Overview

California has introduced a significant cybersecurity audit requirement that will take effect on January 1, 2026. The rule mandates that certain businesses conduct annual audits, which may increase litigation risk related to data breaches.

The California Privacy Protection Agency's new regulation is the first of its kind among state data privacy laws, requiring extensive compliance efforts from affected companies to address cybersecurity deficiencies.

Key details

  • The rule was adopted by the California Privacy Protection Agency last year.
  • It requires specific businesses to perform annual cybersecurity audits starting January 1, 2026.
  • Covered entities must submit a written certification each year confirming the completion of an audit report that meets established standards.
  • The audit focuses on eighteen technical and organizational components of cybersecurity practices.
  • While the audit report itself does not need to be filed, it will be of significant interest to plaintiffs in data breach litigation.
  • Cybersecurity audit reports may become key targets of discovery requests in class actions, where plaintiffs would use them to demonstrate negligence or violations of privacy laws.
  • Materials generated during the audit, including analyses and internal communications, are likely to be scrutinized by plaintiffs.
  • California law does not automatically shield compliance documents from discovery, even if they are prepared with legal counsel.
  • Businesses may face challenges in protecting audit-related materials from being disclosed in litigation.
  • Discovery disputes may arise over preliminary documents, drafts, and internal communications related to the audit process.
  • Companies are encouraged to maintain clear distinctions between legal advice and operational assessments to protect privileged information.
  • A two-track approach, separating compliance activities from legal advice, may help organizations manage legal protections more effectively.

Context

The rise of cybersecurity incidents and privacy-related litigation has prompted increased scrutiny of businesses' cybersecurity practices. The new audit requirement aims to ensure that companies are proactively identifying and addressing potential vulnerabilities.

What happens next

As the January 2026 deadline approaches, businesses in California will need to prepare for the compliance requirements and consider strategies to manage the potential litigation risks associated with the audit process.

What we don't know yet

Details regarding the specific businesses affected by the rule and the exact nature of the audits are not confirmed.