Oregon Updates Its Data Breach Notification Law
Thursday, March 29, 2018
S 1551, Oregon, breach notification, modification, personal information, financial accounts
Print Mail Download i

Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information that which would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice also has to be made if an entity [i.e. Entity A] “receive notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf.

When providing notice, companies must notify affected individuals within 45 days of discovering or receiving notification of a breach. This changes the prior “expeditious” and “without undue delay” requirement. Companies must now also take “reasonable measures” to figure out what happened. They must also use reasonable measures to figure out impacted people’s contact information. Reasonable measures are also specifically required for restoring the integrity of the information.

Oregon previously had requirements for contents of notice. Added to the list of required content is the contact information for the entity that gave notice.

Oregon, like other states, provides for exemptions if companies are required to notify under federal laws. Now, however, those entities must also give the Oregon AG a copy of the notice sent to individuals and to the company’s regulator (if there are more than 250 impacted consumers). Finally, in a provision that does not exist in other similar laws, Oregon now specifically prohibits -if a company gives free credit monitoring- requiring individuals to give their credit card numbers to get the free credit monitoring.

Putting it Into Practice: Companies with nationwide incident response plans, Oregon’s modified law will require some changes. Among these are the 45-day provision, the definition of personal information, and the process those who are otherwise regulated must follow.

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

Health-e Law Episode 8: What We Heard at HIMSS 2024 with Michael Orlando & Carolyn Metnick [Podcast]
by: Michael D. Orlando , Carolyn V. Metnick
New York Court of Appeals Rules in Favor of Insurers on COVID Coverage
by: Sylvia Waghorne
Massachusetts AG Says Consumer Protection, Civil Rights, and Data Privacy Laws Apply to Artificial Intelligence
by: James G. Gatto
DOJ Plans to Apply the New Whistleblower Rewards Pilot Program to FCPA Cases
by: Michael J. Gilbert , Jennifer N. Le
Increased Scrutiny into Agents & Brokers in the Medicare Advantage Space
by: Erica J. Kraus , Calla Simeone
CMS Issues CY2025 Medicare Advantage and Part D Final Rule
by: Christine M. Clements , Arushi Pandya
CMS Announces Medicare Advantage and Part D Rates for CY 2025
by: Carter D. Gage , Krysten Thomas
SCOTUS Declines to Review New York City’s Rent Stabilization Law
by: Ross A. Honig
New Court Ruling Pokes Holes in Contractual Limitation of Liability Language in Commercial Leases
by: David M. Gao
States Sue the Biden Administration to Stop Loan Relief Plan
by: Moorari Shah , A.J. S. Dhaliwal

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins