December 11, 2019

December 10, 2019

Subscribe to Latest Legal News and Analysis

December 09, 2019

Subscribe to Latest Legal News and Analysis

Oregon: Vendor Meet Regulator, Regulator Meet Vendor

Oregon amended its data breach notice statute (ORS §§ 646A.600 – 646A.628) on May 24, 2019. Beginning January 1, 2020, Oregon will be the first state to explicitly require vendors to notify the attorney general about data breaches that meet certain thresholds.

Vendors are often required (by contract and/or by law) to notify business customers within a time period after a data breach has occurred. But, under the new Oregon law, vendors will be legally obligated to notify the state attorney general when a data breach affects the personal information of over 250 Oregon consumers, or when the number cannot be determined, “in the most expeditious manner possible” but not “later than 45 days” after learning of the breach. The notification includes information on when the breach occurred, when and how the breach was discovered, types of data that was accessed and the number of Oregon residents impacted. Vendor’s obligation to notify is satisfied if the business customer notifies the attorney general.

The new law also addresses the situation where sub-vendors provide services to vendors that, in turn, provide services to business customers. Those second degree vendors must notify the first degree vendors, so the first degree vendors can notify the business customers. As a result, obligations turtle all the way down.

This law incentivizes parties to prepare for data incidents during the contracting phase. In Oregon, organizations must be careful when coordinating breach responses, particularly discerning notification obligations, and ultimately who will take on the cost and care of providing notice to the attorney general. Business customers and vendors can address breach notification procedures in their contracts and avoid waiting until a breach to discuss how to respond.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

Dominic Dhil Panakal Womble Atlanta

Dominic is a member of the firm’s IP Transactions, FinTech, and Privacy and Cybersecurity practices.

Dominic advises clients on international and domestic data privacy laws.  He also assists in drafting Software as a Service agreements, privacy policies, terms of use, and licensing contracts.