers.

It is important to note that the August draft is not yet formal rulemaking, and many details are still to be worked out. Determining when a business poses a “significant risk to consumers’ privacy or security” remains a key challenge, with tentative criteria based on factors such as revenue and consumer impact. Despite these uncertainties, the draft regulations reflect a thoughtful approach, and the final version is expected to retain its core principles.


Focusing here on what privacy risk assessments in particular should include, it would be wise to use the draft regulations on this topic as a consistent guide for such work. A risk assessment should consist of the following:

  1. A concise overview of the processing that poses notable risks to consumer privacy. This summary should outline the business’s intended procedures for managing personal information, including the methods of collection, use, disclosure, and storage of that data.

  2. The categories of personal information that will be processed (and whether they include sensitive personal information).

  3. The circumstances surrounding the processing activity, including the connection between the business and individuals whose personal information will be processed.

  4. The reason for processing consumers’ personal information, as well as the compatibility of such purposes with the context in which such personal information was collected (reasonableness).

  5. The operational elements of processing personal information. This covers how the information will be collected and from which sources, how long the business will retain each category of personal information and why, and how the processing aligns with data minimization principles. It also covers the number of consumers affected, the technology used in the processing, and any third parties to whom the business will disclose personal information for processing, and why.

  6. The reason for processing consumers’ personal information. This must be a specific and detailed explanation of the purpose of processing this information, avoiding vague descriptions like “to improve our services” or “security purposes”.

  7. A detailed account of the identified benefits of the processing to the business itself, consumers, other stakeholders, and the public. This section should include the magnitude and likelihood of these beneficial impacts, as well as the criteria used for these determinations.

  8. The identified negative impacts on consumers’ privacy associated with the processing of personal information, including their magnitude and likelihood of occurrence. These impacts encompass a wide range of possibilities, such as constitutional harms, security risks, discrimination, loss of control over personal information, coercion, exploitation of vulnerabilities, economic consequences, physical harm, reputational damage, and psychological distress. The business is required to consider these potential negative impacts and explain specifically how it determined their extent and probability, including the criteria used for these assessments.

  9. An outline of the safeguards the business intends to use to address any identified negative impacts. These safeguards should be described in detail, including how they mitigate negative impacts, how they reduce risks to consumer privacy, and any residual risk that may remain after implementation. At a minimum, the business should consider implementing safeguards to protect personal information (encryption, segmentation, access controls), using privacy-enhancing technologies (trusted execution environments, federated learning, etc.), stating its compliance with processing restrictions, and ensuring the de-identification or aggregation of personal information, as appropriate for the processing activity.

  10. An assessment of whether the negative impacts (#8 above), as mitigated by safeguards (#9 above), outweigh the benefits (#7 above). The business must provide specific details on how and why it reached this determination, including the influence of any safeguards.

Although these 10 components of a risk assessment originate from the California privacy regulator, they offer practical guidance for organizations in any jurisdiction when assessing risk in their own and their service providers’ privacy programs and practices. Such details have never been provided by other data protection regulators. If your organization is struggling to carry out effective and practical privacy risk assessments and cybersecurity audits, contact PRIVATECH for professional advice.