California's cybersecurity audit rule and its impact for class litigation

Last year, the California Privacy Protection Agency adopted a major new rule requiring certain businesses to conduct an annual cybersecurity audit. The rule went into effect 1 Jan. 2026. This pioneering requirement, the first of its kind among state data privacy laws of general applicability, may entail substantial compliance efforts for affected companies to identify and correct cybersecurity shortcomings. While compliance concerns may generate new anxiety, the audit requirement's impact on data breach litigation could have equally significant long-term implications for businesses operating in California. 

The compliance requirements are considerable and complex, covering eighteen different technical and organizational components of an entity's cybersecurity practice. Under the rule, covered entities are required to submit to the agency, each calendar year, a written certification that the business has completed a cybersecurity audit report that meets the rule’s standards.  

Although the report itself does not need to be filed, the need to create and certify one highlights an item of high interest to a plaintiff’s counsel. As a result, the audit will likely become a focal point of plaintiffs' discovery requests in data breach class actions as they seek to prove negligence or violations of state data privacy laws.  

Discovery and privilege

With the rise in cybersecurity, data breaches and privacy-related litigation, plaintiffs are increasingly seeking materials they can leverage to argue that a business’s cybersecurity or privacy-related practices are deficient or negligent in some fashion. Cybersecurity audit reports and risk-assessment narratives will therefore be compelling targets for discovery, particularly when the business must identify gaps in its security posture. Additional materials generated during an audit, such as supporting analyses, drafts, internal communications and documentation showing when risks were identified and how they were addressed, will likewise be of substantial interest. 

Importantly, shielding these materials from discovery may be difficult. While there may be good-faith arguments to limit the discovery of such materials, such as a claim of privilege or attorney work product over materials prepared by or for a lawyer, courts have often been unwilling to treat materials prepared for these types of purposes as protected from discovery. 

Indeed, California Consumer Privacy Act audits and risk assessments are not automatically privileged. While California law preserves traditional evidentiary privileges, such as attorney-client privilege and attorney work product, the statute does not provide any shield or discovery limitation for compliance documents. If an audit is primarily conducted as a business or regulatory exercise — rather than to obtain legal advice — it may be treated as fully discoverable. As a result, businesses should anticipate being required to disclose a cybersecurity audit and certain supporting materials prepared as part of the CCPA certification and handle those materials accordingly.  

Even when companies believe the final audit report is defensible, discovery fights often focus on what came before it. Drafts, internal emails, risk scoring worksheets and preliminary gap analyses are fertile ground for plaintiffs arguing that the company knew of specific vulnerabilities, chose not to remediate them and downplayed those risks in the final audit. 

It begs the question: What can a company subject to the CCPA do to combat the risk of crafty lawyering that paints such a narrative? Companies may want to consider additional precautions, such as maintaining clear divisions and limited handling of any legal work product from more traditional compliance and business analysis, to foster a sense of control and readiness.  

Companies should carefully document the audit process, clearly distinguish legal advice from operational assessments and maintain a structured record to prevent unfavorable inferences during litigation. Particularly sophisticated companies have begun to take a two-track approach, as upheld in several data breach cases, where more traditional regulatory compliance and operational activities proceed on one side while legal advice and attorney work product remain on the other. This separation can help organizations doing business in California feel more in control of their legal protections and proactive in safeguarding privileged information.

How can companies prepare for a heightened risk of data breach litigation?

The risk that opposing counsel could obtain copies of up to five years of cybersecurity audits during discovery may disincentivize companies from fully participating in cybersecurity audits. The risk of resource and cost-intensive class action litigation, whether the claim has merit, may be especially impactful for startup businesses that may not yet have as robust a cybersecurity program or legal team as more established companies. The intersection of audit requirements and data breach litigation may create an environment where organizations are more hesitant to candidly document undesirable findings. 

However, as in judo, the martial art where an individual uses an opponent's weight to their advantage, entities can view the weight of a cybersecurity audit as an opportunity to build a strong defense against claims of cybersecurity negligence or regulatory violations. This perspective can help the audience feel optimistic about leveraging an audit as a strategic tool in litigation defense. 

A strong showing in a cybersecurity audit conducted under an approved cybersecurity framework, such as those issued by the U.S. National Institute of Standards and Technology, International Organization for Standardization or Center for Internet Security, demonstrates that the organization has invested time, talent and infrastructure to minimize, not eliminate, cybersecurity risk. A cybersecurity audit can help eliminate actual compliance gaps as well as perceived gaps, where ambiguous discussions about cybersecurity readiness could paint an incorrect picture of what is otherwise a robust and appropriate security posture. 

No defense system is perfect, but one goal of a company audit is to provide a clear, evidence-based picture of its cybersecurity practices to rebut any claims of negligence and deter litigation.