The California Privacy Protection Agency's cybersecurity audit rule is now in effect, requiring certain businesses to conduct an annual cybersecurity audit. The rule took effect on 1 Jan. 2026 and covers eighteen technical and organisational components of an entity's cybersecurity programme. Each calendar year, covered firms must submit a written certification that the business has completed an audit report meeting the rule's standards.
Although the audit report itself does not need to be filed, the requirement to create and certify one is likely to be of high interest to plaintiffs' counsel. According to IAPP, compliance may entail substantial effort to identify and rectify cybersecurity shortcomings. The IAPP article notes that the audit report is likely to become a focal point of plaintiffs' discovery requests in data breach class actions, where they pursue negligence claims or alleged violations of state data privacy laws.