Recently passed amendments to Oregon’s Consumer Identity Theft Protection Act take effect on June 2, 2018. One of the most significant changes is to require notice to consumers, and Oregon’s Attorney General if the breach impacts more than 250 consumers, “not later than 45 days after discovering or receiving notification of the breach of security.” Significantly, HIPAA covered entities are exempt from the 45-day time period. Previously, the law did not specify a notice deadline.
The amendments expand the scope of those who must provide notice to include a person who “otherwise possesses” personal information. They also mandate that reasonable measures be undertaken to:
- Determine sufficient contact information for the intended recipient of the notice;
- Determine the scope of the breach of security; and
- Restore the reasonable integrity, security and confidentiality of the personal information.
In addition, the law revises Oregon’s “reasonable safeguards” rule. That rule states that a person that owns, maintains or otherwise possesses personal information used in the course of the person’s business, vocation, occupation or volunteer activities shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information.
The reasonable safeguards rule now also covers those who have control over or access to such data, and it imposes “reasonable regularity” requirements on certain types of safeguards needed for a compliant information security program. For instance, training and managing employees in security program practices and procedures, reviewing user access privileges, and identifying reasonably foreseeable internal and external risks all must be done with reasonable regularity. Businesses with fewer than 100 employees continue to enjoy less stringent obligations.
Other notable changes to the law include:
- Any owner or licensee of personal information required to notify Oregon’s Attorney General of a breach must also provide the Attorney General at least one copy of any notice sent to consumers. Copies shall be provided within a reasonable time.
- Offers for free credit monitoring and identity theft prevention services cannot be conditioned on the consumer providing a credit or debit card number or on the acceptance of any other fee-based service.
- A consumer reporting agency may no longer charge any fee for placing, temporarily lifting or removing a security freeze on the consumer’s consumer report or creating or deleting a protective record.
Oregon’s amended Consumer Identity Theft Protection Act may require revisions to your information security policies and procedures, as well as your incident response plan. If you own, license, or possess personal information, review your incident response plan to ensure it complies with the law after June and will enable you to satisfy the 45-day notice requirement. In addition, anyone with control of or access to personal information should evaluate their information security program to make certain it includes the administrative, technical, and physical safeguards identified in the statute.