Oregon Updates Its Data Breach Notification Law
Oregon’s governor recently signed S 1551 into law. The bill amends the state’s existing breach notice law, and the revision goes into effect in June. It expands the definition of personal information to include any information that would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice must also be given if an entity [i.e., Entity A] “receive[s] notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf.
When providing notice, companies must notify affected individuals within 45 days of discovering or receiving notification of a breach. This replaces the prior “expeditious” and “without undue delay” standard. Companies must now also take “reasonable measures” to determine what happened, and must use reasonable measures to obtain impacted individuals’ contact information. Reasonable measures are also specifically required for restoring the integrity of the information.
Oregon previously had requirements for the contents of a notice. Added to the list of required content is the contact information for the entity giving notice.
Oregon, like other states, provides an exemption for companies that are required to notify under federal law. Now, however, those entities must also give the Oregon AG a copy of the notice sent to individuals and to the company’s regulator (if more than 250 consumers are impacted). Finally, in a provision that does not exist in other similar laws, Oregon now specifically prohibits a company that offers free credit monitoring from requiring individuals to provide their credit card numbers in order to receive it.
Putting it Into Practice: For companies with nationwide incident response plans, Oregon’s modified law will require some changes. Among these are the 45-day notification deadline, the expanded definition of personal information, and the process that entities already regulated under federal law must follow.