Oregon has approved an updated breach notification law. The update broadens the definition of consumer data, revises the meaning of covered entity, and adds vendors to the entities covered by the law.
Under Senate Bill 684, the Oregon Consumer Identity Theft Protection Act is renamed the Oregon Consumer Information Protection Act; the changes take effect on January 1, 2020.
In the updated law, the definition of personal information now includes usernames and other means of identifying a consumer that allow access to a consumer account, as well as any means of authenticating a consumer.
Covered entity is currently defined as any entity that owns, licenses, preserves, stores, controls, gathers, or processes acquired personal data in the course of an individual’s business, vocation, work or volunteer activities.
A vendor is any individual or entity that a covered entity contracts with for services such as maintaining, storing, controlling, processing or retrieving personal information in connection with the services provided to or for the covered entity.
Currently, vendors must notify the covered entity of a breach within 10 days of discovering it. If the vendor is a subcontractor of another vendor working with a covered entity, the subcontractor must inform its vendor of the breach within 10 days. Vendors must also notify the Oregon Attorney General when a breach affects more than 250 consumers or an unknown number of persons.
The Oregon Consumer Identity Theft Protection Act presently requires covered entities to implement an information security program and appropriate safeguards to protect any personal information they collect, save, process, accumulate or receive.
The new Oregon Consumer Information Protection Act states that both covered entities and vendors may demonstrate compliance with the security requirements of federal regulations such as HIPAA and the HITECH Act. Such compliance may be used as a defense in actions and proceedings that allege noncompliance with the Act’s requirement to implement appropriate safeguards for the security, confidentiality and integrity of personal data. That exception applies even where the Oregon Consumer Information Protection Act covers types of data that are not covered by the requirements of those federal acts.