August 19, 2019

August 19, 2019

Subscribe to Latest Legal News and Analysis

August 16, 2019

Subscribe to Latest Legal News and Analysis

Oregon Amends Data Breach Notification Law to Apply to Vendors

On May 24, 2019, Oregon Governor Kate Brown signed into law Senate Bill 684, which requires vendors, service providers and other entities that maintain or possess consumers’ personal information to notify consumers of a security breach.

Effective January 1, 2020, the Oregon Consumer Identity Theft Protection Act, which the amendment renames as the Oregon Consumer Information Protection Act (the “Act”), requires vendors that discover a breach of security or have reason to believe that a breach of security has occurred to (1) notify any contracted covered entities as soon as practicable but no later than 10 days after discovering (or having reason to believe that) a breach has occurred and (2) notify the Attorney General if a breach or suspected breach involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

As amended, the Act defines a “covered entity” to mean an individual or entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” In addition, “vendor” is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

The amendment also updates the Act’s definition of “personal information” to include user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification. It also clarifies that compliance with security measures under federal data security laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), provides covered entities and vendors alleged to have violated the Act with an affirmative defense even as to information protected under the Act but not under federal laws.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved

TRENDING LEGAL ANALYSIS


About this Author

Gail Kamal Insurance Litigation Attorney
Associate

Gail J. Kamal focuses on complex civil litigation and regulatory matters in the insurance and financial services industries in federal and state courts and in arbitration and mediation proceedings. She has experience with matters involving breach of contract, unfair competition and deceptive trade practices, employment classification, consumer financial protection laws, and cybersecurity and privacy.

Gail worked as a judicial intern for the Circuit Court of Cook County, Illinois, and served a clerkship at the U.S. Department of Justice, Office of Vaccine Litigation...

202-230-5239