Oregon amended its data breach notice statute (ORS §§ 646A.600 – 646A.628) on May 24, 2019. Beginning January 1, 2020, Oregon will be the first state to explicitly require vendors to notify the attorney general about data breaches that meet certain thresholds.

Vendors are often required (by contract and/or by law) to notify business customers within a time period after a data breach has occurred. But, under the new Oregon law, vendors will be legally obligated to notify the state attorney general when a data breach affects the personal information of over 250 Oregon consumers, or when the number cannot be determined, “in the most expeditious manner possible” but not “later than 45 days” after learning of the breach. The notification includes information on when the breach occurred, when and how the breach was discovered, types of data that was accessed and the number of Oregon residents impacted. Vendor’s obligation to notify is satisfied if the business customer notifies the attorney general.

The new law also addresses the situation where sub-vendors provide services to vendors that, in turn, provide services to business customers. Those second degree vendors must notify the first degree vendors, so the first degree vendors can notify the business customers. As a result, obligations turtle all the way down.

This law incentivizes parties to prepare for data incidents during the contracting phase. In Oregon, organizations must be careful when coordinating breach responses, particularly discerning notification obligations, and ultimately who will take on the cost and care of providing notice to the attorney general. Business customers and vendors can address breach notification procedures in their contracts and avoid waiting until a breach to discuss how to respond.