January 27, 2021

Volume XI, Number 27

Oregon Updates Its Data Breach Notification Law

Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information any information that would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice also has to be made if an entity [i.e. Entity A] “receive notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf.

When providing notice, companies must notify affected individuals within 45 days of discovering or receiving notification of a breach. This changes the prior “expeditious” and “without undue delay” requirement. Companies must now also take “reasonable measures” to figure out what happened. They must also use reasonable measures to figure out impacted people’s contact information. Reasonable measures are also specifically required for restoring the integrity of the information.

Oregon previously had requirements for contents of notice. Added to the list of required content is the contact information for the entity that gave notice.

Oregon, like other states, provides for exemptions if companies are required to notify under federal laws. Now, however, those entities must also give the Oregon AG a copy of the notice sent to individuals and to the company’s regulator (if there are more than 250 impacted consumers). Finally, in a provision that does not exist in other similar laws, Oregon now specifically prohibits a company that gives free credit monitoring from requiring individuals to give their credit card numbers to get the free credit monitoring.

Putting it Into Practice: For companies with nationwide incident response plans, Oregon’s modified law will require some changes. Among these are the 45-day provision, the definition of personal information, and the process those who are otherwise regulated must follow.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 88

About this Author

Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney
Associate

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

202-747-2658
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077