As California regulators set new parameters for cybersecurity rules, businesses should prepare to implement them to minimize their risk of lawsuits and government enforcement actions.
The California Privacy Protection Agency (CPPA) is establishing an extensive set of new privacy and cybersecurity standards for business under the California Consumer Privacy Act (CCPA), David Keating, leader of the Technology & Privacy Group and co-leader of the Privacy, Cyber & Data Strategy Team at Alston & Bird, told the Northern California Record by email.
“One set of draft regulations would create new cybersecurity audit standards that broaden the reach of cyber audit requirements beyond industry-specific rules, such as for financial institutions, to any business, in any industry sector, that processes personal data and is subject to the CCPA,” Keating said. “The CPPA has also drafted what would be landmark new regulations for 'automated decision making technologies' (ADMT), including technologies that fall under the broad umbrella of artificial intelligence. The latter establishes new rights for consumers to request information about how data is processed, including by certain AI tools, to opt out from this processing in certain scenarios, and to request deletion of associated personal data.”
In terms of what the draft rules apply to, Keating noted they cover three issues that the CCPA has empowered the Agency to regulate: privacy risk assessments, cybersecurity audits, and automated decision making technologies.
The proposed risk assessment standards are designed to require businesses to perform detailed assessments of the data privacy implications of new products before they hit the market. California in this respect is carrying forward a trend of requiring privacy assessments in other U.S. states, including Virginia and Colorado, and in the European Union.
“The proposed ADMT rules are a clear shot at regulating certain aspects of AI technologies, and include requirements for algorithmic transparency for consumers and consumer choice in whether to be subject to the use of these technologies in certain contexts,” Keating said. “The proposed rules for cybersecurity audits seek to mandate detailed internal assessments of businesses’ cybersecurity posture in an attempt to reduce risk to consumers. These three regulations are in a sense consumer-protection measures, as much as they are privacy measures.”
These three proposed regulations each go beyond existing standards in the U.S., Keating said.
“The CPPA is proposing to require privacy assessments in a broader set of circumstances than under the standards in Virginia and Colorado, and to require a more extensive review than the standards in those two states,” Keating said.
The closest analog to the cybersecurity audit rules is probably the New York Department of Financial Services’ (NYDFS) cybersecurity regulation, he said.
“The CPPA’s draft standards do not go quite as far as what’s required by NYDFS, but they apply to a much broader category of businesses,” Keating said. “The draft ADMT regulations, however, are groundbreaking. Here California is on the cutting edge of important issues concerning the use of artificial intelligence and consumer rights in the U.S.”
Keating noted the most significant risk is enforcement by the CPPA or the California Attorney General’s office.
“Both agencies have been staffing up with talented attorneys and have been building subject matter expertise in privacy and cybersecurity,” Keating said. “Potential penalties for noncompliance are substantial.”
Yet another risk for businesses is plaintiffs’ attorneys seeking to bring direct claims against businesses for failures to comply.
“These claims face an uphill battle, as the CCPA purports to prohibit private rights of action except in limited circumstances involving certain types of data security breaches,” Keating said. “That hasn’t kept plaintiffs’ attorneys from trying, however, and the courts have not yet issued any final precedential rulings on the various theories plaintiffs’ attorneys have been pursuing.”
And what could trigger either a regulatory action or a lawsuit under these draft rules?
“The most likely trigger will be in the event of an incident or problem that becomes public, such as a cyberattack or a new product or service that collects or processes personal data in a way that catches the attention of privacy advocates or the media,” Keating said. “We could expect the CPPA to explore whether the business conducted the required type of privacy assessment before product launch, and/or whether any AI components of the product or service align with the CPPA’s proposed standards on transparency and consumer choice.”
There is not yet an effective date for the proposed rules, but operative dates will be finalized prior to adoption by the CPPA, Keating said.
“Businesses should be prepared to conduct robust cybersecurity audits of their operations on the timeline ultimately adopted by the CPPA,” Keating said. “These will be significant undertakings for many companies, and they will involve significant costs.”
“Companies also need to ensure they have implemented effective privacy governance programs that include screening new products and services for privacy risks, and to start inventorying their AI and ADMT products and services to enable gap assessments to the standards in the draft regulations,” Keating said. “Consumers should be prepared to receive a new flurry of privacy policy updates from businesses that are taking steps to comply with the proposed standards.”