California's cybersecurity audit rule and its impact for class litigation | IAPP

This article explores California's new cybersecurity audit requirement and its potential to increase litigation risk for covered businesses.

Charles Westerhaus, CIPP/E, CIPP/US, CIPM, FIP, Associate, Faegre Drinker Biddle & Reath LLP
Lukas Stoutenour, Associate, Faegre Drinker Biddle & Reath LLP
Craig Heeren, Partner, Faegre Drinker Biddle & Reath LLP

5 Jan 2026

Last year, the California Privacy Protection Agency adopted a major new rule requiring certain businesses to conduct an annual cybersecurity audit. The rule went into effect 1 Jan. 2026. This pioneering requirement, the first of its kind among state data privacy laws of general applicability, may entail substantial compliance efforts for affected companies to identify and correct cybersecurity shortcomings. While compliance concerns may generate new anxiety, the audit requirement's impact on data breach litigation could have equally significant long-term implications for businesses operating in California.

The compliance requirements are considerable and complex, covering eighteen different technical and organizational components of an entity's cybersecurity practice. Under the rule, covered entities are required to submit to the agency each calendar year a written certification that the business has completed a cybersecurity audit report that meets the rule's standards.

Although the report itself does not need to be filed, the need to create and certify one highlights an item of high interest to plaintiffs' counsel. As a result, the audit will likely become a focal point of plaintiffs' discovery requests in data breach class actions as they seek to prove negligence or violations of state data privacy laws.

With the rise in cybersecurity data breaches and privacy-related litigation, plaintiffs are increasingly seeking materials they can leverage to argue that a business's cybersecurity or privacy-related practices are deficient or negligent in some fashion. Cybersecurity audit reports and risk-assessment narratives will therefore be compelling targets for discovery, particularly because the rule requires the business to identify gaps in its security posture. Additional materials generated during an audit, such as supporting analyses, drafts, internal communications, and documentation showing when risks were identified and how they were addressed, will likewise be of substantial interest.

Importantly, shielding these materials from discovery may be difficult. While there may be good-faith arguments to limit the discovery of such materials, such as a claim of privilege or attorney work product over materials prepared by or for a lawyer, courts have often been unwilling to treat materials prepared for these types of purposes as protected from discovery.

Indeed, California Consumer Privacy Act audits and risk assessments are not automatically privileged. While California law preserves traditional evidentiary privileges such as attorney-client privilege and attorney work product, the statute does not provide any shield or discovery limitation for compliance documents. If an audit is primarily conducted as a business or regulatory exercise rather than to obtain legal advice, it may be treated as fully discoverable. As a result, businesses should anticipate being required to disclose a cybersecurity audit and certain supporting materials prepared as part of the CCPA certification, and should handle those materials accordingly.

Even when companies believe the final audit report is defensible, discovery fights often focus on what came before it. Drafts, internal emails, risk-scoring worksheets and preliminary gap analyses are fertile ground for plaintiffs arguing that the company knew of specific vulnerabilities, chose not to remediate them, and downplayed those risks in the final audit.

This raises the question: what can a company subject to the CCPA do to combat the risk of crafty lawyering that paints such a narrative? Companies may want to consider additional precautions, such as keeping legal work product clearly separated, and its handling limited, from more traditional compliance and business analysis.

Companies should carefully document the audit process, clearly distinguish legal advice from operational assessments, and maintain a structured record to prevent unfavorable inferences during litigation. Particularly sophisticated companies have begun to take a two-track approach, as upheld in several data breach cases, in which more traditional regulatory compliance and operational activities proceed on one track while legal advice and attorney work product remain on the other. This separation can help organizations doing business in California maintain control over their legal protections and proactively safeguard privileged information.

The risk that opposing counsel could obtain copies of up to five years of cybersecurity audits during discovery may disincentivize companies from fully participating in cybersecurity audits. The risk of resource- and cost-intensive class action litigation, whether or not the claim has merit, may be especially impactful for startup businesses that may not yet have as robust a cybersecurity program or legal team as more established companies. The intersection of audit requirements and data breach litigation may create an environment where organizations are more hesitant to candidly document undesirable findings.

However, as in judo, the martial art in which an individual uses an opponent's weight to their advantage, entities can view the weight of a cybersecurity audit as an opportunity to build a strong defense against claims of cybersecurity negligence or regulatory violations. Seen this way, the audit becomes a strategic tool in litigation defense rather than only a liability.

A strong showing in a cybersecurity audit conducted under an approved cybersecurity framework, such as those issued by the U.S. National Institute of Standards and Technology, the International Organization for Standardization or the Center for Internet Security, demonstrates that the organization has invested time, talent and infrastructure to minimize, though not eliminate, cybersecurity risk. A cybersecurity audit can help eliminate actual compliance gaps as well as perceived gaps, where ambiguous discussions about cybersecurity readiness could paint an incorrect picture of what is otherwise a robust and appropriate security posture.

No defense system is perfect, but one goal of a company audit is to provide a clear, evidence-based picture of its cybersecurity practices to rebut any claims of negligence and deter litigation.