In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.
Part 4 focuses on what happens next: how CalPrivacy and other regulators are likely to use these audits in enforcement, what that means for senior leadership, and the governance structures needed to support defensible certifications.
Before turning to the mechanics of certification, it helps to take a step back. The CCPA’s cybersecurity audit requirement sits within a broader governance challenge. But what exactly do we mean by “cybersecurity governance”?
I. Cybersecurity Governance: The Frame Around the Audit
Cybersecurity governance is the structure a business uses to:
- Set cybersecurity priorities and risk appetite.
- Assign responsibility and allocate resources.
- Escalate issues and track remediation.
- Evaluate whether the program is actually working and aligned with legal obligations.
This extends beyond technical safeguards to include the people, processes, and oversight that drive day‑to‑day security decisions. It addresses who has authority to make risk decisions, what information is regularly reported to senior leadership and the board, and how those stakeholders challenge, validate, and document management’s assumptions. It also encompasses how the company measures performance (e.g., metrics, testing, independent assessments), responds to audit findings and incidents, and verifies that its actual security posture is consistent with its public statements, contracts, and regulatory commitments.
This focus on governance is also consistent with broader regulatory and industry trends. NIST’s Cybersecurity Framework 2.0 added “Govern” as a core function, and the SEC’s cybersecurity disclosure rules require public companies to describe risk management and governance, not just report incidents. The CCPA cybersecurity audit regime sits squarely in this governance space: it is as much about how the organization runs security as it is about the controls themselves.
II. From Internal Audit Process to Enforcement Record
On its face, the CCPA’s cybersecurity audit regime is a compliance obligation. Covered businesses must:
- Conduct an annual cybersecurity audit.
- Prepare a written audit report.
- Share that report with executive management.
- Maintain supporting records for at least five years.
- Submit a written certification to CalPrivacy, signed by a senior executive.
In practice, those same materials can become powerful evidence in an enforcement action.
Businesses do not automatically file their audit reports with CalPrivacy. However, CalPrivacy can request, subpoena, or otherwise obtain the audit report, the certification, and the underlying workpapers and records — and businesses should expect that it will likely do so in situations such as:
- After a reportable security incident.
- In response to whistleblower complaints.
- In response to consumer complaints.
- When there are signs that a company’s cybersecurity posture is weak (such as repeated incidents, significant vendor failures, or public statements that do not match observed practices).
Once CalPrivacy has an audit file, it has a structured record of the company’s cybersecurity story, including what risks were identified, what was reported to senior leadership, and what remediation the organization committed to. At that point, the audit stops being an internal exercise and becomes a chronological roadmap CalPrivacy can trace to see what the company knew, when it knew it, and how (or whether) it followed through.
III. The Certification: What It Really Puts on the Line
The certification is where the audit regime becomes personal for senior leadership.
The executive who signs the certification is not promising perfection. They are not saying every control works flawlessly or that no vulnerabilities exist. Instead, they are representing, under penalty of perjury, that:
- The cybersecurity audit was conducted in accordance with CCPA regulations.
- The information in the audit submission is true and correct.
- The signer is an appropriate executive (responsible for cybersecurity audit compliance, sufficiently knowledgeable about the audit, and properly authorized).
- The business did not improperly influence the auditor’s decisions or assessments and respected the auditor’s independence.
Viewed through an enforcement lens, the certification is a regulator-facing statement about the integrity of the audit process and the accuracy of the audit report. If CalPrivacy later sees a disconnect between what the certification implies and what the underlying records show, it has focused questions for the signer:
- What did you review before signing?
- What did you understand about unresolved gaps?
- How did you get comfortable that the submission was accurate?
Those questions tie directly to governance. They assume the company has a process that gives the signer a reliable, documented view of the program’s current state. Without that process, the certification can become a point of vulnerability for both the organization and the individual executive.
IV. The Importance of “Showing Your Work”
Even before the first CCPA cybersecurity audits come due in 2028, one expectation is clear: CalPrivacy, like other regulators, will want companies to “show their work.” Regulators do not simply accept high-level assurances that “we comply” or “we take security seriously.” In investigations, they routinely ask companies to produce concrete documentation showing that security and privacy activities actually occurred as described in policies, public statements, certifications, and responses to regulators. For example, in cybersecurity-related investigations, regulators commonly ask for:
- Patch management records if a company says it “regularly applies security updates” (e.g., change tickets, scan reports, deployment logs).
- Training records if policies require annual security or privacy training (e.g., completion reports, attendance records, training materials).
