
Complying with Enhanced Cybersecurity Safeguards in California

January 19, 2021 | Brian G. Cesaratto and Deanna Ballesteros



The California Privacy Rights Act (CPRA) leaps forward on cybersecurity by amending the California Consumer Privacy Act (CCPA) to impose enhanced protections. The CPRA enhancements apply to "for profit" companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information.

Those businesses must:

  • Provide reasonable cybersecurity safeguards for all categories of personal information.
  • Conduct annual cybersecurity audits and make regulatory filings of risk assessments with the newly created California Privacy Protection Agency if the processing of personal information presents a significant risk to consumers' privacy or security.
  • Require contractual clauses and other safeguards to address supply chain security and privacy risks when they transfer, share or otherwise disclose personal information to their vendors and other third parties.

The CPRA also:

  • Imposes breach liability subject to a private right of action and statutory damages for failures to reasonably protect an individual's email in combination with a password or security question and answer permitting access to an online account (i.e., login credentials).
  • Removes 30-day safe harbors for organizations attempting to insulate themselves after the fact from statutory damages or fines by implementing cybersecurity safeguards following a data breach or following a notice of noncompliance.

The CPRA becomes effective on Jan. 1, 2023, except for requests by consumers to access their data, which will "look back" to data collected by the business on or after an earlier Jan. 1, 2022 effective date. Businesses should plan now to address these enhanced requirements because the effective implementation of operational and contractual processes will require significant lead time. One important consideration for businesses is how they will meet these new safeguards requirements in connection with internal and third-party systems, services, and applications collecting or processing categories of personal data of California residents beyond Social Security numbers, credit/debit card numbers and similar private data. The amendments will impact the duties of the workforce responsible for developing customer products, technologies and services, or who otherwise handle individually identifiable customer information, as well as information technology professionals and auditors responsible for cybersecurity. Retail, hospitality, online and other businesses that broadly collect personal information of their California customers will be among the businesses impacted by the new cybersecurity requirements.

Reasonable Safeguards Requirement for All Categories of Personal Information

The obligation to implement reasonable cybersecurity safeguards is expressly extended under the CPRA beyond the current obligation to protect Social Security numbers and other private information (such as drivers' license numbers, other government identifiers, and medical, biometric and other information defined under Cal. Civ. Code §1798.81.5) to include all categories of personal information. The CPRA mandates that it is a "responsibility" of businesses to "take reasonable precautions to protect consumers' personal information from a security breach." The CPRA further expressly requires as an affirmative "obligation" that a business that "collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure in accordance with Section 1798.81.5." Businesses will need to consider how to reasonably protect any and all individually identifiable information that under the CCPA's broad definition identifies, relates to, describes or is reasonably capable of being associated with, or could be linked, directly or indirectly, with a particular individual or household. The CPRA's inclusion of all categories of personal information under an express affirmative obligation to implement reasonable cybersecurity safeguards brings California in lockstep with the EU's GDPR requirement mandating appropriate risk-based safeguards for all personal data. The expanded coverage will require businesses to identify all categories of personal information collected or processed for their customers, the information systems that collect or process this wider scope of data, the staff that handles those processes, and a risk-based determination of the reasonable safeguards needed to protect the information from unauthorized access and other security threats.

Risk Assessments and Cybersecurity Audits Required for Businesses Whose Data Practices Present a "Significant Risk" to Consumers' Privacy or Security

The CPRA provides for the issuance of regulations requiring the performance of an annual cybersecurity audit by those businesses whose processing presents a "significant risk" to privacy or security "including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent." The CPRA provides for the regulations to list those "factors to be considered in determining when processing may result in significant risk to the security of personal information [and] shall include the size and complexity of the business and the nature and scope of processing activities." At a minimum, businesses that collect "sensitive personal information" under the CPRA's new definition are likely to fall within the audit requirement because of the foreseeable adverse consequences of a breach. "'Sensitive personal information' means: . . . (A) a consumer's Social Security, driver's license, state identification card, or passport number; (B) a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocation; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer's genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer's health; or (C) personal information collected and analyzed concerning a consumer's sex life or sexual orientation." The requirement of an "independent" and "thorough" audit is a significant safeguard. Whatever the particulars fleshed out by future regulations, the requirement of an audit function that must be independent and thorough will require robust corporate processes for auditing cybersecurity safeguards as to systems, applications and workers that collect or process "significant risk" data supported by policies and procedures.

The CPRA also requires that businesses engaged in this "significant risk" processing be subject to regulations requiring the filing with the California Privacy Protection Agency "on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, with the goal of restricting or prohibiting such processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public." Risk assessments are a foundational best practice for an effective information security program and are required under certain statutory schemes, including the NY SHIELD Act and HIPAA. The requirement, however, that the actual risk assessment be subject to regularized governmental filing and regulatory oversight is a significant development. Organizations should begin now to identify their higher risk processing activities and consider the sufficiency of their risk assessments of these practices using a defensible risk assessment framework.

Contractual and Other Safeguards Required for Sharing Personal Information with Third Parties

A business must include, inter alia, in its contracts with third parties, service providers or contractors with whom it shares personal information that the receiving party (i) comply with "applicable obligations under this title" (including reasonable safeguards), (ii) "obligate those persons to provide the same level of privacy protection as is required by this title," and (iii) grant the business the right to take reasonable steps to stop and remediate unauthorized use. In addition, the contract must include a requirement that the third party, service provider, or contractor notify the business if it makes a determination that it "can no longer meet its obligations" to comply with the privacy and cybersecurity obligations. This last requirement mirrors recent guidance under the GDPR in connection with cross-border data transfers including use of contractual safeguards for the data importer to provide prompt advance notice to the data exporter of its inability to comply with its contractual commitments and meet an "essentially equivalent level of data protection." Businesses that disclose or transfer personal information to other organizations should begin to look now at those contractual agreements and consider modifications or addendums. These agreements, for example, may renew in advance of the Jan. 1, 2023 effective date but apply to data collected or processed on or after the effective date, or govern data practices after Jan. 1, 2022 that may be subject to a future consumer access request.

Expanded Breach Liability and Elimination of 30-Day Cure Periods

The CPRA now provides for a private right of action and statutory minimum damages for the unauthorized access and exfiltration, theft or disclosure of consumer log-in information as a result of the business's violation of the duty to implement and maintain reasonable cybersecurity practices. Moreover, for any breach subject to the private right of action, the CPRA provides that "the implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 in the 30 day period following notice of a breach does not constitute a cure with respect to that breach." Violations that did not result in a breach remain curable within the 30-day notice period. Similarly, the CCPA's provision providing that a business may avoid a violation and administrative fines if it cures any alleged violation within 30 days after being notified of any alleged noncompliance has been eliminated. Future litigation and administrative enforcement actions will include a focus on the CPRA's affirmative obligation to provide preventative reasonable safeguards for all categories of personal information in advance of a breach or alleged violation. Administrative fines under the CPRA remain significant—$2,500 for each violation and $7,500 for each intentional violation.

Businesses should plan now for compliance while watching for regulatory clarification in advance of the effective date. Planning for compliance should include an analysis of supply chain, internal system and workforce risks to all categories of personal information. Organizations should consider the need for contractual safeguards, as well as determine the cybersecurity safeguards and risk assessment and audit processes that may need to be adopted in light of the CPRA's enhancements to the CCPA.

Brian G. Cesaratto is an attorney in the New York office and Deanna Ballesteros is an attorney in the Los Angeles office of Epstein Becker Green. © 2021 Epstein Becker Green. All rights reserved. Republished with permission.
