This May, Oregon’s legislature passed a set of amendments to the state’s already relatively robust data breach notice statute (ORS §§ 646A.600 – 646A.628). The most significant changes are around service providers, who will take on an independent obligation to notify the state Attorney General (AG) about data security breaches. A handful of other, more subtle changes are also included in the amendments, which take effect January 1, 2020. Oregon also passed an IoT security bill to establish minimal protections around connected devices.
Notice Obligation for Service Providers
Under the amended Oregon law, service providers will have an independent, explicit obligation to notify the state AG when subject to a security breach. Service providers, termed “vendors” under the statute, are the constellation of companies that store, manage, and process data on behalf of other businesses. The businesses that ultimately control the data and contract with service providers are newly defined as “covered entities” in the amendments.
The obligation that service providers notify the AG is triggered by breaches affecting the personal information of more than 250 Oregon consumers, or when the number affected cannot be determined. This is separate from the existing obligation on service providers to notify their business customers of data breaches. The new obligation to notify the AG is satisfied if the service provider’s business customer notifies the AG. In practice, that means service providers must notify the AG if their customers do not – which has some interesting implications.
Complications in Incident Response
The new obligation increases the number of parties involved in incident response and notice decisions. There are good reasons for businesses to be careful about how they coordinate breach response with service providers, including preserving legal privilege, but at the least businesses and service providers will need to communicate about whether notice is happening. Businesses and their service providers could legitimately reach different conclusions about the need for notice in the same incident, but service providers might play it safe by giving notice to the AG rather than risk noncompliance. Service providers also could notify the AG regardless of whether their business customers provide notice, there being no prohibition on duplicate notice. Ultimately, the new obligation on service providers may increase breach notice, but the different incentives and pressures for businesses and their service providers may make it a more complicated process for all involved.
Address Service Provider Notice in Contracts
Most businesses would not want to be in the situation of notifying the state AG after their service provider already did so. Businesses contracting with service providers that touch any notice-triggering personal information, whether payment processors, web hosts, app developers, or cloud providers, should keep this in mind when reviewing service provider contracts, and consider adding provisions to help manage this process. For example, a business could require its service providers to give advance warning and consult with the business before notifying a state AG (Oregon or otherwise) regarding a data breach.
One other amendment also touches service providers. Where previously service providers had to notify business customers “as soon as practicable” after discovering a breach, the amendments set a deadline of 10 days. For some businesses that may seem slow. If so, that is another point to address in contracts.
Addition of User Names to Triggering PI
This round of amendments adds user names, combined with password or other means of authentication, to the list of notice-triggering personal information. This will increase the number of organizations and incidents covered, as any entity that creates some kind of user account for customers will now have to pay attention to data breach issues. That said, this is not an unusual category of triggering information. Many states already include user names as a trigger or are adding them. For reference, Oregon’s existing statute covers personal names combined with social security number, financial account information, and other typical categories of information, as well as biometric information.
Reasonable Security and Federal Compliance
Oregon is among the states that set out, by law, relatively specific expectations around reasonable security for personal information. The existing statute lists a set of 15 administrative, technical, and physical safeguards that can meet the requirement as part of an information security program. The requirements have some flexibility for small businesses of 100 or fewer employees, and there are other ways to comply, including by complying with stricter state or federal data protection laws. Companies can also rely on compliance with the federal Gramm–Leach–Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) regimes to meet their reasonable security obligations under the Oregon statute. The current amendments clarify that compliance with GLBA and HIPAA is an affirmative defense regarding not only personal information covered by those federal laws, but also personal information covered by the state statute and not by the federal law.
A Subtle Change in Naming
Although it has no substantive effect, the amendments change the name of the statute from the “Oregon Consumer Identity Theft Protection Act” to the “Oregon Consumer Information Protection Act.” The new name seems to signal a change in how the legislature conceives of the statute, better capturing its broad application and its protective purpose.
New IoT Security Law
A separate Oregon bill also passed this session with security mandates for connected devices, a.k.a. Internet of Things (IoT) devices. The Oregon connected device security law is largely consistent with California’s new connected device security law, and both take effect January 1, 2020. Both require that manufacturers equip IoT devices with reasonable security features. Under either statute, for devices that can be accessed remotely from outside their local area network, that can mean either setting a unique password for each unit shipped, or requiring end users to set a new password when they first access the device. This is a floor, not a ceiling, and both laws leave room for other security features, as well as for preemption by federal standards.
The point of these laws is to rein in the manufacture and sale of IoT devices that all have the same default password and can be accessed remotely with that universal password. Persistent problems have been reported around malicious remote access to web-connected cameras and other devices that can easily be found through specialized IoT search engines and then accessed by default passwords that users did not think to change. The proliferation of connected devices poses a number of cybersecurity challenges, from spying to botnets, and the Oregon and California bills have been welcomed as steps toward securing that space. The Oregon and California laws do not create private rights of action, but can be enforced by state authorities.
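The two compliant options described above, as an added illustration that is not code from either statute, any regulator, or any device vendor: a hypothetical device login routine that accepts a per-unit factory password (option one) or, when the unit ships on a shared default, refuses all off-LAN logins until a new password has been set (option two). The LAN range, the default string, and the minimum password length are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import secrets
from typing import Optional

# Constructed placeholder standing in for a factory default shared by a whole product line.
SHARED_DEFAULT_PASSWORD = "admin"


def _derive(password: str, salt: bytes) -> bytes:
    # Never store the credential itself; keep a salted PBKDF2 digest on the device.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_factory_unique_password() -> str:
    # Option one: a secret generated per unit at manufacture (e.g. printed on the unit label).
    return secrets.token_urlsafe(12)


class DeviceAuth:
    """Hypothetical firmware login gate: remote access only once the default is gone."""

    def __init__(self, lan_cidr: str, per_unit_password: Optional[str] = None):
        self.lan = ipaddress.ip_network(lan_cidr)  # assumed: the device knows its own LAN
        self._salt = os.urandom(16)
        initial = per_unit_password or SHARED_DEFAULT_PASSWORD
        self._digest = _derive(initial, self._salt)
        # Only a unit that still runs on the shared default is considered "unconfigured".
        self.default_in_use = per_unit_password is None

    def set_password(self, new_password: str) -> None:
        if new_password == SHARED_DEFAULT_PASSWORD or len(new_password) < 12:
            raise ValueError("password must differ from the default and be at least 12 characters")
        self._salt = os.urandom(16)
        self._digest = _derive(new_password, self._salt)
        self.default_in_use = False

    def authorize(self, source_ip: str, password: str) -> str:
        src = ipaddress.ip_address(source_ip)
        if src not in self.lan and self.default_in_use:
            # Off-LAN requests are refused outright while the shared default is in place,
            # even with the correct password: the credential must be replaced from inside
            # the local network first. This is the behaviour the statutes are aiming at.
            return "denied: set a unique password before remote access"
        if not hmac.compare_digest(_derive(password, self._salt), self._digest):
            return "denied: bad credential"
        return "ok"
```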