- Vendor diligence files if contracts or policies say third parties are subject to security reviews (e.g., questionnaires, SOC reports, risk assessments).
- Incident logs and response documentation where the company describes a formal incident response process.
The expectation is straightforward: when a company represents that a control exists or a process occurs, it should be prepared to point to contemporaneous documentation that reasonably supports that statement. Given CalPrivacy’s mandate and the creation of the Audits Division (which we review in more detail in Section V), it is reasonable to expect CalPrivacy to apply the same “show your work” mindset to CCPA cybersecurity audits — focusing not just on whether an audit was completed, but on whether the audit file, remediation tracking, and related operational records substantiate what the company says about its program.
With that framing in mind, if CalPrivacy obtains a company’s audit materials in an investigation, it is likely to use them to answer three core enforcement questions.
1. What did the company know, and when? Audit reports and their supporting documents must identify security gaps, weaknesses, and material risks, along with planned remediation and timelines. Over multiple audit cycles, this creates a history of:
- The weaknesses, vulnerabilities, or deficiencies identified.
- How critical each issue was.
- How long it took the company to address each issue.
After a security incident, CalPrivacy can compare the root cause to the issues flagged in prior audits that the company already knew about. Any perceived failure to timely address a known vulnerability will likely be a focal point in enforcement or litigation.
2. Are the company’s statements accurate and consistent? The certification requires an executive to attest, under penalty of perjury, that the audit was conducted as required and that the information in the submission is true and correct. The audit report, likewise, is required to include specific findings, gaps, risks, and remediation commitments. In enforcement, CalPrivacy can compare:
- What the written certification and audit report represent about the state of the security program or how the audit was performed; and
- What the supporting evidence behind the audit (e.g., workpapers, testing documentation, and underlying records) actually shows about the company’s controls, practices, and follow-through.
CalPrivacy can also look at what the company has said elsewhere about its security practices — for example, in privacy policies and website statements, breach notification letters, representations to customers, partners, or regulators, and disclosures to investors. Gaps between the company’s external story and its internal audit record can quickly become a central enforcement concern. In an enforcement action, regulators may also treat those public-facing statements about cybersecurity as a basis to seek additional civil penalties under other state laws, such as California’s Unfair Competition Law or False Advertising Law.
3. How serious and sustained were remediation efforts? Because the audit report must describe gaps, remediation plans, and timelines, it gives CalPrivacy a way to assess the company’s prioritization of cybersecurity issues and its follow-through. CalPrivacy can evaluate:
- Whether high-risk issues were given realistic deadlines.
- Whether deadlines were met or repeatedly deferred.
- Whether unresolved items were treated as acceptable risks, short-term trade-offs, or simply allowed to linger without clear decisions.
A record showing thoughtful prioritization and steady progress — with visible involvement from management and board-level oversight — tells a very different enforcement story than one showing recurring findings, vague plans, and minimal action by company leadership.
V. The CCPA Enforcement Framework: Divisions, Penalties, and Extraterritorial Risk
a. The Enforcement Architecture: Who Does What
CalPrivacy has established a dedicated Audits Division, led by the Chief Privacy Auditor. That division is responsible for:
- Developing and applying privacy and security compliance audit procedures.
- Examining companies and their practices.
- Identifying and documenting potential compliance gaps that may be referred to the Enforcement Division.
The Enforcement Division is a separate internal division within CalPrivacy. Its role is to:
- Investigate potential violations.
- Decide whether to bring an enforcement action.
- Seek remedies and penalties where appropriate.
The two divisions work together. The Audits Division can refer issues it finds to the Enforcement Division, which can then use the audit report and supporting documents as key evidence in deciding whether a company failed to meet its obligations.
Note that the California Attorney General (AG) retains concurrent enforcement authority under the CCPA and can independently investigate and bring actions. More on that in the next section.
b. Penalties and Exposure
Under the CCPA, CalPrivacy can currently impose administrative fines of up to $2,663 per violation or up to $7,988 per intentional violation or per violation involving a minor’s personal information. As noted above, the California AG shares that civil enforcement authority and can seek the same penalties independently.
While there is no published guidance specifically addressing how penalties will apply in the cybersecurity audit context, some obvious categories of potential violations include:
- Failing to conduct a required audit altogether.
- Submitting a materially inaccurate certification.
- Failing to maintain required records for five years.
- Impeding auditor independence.
In addition, the audit record itself may become evidence in a broader enforcement action for failure to maintain “reasonable security.” While “reasonable security” remains a flexible concept, the 18 cybersecurity program components (discussed in Part 3) seek to give that concept more concrete meaning.
