Are security questionnaires going to be codified as law under CPRA?
A request for your contribution to California's CPRA comment period
Welcome to The Rebuttal, where we read articles on privacy or security and rebut some of the points made by the author.
This week, we are taking a loose interpretation of the term "rebuttal" to mean: respond to a "call for comments."
As you probably know, the California Privacy Rights Act, the CPRA, is set to go into effect next year. As a bit of background, the CPRA amends the CCPA, the California Consumer Privacy Act. The CCPA has caused a lot of clients to ask, "Do I need a 'Do Not Sell' button on my website?" And they also ask, "How do I handle a consumer's request for access to their data?" There are lots of novel security issues involved in the regulatory requirements imposed by the CCPA.
As I mentioned, the CPRA amends the CCPA in some significant ways. It appears that the California Consumer Privacy Agency ("Agency") is seeking help from the public to interpret those amendments. You can find the call for comments here.
The first topic for public comment seeks recommendations about how to interpret the requirement for businesses to perform annual cybersecurity audits and what processes are needed to make sure those audits are thorough and independent.
They cannot possibly mean that every single California business that processes personal information representing a significant risk to consumers' privacy or security has to undergo a security audit, like a SOC 2! But in case they do, I think you all need to share your opinion on that.
My opinion, in case you are wondering, is that such an interpretation will stifle innovation because you can't start a business and spend $100k on a security audit. Nor should you, since who would take a security audit of a 2-person startup seriously? I'm looking at you, Laura Louthan from Angel Cybersecurity.
But I don't think security questionnaires are the way either. Is there a middle ground? Something like CMMC?
After you comment on the annual audit interpretation, check out the next section too.
It says that if your business is required to send risk assessments to the Agency, the Agency asks for comments about what those risk assessments should cover and how often they should be required. It also seeks comment about how the business actually weighs the benefits of the processing activity against the risk.
Well, that's good for business. Er, or maybe not.
I'm sorry, but, once again, is this whole thing about codifying security questionnaires? Daniel Miessler may not be too happy about that one. Yes, yes, I know that they are clearly referring to privacy impact assessments, similar to the GDPR, but I do think many of the questions from security have to be incorporated. Otherwise, an assessor doesn't know the full extent of the risk.
I am also a little confused about who is making the decision once the weighing of the benefits against the risk has been performed. Is the Agency making that decision, or the business itself? Who decides if the business got it wrong? So many comments are possible here.
So, I urge you, my cybersecurity colleagues, to provide comments to the Agency. As the professionals who are very familiar with audits and risk assessments, we have to make sure the final guidance benefits from our experience. Please share this post with everyone in our community. The more comments they receive, the better.
Thank you.
Thanks for the update. Requirements in the scope of SOC 2 for ALL businesses will simply fail. There's no way for some of the really small businesses to afford the implementation, audit and operations. Requiring CMMC would be significantly more burdensome, as it appears to be on a path to a more rigorous standard and audit process (at least level 3), and there are 700,000 defense suppliers queueing up already. It's critical that regulations balance feasibility with objectives.