Recent Amendments to Oregon’s Data Breach Law

Oregon recently amended its data breach notification statute, now called the “Oregon Consumer Information Protection Act.”  The amendments, which go into effect on January 1, 2020, include the following changes:

  • Expanding the definition of “personal information” to include “[a] user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account” when combined with other authentication factors.
  • Broadening the definition of “breach of security” to cover personal information that a person possesses.
  • Specifying that covered entities or vendors that are subject to and in compliance with HIPAA or the Gramm-Leach-Bliley Act (GLBA) are exempt from the state’s data breach notification requirements to consumers. However, they must still give notice to Oregon’s Attorney General if the breach affects more than 250 Oregon consumers.
  • Adding new obligations for “vendors,” which the law defines as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”
  • Specifically, vendors must notify their business customers of a breach within 10 days, and they must notify Oregon’s Attorney General when a breach affects the personal information of over 250 (or an indeterminate number) Oregon consumers.

The vendor provisions represent the most substantive changes. Specifically, vendors must notify their business customers of a breach within 10 days, and they must notify Oregon’s Attorney General when a breach affects the personal information of over 250 (or an indeterminate number) Oregon consumers. In addition, vendors are subject to the reasonable safeguards rule, which we discussed in a prior blog post.

Before January 1, 2020, companies should take steps to determine whether they qualify as a “vendor” under the law and, if necessary, implement policies and procedures to enable them to comply with the new requirements.

Questions about whether your business falls within the scope of these amendments? Contact Kristen Hilton at khilton@sussmanshank.com or 503-227-1111.
