Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

Oregon Extends Data Breach Notification Requirements to Include Third-Party Vendors

By Hunton Andrews Kurth LLP on June 6, 2019
Email this postTweet this postLike this postShare this post on LinkedIn

On May 24, 2019, Oregon Governor Kate Brown signed Senate Bill 684 (the “Bill”) into law. The Bill, which takes effect January 1, 2020, amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by enhancing the breach notification requirements applicable to third-party vendors.

Previously, OCITPA required any entity, public or private, that “owns, licenses, maintains, manages, collects, processes, acquires or otherwise possesses personal information” in the course of business to notify affected Oregon consumers as well as the Oregon Attorney General following a data breach. The Bill extends those obligations to “vendors,” meaning any person with which a previously covered entity contracts to maintain, store, process or otherwise access personal information.

The Bill requires vendors to notify the Oregon Attorney General of any breach of security involving the personal information of 250 or more Oregon residents in the most expeditious manner possible and no later than 45 days after discovering the breach. Additionally, the vendor must notify the covered entity with which the vendor has a contract as soon as possible and no later than 10 days after discovering the breach. Notably, the vendor is not required to give notice to the Attorney General if the covered entity has already done so.

The Bill also expands the definition of “Personal Information” covered by OCITPA to include a user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

Finally, the Bill provides that entities or vendors holding data in compliance with the federal Health Insurance Portability and Accountability Act or Gramm-Leach-Bliley Act are exempt from the state law’s breach notification requirements.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Privacy & Information Security Law Blog
  • Organization:
    Hunton Andrews Kurth LLP

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
Library at LexBlog
  • About LexBlog
  • The Field We Built
  • Library at LexBlog
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo