Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities

Oregon has updated its breach notification laws and has broadened the definition of consumer information, updated the definition of covered entity, and expanded the law to cover vendors.

The update (Senate Bill 684) renames The Oregon Consumer Identity Theft Protection Act as The Oregon Consumer Information Protection Act, which will come into effect on January 1, 2020.

The update expands the definition of personal information to include usernames and other means of identifying a consumer which would allow access to be gained to a consumer’s account, along with any method used to authenticate a user.

The definition of covered entity has been updated to “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.”

A vendor is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

Vendors are now required to notify the covered entity of a breach within 10 days of that breach being discovered. If the vendor is a subcontractor of another vendor that deals with a covered entity, the subcontractor must notify its vendor about a breach within 10 days. Vendors are also required to send a notification to the Oregon Attorney General if a breach impacts more than 250 consumers or “a number of consumers that the vendor could not determine.”

The Oregon Consumer Identity Theft Protection Act already required covered entities to implement an information security program and reasonable safeguards to protect any data maintained, stored, managed, processed, collected, received, or otherwise acquired.

Under the new Oregon Consumer Information Protection Act, covered entities and vendors that are able to demonstrate compliance with the security requirements of federal laws such as HIPAA and the HITECH Act can use that as an affirmative defense in actions and proceeding that allege noncompliance with the security requirements of the Oregon Consumer Information Protection Act to maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information. That exception applies even if the types of data are covered by the Oregon Consumer Information Protection Act but are not covered by the requirements of those federal acts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.