State Regulatory Developments

Oregon Amends Provisions Regarding Notice Requirements for Breach of Security

Oregon has issued Senate Bill 1551, which requires that any person that owns, licenses or otherwise possesses personal information that was subject to a breach of security, or that received notice of breach of security from another person that maintains or otherwise possesses personal information on the person’s behalf, to notify all consumers to whom the personal information pertains within 45 days after discovering or receiving notice of the breach of security.

The Senate Bill also requires, among other things, that when providing notice to any consumers affected by a security breach, the person giving notice must take reasonable measures to do the following: determine the correct contact information for the intended recipient of the notice; define the scope of the security breach; and restore the integrity, security, and confidentiality of the personal information.