April 14, 2026

California’s Cybersecurity Audit Rule and Its Impact for Class Litigation

International Association of Privacy Professionals

Partner Craig Heeren and associates Charles Westerhaus and Lukas Stoutenour co-authored an article titled “California’s Cybersecurity Audit Rule and Its Impact for Class Litigation.” 

The authors described how a new rule from the California Privacy Protection Agency, which requires certain businesses to conduct an annual cybersecurity audit, could have long-term implications for companies operating in the state. Under the rule, a covered business must submit to the agency a written certification that it has completed a cybersecurity audit report meeting the rule’s standards. The authors added that the report could become a focal point for plaintiffs’ discovery requests in data breach class actions as they seek to prove negligence or violations of state data privacy laws.

To minimize discovery risk, the authors advise companies to take a proactive approach to ensuring that cybersecurity audits are completed under accepted and well-recognized standards, with the goal of using the audit as an opportunity to build a strong defense against claims of cybersecurity negligence or regulatory violations.

“A strong showing in a cybersecurity audit conducted under an approved cybersecurity framework, such as those issued by the U.S. National Institute of Standards and Technology, International Organization for Standardization or Center for Internet Security, demonstrates that the organization has invested time, talent and infrastructure to minimize, not eliminate, cybersecurity risk,” the authors added. “A cybersecurity audit can help eliminate actual compliance gaps as well as perceived gaps, where ambiguous discussions about cybersecurity readiness could paint an incorrect picture of what is otherwise a robust and appropriate security posture.”