Data Privacy
May 15, 2026
California's new privacy rules may reshape the evidentiary landscape
California's new CCPA regulations requiring annual cybersecurity audits and risk assessments are forcing companies to create detailed records of their cybersecurity practices and risk management decisions: documentation that should be managed with a deliberate, litigation-aware strategy.
Recently finalized regulations under the California Consumer Privacy Act (CCPA) ("regulations") introduce sweeping requirements for cybersecurity audits, risk assessments and related reports. While much attention has focused on compliance burdens, these requirements also have the potential to reshape the evidentiary landscape in connection with organizations' cybersecurity and privacy practices.
Among other obligations, the regulations require:
· Annual cybersecurity audits, including written audit reports. The regulations require detailed audit reports supported by specific evidence and testing, which must describe in detail the status of any gaps or weaknesses deemed to increase risk, including security breaches. A member of executive management must submit a written certification of audit completion to the California Privacy Protection Agency ("CalPrivacy"), and the business must retain all relevant documents for at least five years.
· Regular risk assessments documenting processing activities, negative privacy impacts and planned safeguards. A business must retain risk assessment reports for as long as the processing continues or for five years after completing the assessment, whichever is later. A member of executive management must submit information regarding the assessment to CalPrivacy, including whether the assessment involved processing sensitive personal information. CalPrivacy and the California attorney general can require a business to submit its full assessment report.
These obligations necessarily require companies to create and maintain records reflecting cyber and privacy risks. Businesses that approach the new CCPA requirements with a litigation-aware compliance strategy will be better positioned to manage potential risk. Below are practical risk mitigation steps businesses can take as they operationalize the cybersecurity audit and risk assessment processes:
· Align audit/assessment processes with privilege strategies. While attorney-client privilege is unlikely to attach to the final reports required under the regulations, businesses can do much to help maintain privilege in preparation for and during the audit/assessment processes themselves, in an effort to best protect against the disclosure of privileged documents. For example, businesses may want to conduct a separate, privileged "pre-audit" or "pre-assessment" in preparation for the subsequent mandatory one. Businesses should involve legal counsel early when planning and structuring audits/assessments, evaluate whether and how attorney-client privilege or work-product protections may apply, and carefully delineate legal advice versus business records. Non-legal staff involved with audits/assessments should be educated on best practices for preserving privilege.
· Assess recordkeeping practices. Establishing a clear process for drafting and reviewing audit/assessment-related documentation can also help minimize risk. Importantly, documentation should be accurate, precise and contextualized, while avoiding conclusory or overly broad statements that could be misinterpreted. Although certain information must be included to meet compliance requirements, businesses should consider limiting reports to the information the regulations require and leaving unnecessary details out. In addition, for accepted risks, companies may want to record the justification and any compensating controls needed to contextualize the decision. Critically, involving both the legal and security teams in developing and finalizing documentation will help ensure records are both accurate and appropriately framed to mitigate unnecessary exposure.
· Memorialize risk acceptance protocols. Similarly, businesses should establish clear processes for documenting how risk decisions are made, including appropriate stakeholder involvement and approval pathways. Ensuring that risk acceptance decisions are consistently documented and aligned with the organization's broader risk management framework can help promote clarity and consistency across audit and assessment records. As noted above, memorializing appropriate context for these decisions is important, particularly as institutional knowledge can diminish over time.
· Promote consistency across documentation. It is equally important to ensure that audit reports, risk assessments, policies and related materials are aligned in how they describe and address associated risks, and perhaps more importantly, risk acceptances. Inconsistencies across this documentation can create confusion and potentially undermine the effectiveness or defensibility of otherwise well-supported findings.
· Strengthen remediation governance and oversight. Companies may also consider documenting remediation plans and timelines and establishing formal processes to track audit findings and any safeguards identified in assessments. These processes should include a clear designation of ownership of remediation tasks and progress tracking, while prioritizing remediation of high-risk findings. Briefing protocols can also help facilitate informed decision-making by ensuring executives and audit/assessment signatories understand findings, associated risks and key remediation efforts.
· Stress-test incident response procedures against audit/assessment findings. Businesses will also want to be sure that incident response procedures account for previously identified vulnerabilities, privacy risks and known system limitations, including any findings related to third-party vendors.
The CCPA's audit and assessment requirements have the potential to create a more formalized record of an organization's cybersecurity practices and risk management decisions. Businesses that take a deliberate, coordinated approach to these requirements will be better equipped to ensure that this documentation is accurate, consistent, and appropriately contextualized to reflect the organization's practices, helping to mitigate potential litigation exposure.