Oregon Amends Data Breach Notification Law to Include Vendor Obligations; Expanded Definition of Personal Information
As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter—Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.
Among the changes effected by SB 684 is a trimming of the Act’s short title—now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.
Key substantive changes to the data breach notification law include:
- Expanding the definition of “breach of security” to cover personal information that a person “maintains or possesses” (where previously only information a person “maintains” was covered);
- Adding an individual’s account username and password (or other means of account identification and authentication) to the definition of “personal information” sufficient to trigger breach notification obligations—whether or not combined with the individual’s real name;
- Defining the terms “covered entity” and “vendor,” to replace the cumbersome language in the current statute (e.g., “A person that owns or licenses personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities and that was subject to a breach shall give notice . . . .” becomes “A covered entity that was subject to a breach shall give notice . . . .”);
- Creating new obligations for “vendors,” including a requirement to notify the applicable covered entity within 10 days of discovery of a breach, and a requirement that the vendor notify the state Attorney General if said breach affects more than 250 consumers or an undetermined number of consumers (notification to the covered entity was previously only required “as soon as is practicable” after discovery, and vendors had no obligation to notify the Attorney General); and,
- Specifying that covered entities or vendors in compliance with HIPAA or the GLBA (and subject thereto) are exempt from the state’s data breach notification requirements, and adding that compliance with the data security safeguards set forth in HIPAA or the GLBA may be raised as an affirmative defense in any action alleging that a covered entity or vendor has failed to comply with OCIPA’s own data security safeguarding requirements.
For organizations subject to the new law, including anyone that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information” in the course of business, the biggest change to note is that the disclosure of usernames and passwords alone is now sufficient to trigger breach notification obligations. Companies should also make an effort to determine whether they may be acting as a “vendor” under OCIPA’s new definition (“a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information”), as vendor entities will have new obligations when the amendments go into effect on January 1, 2020.