New Update to Oregon Data Breach Notification Law Now Covers Vendors of Covered Entities


An update to Oregon's breach notification law has been approved. The update expands the definition of consumer data, modifies the meaning of covered entity, and extends the law to include vendors.

Senate Bill 684 changed the name of The Oregon Consumer Identity Theft Protection Act to The Oregon Consumer Information Protection Act, and it takes effect on January 1, 2020.

The updated definition of personal information now includes usernames and other means of identifying a consumer that allow access to the consumer's account, together with any method used to authenticate a consumer.

A covered entity is now defined as an individual that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person's business, vocation, occupation or volunteer activities.

A vendor is a person or entity with which a covered entity enters into an agreement for services such as maintaining, storing, managing, processing or accessing personal data for the purpose of, or in connection with, providing services to or for the covered entity.

Vendors are now required to notify the covered entity of a breach within 10 days of discovering it. If the vendor is a subcontractor of another vendor that works with a covered entity, the subcontractor must inform its vendor of the breach within 10 days. Vendors must also notify the Oregon Attorney General when a breach affects more than 250 consumers or "an undetermined number of consumers."

The Oregon Consumer Identity Theft Protection Act currently requires covered entities to maintain an information security program and reasonable safeguards to protect any information they maintain, store, manage, process, collect, receive, or otherwise obtain.

Under the new Oregon Consumer Information Protection Act, both covered entities and vendors must be able to show that they comply with the security requirements of federal regulations such as HIPAA and the HITECH Act. Such compliance can be used as an affirmative defense in actions and proceedings alleging noncompliance with the Oregon Consumer Information Protection Act's requirement to maintain reasonable safeguards protecting the security, confidentiality and integrity of personal information. This exception applies even to types of information that the Oregon Consumer Information Protection Act covers but those federal acts do not.