
California will audit cybersecurity


Most businesses hear “cybersecurity audit” and assume it is optional, or something you do after a breach.

California is moving in the opposite direction. The California Privacy Protection Agency finalized regulations that require certain businesses to complete cybersecurity audits and submit a written certification of completion on a phased schedule tied to revenue.

For covered businesses, the certification deadlines are April 1, 2028 (over $100 million), April 1, 2029 ($50 million to $100 million), or April 1, 2030 (under $50 million).

What makes this harder than people expect is scope. The audit is driven by California personal information and sensitive personal information, including data that lives in HR systems, recruiting tools, payroll providers, benefits vendors, and cloud platforms.

The proof pressure point is simple. If you cannot explain what was in scope and why, and you cannot support conclusions with real evidence, the audit becomes a credibility problem before testing even begins.

If your organization may fall into a covered revenue band, it is worth pressure testing scope and ownership now, while the timeline is still yours to control.

This post shares general information based on common patterns I see in California workplaces. It is not legal advice, does not create an attorney-client relationship, and outcomes depend on specific facts — no lawyer can guarantee a result. Past results do not guarantee or predict future outcomes. AI may have been used to create this post. All content reviewed by a CA attorney before publication. This post may be attorney advertising.

Michael Trust Law, APC, 703 Pier Avenue, Ste. B367, Hermosa Beach, CA 90254: michaeltrustlaw.com
