Oregon recently amended its data breach notification statute, now called the “Oregon Consumer Information Protection Act.” The amendments, which go into effect on January 1, 2020, include the following changes:
- Expanding the definition of “personal information” to include “[a] user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account” when combined with other authentication factors.
- Broadening the definition of “breach of security” to cover personal information that a person possesses.
- Specifying that covered entities or vendors that are subject to and in compliance with HIPAA or the Gramm-Leach-Bliley Act (GLBA) are exempt from the state’s data breach notification requirements to consumers. However, they must still give notice to Oregon’s Attorney General if the breach affects more than 250 Oregon consumers.
- Adding new obligations for “vendors,” which the law defines as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”
- Specifically, vendors must notify their business customers of a breach within 10 days, and they must notify Oregon’s Attorney General when a breach affects the personal information of over 250 (or an indeterminate number) Oregon consumers.
The vendor provisions represent the most substantive changes. Specifically, vendors must notify their business customers of a breach within 10 days, and they must notify Oregon’s Attorney General when a breach affects the personal information of over 250 (or an indeterminate number) Oregon consumers. In addition, Vendors are subject to the reasonable safeguards rule, which we discussed in a prior blog post.
Before January 1, 2020, companies should take steps to determine whether they qualify as a “vendor” under the law and, if necessary, implement policies and procedures to enable them to comply with the new requirements.
Questions about whether your business falls within the scope of these amendments? Contact Kristen Hilton at firstname.lastname@example.org or 503-227-1111.