Oregon Amends Data Breach Notification Law To Include Vendor Obligations; Expanded Definition Of Personal Information

Jackson Lewis P.C.

As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter—Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.

Among the changes effected by SB 684 is a trimming of the Act’s short title—now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.

Key substantive changes to the data breach notification law include:

  • Expanding the definition of “breach of security” to cover personal information that a person “maintains or possesses” (where previously only information a person “maintains” was covered);
  • Adding an individual’s account username and password (or other means of account identification and authentication) to the definition of “personal information” sufficient to trigger breach notification obligations—whether or not combined with the individual’s real name;
  • Defining the terms “covered entity” and “vendor,” to replace the cumbersome language in the current statute (g., “A person that owns or licenses personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities and that was subject to a breach shall give notice . . . .” becomes “A covered entity that was subject to a breach shall give notice . . . .”).
  • Creating new obligations for “vendors,” including a requirement to notify the applicable covered entity within 10 days of discovery of a breach, and a requirement that the vendor notify the state Attorney General if said breach affects more than 250 consumers or an undetermined number of consumers (notification to the covered entity was previously only required “as soon as is practicable” after discovery, and vendors had no obligation to notify the Attorney General); and,
  • Specifying that covered entities or vendors in compliance with HIPAA or the GLBA (and subject thereto) are exempt from the state’s data breach notification requirements, and adding that compliance with the data security safeguards set forth in HIPAA or the GLBA may be raised as an affirmative defense in any action alleging that a covered entity or vendor has failed to comply with OCIPA’s own data security safeguarding requirements.

For organizations subject to the new law, including anyone that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information” in the course of business, the biggest change to note is that the disclosure of usernames and passwords alone is not sufficient to trigger breach notification obligations. Companies should also make an effort to determine whether they may be acting as a “vendor” under OCIPA’s new definition (“a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information”), as vendors entities will have new obligations when the amendments go into effect on January 1, 2020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.