[BreachExchange] Oregon Amends Data Breach Notification Law

Inga Goddijn inga at riskbasedsecurity.com
Sun Jun 10 21:17:18 EDT 2018


https://www.huntonprivacyblog.com/2018/06/07/oregon-amends-data-breach-notification-law/

On June 2, 2018, Oregon’s amended data breach notification law
<https://olis.leg.state.or.us/liz/2018R1/Downloads/MeasureDocument/SB1551>
(“the amended law”) went into effect. Among other changes, the amended law
broadens the applicability of breach notification requirements, prohibits
fees for security freezes and related services provided to consumers in the
wake of a breach and adds a specific notification timing requirement.

*Key Provisions of the Amended Law Include:*

   - *Definition of Personal Information:* Oregon’s definition of personal
   information now includes the consumer’s first name or initial and last name
   combined with “any other information or combination of information that a
   person reasonably knows or should know would permit access to the
   consumer’s financial account.”
   - *Expanded Scope of Application:* Instead of applying only to persons
   who “own or license” personal information that they use in the course of
   their business, the amended law now also applies to any person who
   “otherwise possesses” such information and uses it in the course of their
   business. It also requires notice when an organization receives a notice of
   breach from another person that “maintains or otherwise possesses personal
   information on the person’s behalf.” Persons who maintain or otherwise
   possess information on behalf of another must “notify the other person as
   soon as is practicable after discovering a breach of security.”
   - *Notice Requirements:* The amended law adds a new notice deadline.
   Notice of a breach of security must be given in the “most expeditious
   manner possible, without unreasonable delay,” and not later than 45 days
   after discovering or being notified of the security breach. Also, while the
   amended law exempts entities that are required to provide breach
   notification under certain other requirements (e.g., federal laws such as
   HIPAA), such entities are now required to provide the Attorney General with
   any notice sent to consumers or regulators in compliance with such other
   requirements.
   - *Providing Credit Monitoring Services:* If organizations offer
   consumers credit monitoring services or identity theft prevention or
   mitigation services in connection with their notice of a breach, they
   cannot make those services contingent on the consumer providing a credit or
   debit card number, or accepting another service that the person offers to
   provide for a fee. The terms and conditions of any contract for the
   provision of these services must embody these requirements.
   - *Prohibiting Fees for Security Freezes:* Under the amended law,
   consumer reporting agencies are prohibited from charging a consumer a fee
   for “placing, temporarily lifting or removing a security freeze on the
   consumer’s report,” creating or deleting protective records, placing or
   removing security freezes on protected records, or replacing identification
   numbers, passwords or similar devices that the agency previously provided.