On June 2, 2018, Oregon’s amended data breach notification law (“the amended law”) went into effect. Among other changes, the amended law broadens the applicability of breach notification requirements, prohibits fees for security freezes and related services provided to consumers in the wake of a breach and adds a specific notification timing requirement.
Key Provisions of the Amended Law Include:
- Definition of Personal Information: Oregon’s definition of personal information now includes the consumer’s first name or initial and last name combined with “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”
- Expanded Scope of Application: Instead of applying only to persons who “own or license” personal information that they use in the course of their business, the amended law now also applies to any person who “otherwise possesses” such information and uses it in the course of their business. It also requires notice when an organization receives a notice of breach from another person that “maintains or otherwise possesses personal information on the person’s behalf.” Persons who maintain or otherwise possess information on behalf of another must “notify the other person as soon as is practicable after discovering a breach of security.”
- Notice Requirements: The amended law adds a new notice deadline. Notice of a breach of security must be given in the “most expeditious manner possible, without unreasonable delay,” and not later than 45 days after discovering or being notified of the security breach. Also, while the amended law exempts entities that are required to provide breach notification under certain other requirements (e.g., federal laws such as HIPAA), such entities are now required to provide the Attorney General with any notice sent to consumers or regulators in compliance with such other requirements.
- Providing Credit Monitoring Services: If organizations offer consumers credit monitoring services or identity theft prevention or mitigation services in connection with their notice of a breach, they cannot make those services contingent on the consumer providing a credit or debit card number, or accepting another service that the person offers to provide for a fee. The terms and conditions of any contract for the provision of these services must embody these requirements.
- Prohibiting Fees for Security Freezes: Under the amended law, consumer reporting agencies are prohibited from charging a consumer a fee for “placing, temporarily lifting or removing a security freeze on the consumer’s report,” creating or deleting protective records, placing or removing security freezes on protected records, or replacing identification numbers, passwords or similar devices that the agency previously provided.