State Regulatory Developments

Oregon Amends Consumer Identity Theft Protection Act

Oregon has recently made numerous amendments to its Consumer Identity Theft Protection Act (relating to the protection of consumers’ personal data and data security breach notification) including, among others, changing the name of the act, modifying and adding definitions, and providing specific timeframes when disclosures must be given in the event of a breach of security or reason to believe that such breach has happened.

First, SB 684 will change the name of the Oregon Consumer Identity Theft Protection Act to the Oregon Consumer Information Protection Act (the Act).

Second, SB 684 would expand or otherwise amend definitions, among others, relating to individuals and information covered by the Act.  SB 684 adds a definition for a “covered entity”, which is defined as a person that owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses personal information in the course of the person’s business, vocation, occupation, or volunteer activities, but excludes a person that acts solely as a vendor.  Additionally, SB 684 would expand the definition of “personal information” to now include a username or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

Further, as it relates to vendors, SB 684 requires that a vendor notify a covered entity with which the vendor has a contract as soon as is practicable, but not later than 10 days, after discovering a breach of security or having a reason to believe that a breach occurred.  If a vendor has a contract with another vendor that, in turn, has a contract with a covered entity, the vendor must notify the other vendor of a breach of security.  And, if the breach of security involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine, that vendor must notify the Oregon attorney general, unless the covered entity with which the vendor holds the relevant contract has already notified the attorney general.

Lastly, SB 648 provides that a covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not developed, implemented, and maintained reasonable safeguards to protect the security, confidentiality, and integrity of personal information covered by the Act but not subject to certain federal privacy acts by showing that the covered entity or vendor developed, implemented, and maintained reasonable security measures that would be required by those federal acts.

The changes made by SB 684 are effective on January 1, 2020.