On May 24, 2019, Oregon Governor Kate Brown signed into law Senate Bill 684, which requires vendors, service providers and other entities that maintain or possess consumers’ personal information to notify consumers of a security breach.

Effective January 1, 2020, the Oregon Consumer Identity Theft Protection Act, which the amendment renames as the Oregon Consumer Information Protection Act (the “Act”), requires vendors that discover a breach of security or have reason to believe that a breach of security has occurred to (1) notify any contracted covered entities as soon as practicable but no later than 10 days after discovering (or having reason to believe that) a breach has occurred and (2) notify the Attorney General if a breach or suspected breach involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

As amended, the Act defines a “covered entity” to mean an individual or entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” In addition, “vendor” is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

The amendment also updates the Act’s definition of “personal information” to include user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification. It also clarifies that compliance with security measures under federal data security laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), provides covered entities and vendors alleged to have violated the Act with an affirmative defense even as to information protected under the Act but not under federal laws.