In practice, the penalty question may be less about the fine per individual violation and more about the volume of violations California regulators (including both CalPrivacy and the California AG) identify across audit cycles, consumer records, and related compliance failures. And as discussed in the next section, exposure rarely ends with California regulators — the same audit record can support enforcement and litigation by other regulators and private parties under a range of state and federal laws.
c. Extraterritorial Risk
As CalPrivacy’s specialization deepens, the audit reports and enforcement know‑how developed in California are likely to increase enforcement risk not only under the CCPA, but also under other state privacy laws when those jurisdictions coordinate with California in joint investigations or enforcement actions. Given the growing use of multistate enforcement mechanisms — under which states pool resources to investigate companies operating across jurisdictions — the technical expertise and detailed knowledge that CalPrivacy acquires through its audit requirements are unlikely to remain confined to California. We return to these spillover effects in Section VI.
VI. Spillover Risk: State Attorneys General, SEC, FTC, and White-Collar Investigations
The effect of CCPA cyber audits is unlikely to stop at California’s state border — particularly for companies operating in multiple jurisdictions, government contractors, public companies, and other organizations subject to federal agency oversight.
By way of example, the same audit reports, workpapers, and certifications that California regulators may obtain can be relevant to:
- The Securities and Exchange Commission (SEC), which requires public companies to describe their cybersecurity risk management and governance, and to disclose material incidents.
- The Federal Trade Commission (FTC), which has long pursued data security cases under Section 5 and expects evidence-based remediation, designated responsible individuals, and ongoing monitoring and reporting in its consent orders.
- The U.S. Department of Justice (DOJ), which prosecutes federal contractors for misrepresentations regarding their compliance with required standards.
- Other State Attorneys General, who have the power to bring individual or multistate investigations into a company’s public representations about cybersecurity and privacy practices under state and certain federal laws.
If CCPA audits show significant, known weaknesses while the company is telling investors, customers, or regulators a much more optimistic story, those internal materials can become important evidence in securities, consumer protection, or white-collar criminal investigations. Additionally, because the CCPA certification is made under penalty of perjury, knowingly inaccurate certifications, or altering or withholding audit records once an investigation begins, can raise issues beyond administrative privacy enforcement.
The risk is particularly pronounced at the state level. State Attorneys General from states outside of California can use those same certifications and records as a baseline for understanding the company’s overall cybersecurity posture and its public representations about that posture. Although a company’s annual audits may be designed to address California-specific requirements, the resulting audits and supporting documentation will be viewed as a rich source of information for regulators evaluating the maturity, scope, and effectiveness of a company’s cybersecurity program. Over time, State Attorneys General in other jurisdictions are likely to request CCPA audit certifications and supporting materials to determine what the company has represented — publicly or to third parties — about the nature of its cybersecurity program, and to use those representations as a foundation for bringing enforcement actions under state laws other than the CCPA. Companies should expect that California will coordinate with other state regulators, as evidenced by the Consortium of Privacy Regulators, which is a bipartisan effort to enforce state privacy laws across the country.
The practical point is not that every CCPA audit will trigger multiagency scrutiny. It is that the audit and certification create a common factual record of what the company knew and how it described its cybersecurity program, and that record can be reused by multiple regulators. Privacy and security professionals should assume that, in a serious event, the same audit file prepared for the CCPA may also be read by securities, consumer protection, and other state and/or federal authorities.
VII. Bringing It All Together
The CCPA cybersecurity audit requirement creates a structured record of how a company understands its risks, what it tells senior leadership, and how it follows through. Because businesses and auditors are required to retain all audit-related documents for at least five years — a period that directly aligns with the window for bringing an enforcement action — those records will remain accessible to California regulators long after a single audit cycle. They may also be reviewed by other regulators and, in the event of a breach or litigation, by plaintiffs’ counsel. Audits and certifications will not be judged by whether they show a risk‑free environment. They will be judged by whether they reflect a credible cybersecurity journey: issues identified, prioritized, and addressed over time; risk decisions documented; and the company’s internal story aligned with its external statements.
With that in mind, many organizations are taking preparatory steps before the first CCPA audits are due — such as running privileged readiness exercises to identify and remediate gaps in a protected setting — so that the formal audit record, when it is created, reflects a program they are prepared to defend.
In Part 5, we will examine how the same audit reports and certifications discussed here are likely to surface in data breach and class action cases, and how to structure audit and documentation practices with both regulatory and civil litigation risk in mind.