On May 24, 2019, Oregon Governor Kate Brown signed Senate Bill 684 (the “Bill”) into law. The Bill, which takes effect January 1, 2020, amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by enhancing the breach notification requirements applicable to third-party vendors.

Previously, OCITPA required any entity, public or private, that “owns, licenses, maintains, manages, collects, processes, acquires or otherwise possesses personal information” in the course of business to notify affected Oregon consumers as well as the Oregon Attorney General following a data breach. The Bill extends those obligations to “vendors,” meaning any person with which a previously covered entity contracts to maintain, store, process or otherwise access personal information.

The Bill requires vendors to notify the Oregon Attorney General of any breach of security involving the personal information of 250 or more Oregon residents in the most expeditious manner possible and no later than 45 days after discovering the breach. Additionally, the vendor must notify the covered entity with which the vendor has a contract as soon as possible and no later than 10 days after discovering the breach. Notably, the vendor is not required to give notice to the Attorney General if the covered entity has already done so.

The Bill also expands the definition of “Personal Information” covered by OCITPA to include a user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

Finally, the Bill provides that entities or vendors holding data in compliance with the federal Health Insurance Portability and Accountability Act or Gramm-Leach-Bliley Act are exempt from the state law’s breach notification requirements.