[BreachExchange] Oregon Amends Data Breach Notification Law to Apply to Vendors

Destry Winant destry at riskbasedsecurity.com
Fri Jun 7 06:15:08 EDT 2019


https://www.natlawreview.com/article/oregon-amends-data-breach-notification-law-to-apply-to-vendors

On May 24, 2019, Oregon Governor Kate Brown signed into law Senate
Bill 684, which requires vendors, service providers and other entities
that maintain or possess consumers’ personal information to notify
consumers of a security breach.

Effective January 1, 2020, the Oregon Consumer Identity Theft
Protection Act, which the amendment renames as the Oregon Consumer
Information Protection Act (the “Act”), requires vendors that discover
a breach of security or have reason to believe that a breach of
security has occurred to (1) notify any contracted covered entities as
soon as practicable but no later than 10 days after discovering (or
having reason to believe that) a breach has occurred and (2) notify
the Attorney General if a breach or suspected breach involved the
personal information of more than 250 consumers or a number of
consumers that the vendor could not determine.

As amended, the Act defines a “covered entity” to mean an individual
or entity that “owns, licenses, maintains, stores, manages, collects,
processes, acquires or otherwise possesses personal information in the
course of the person’s business, vocation, occupation or volunteer
activities.” In addition, “vendor” is defined as an individual or
entity “with which a covered entity contracts to maintain, store,
manage, process or otherwise access personal information for the
purpose of, or in connection with, providing services to or on behalf
of the covered entity.”

The amendment also updates the Act’s definition of “personal
information” to include user names or other means of identifying a
consumer for the purpose of permitting access to the consumer’s
account, together with any other method necessary to authenticate the
user name or means of identification. It also clarifies that
compliance with security measures under federal data security laws,
such as the Health Insurance Portability and Accountability Act
(HIPAA) or the Gramm-Leach-Bliley Act (GLBA), provides covered
entities and vendors alleged to have violated the Act with an
affirmative defense even as to information protected under the Act but
not under federal laws.

