Oregon Amends Data Breach Notification Law to Apply to Vendors
Thursday, June 6, 2019
Oregon Data Breach Notification Law
Print Mail Download i

On May 24, 2019, Oregon Governor Kate Brown signed into law Senate Bill 684, which requires vendors, service providers and other entities that maintain or possess consumers’ personal information to notify consumers of a security breach.

Effective January 1, 2020, the Oregon Consumer Identity Theft Protection Act, which the amendment renames as the Oregon Consumer Information Protection Act (the “Act”), requires vendors that discover a breach of security or have reason to believe that a breach of security has occurred to (1) notify any contracted covered entities as soon as practicable but no later than 10 days after discovering (or having reason to believe that) a breach has occurred and (2) notify the Attorney General if a breach or suspected breach involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

As amended, the Act defines a “covered entity” to mean an individual or entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” In addition, “vendor” is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

The amendment also updates the Act’s definition of “personal information” to include user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification. It also clarifies that compliance with security measures under federal data security laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), provides covered entities and vendors alleged to have violated the Act with an affirmative defense even as to information protected under the Act but not under federal laws.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins