NP Privacy Partner
Amended Oregon data protection act expands scope and regulates vendors
On May 20, 2019, an amendment to the Oregon Consumer Identity Theft Protection Act passed unanimously in the Oregon House and Senate, and Governor Kate Brown signed the bill into law on May 24, 2019.  This amendment changed the title of the state’s data protection law to the “Oregon Consumer Information Protection Act.”  It also expanded the scope of the law, updating the types of information considered “personal information” and mandating vendor notification of breaches.

The amendment expands the definition of “personal information” to include user names or other information used to access a consumer’s online account.  Breaches of this information would require notification pursuant to the requirements of the act.

In addition, vendors now are directly regulated under the act. The amendment adds a definition of “covered entity”—a person owning, licensing, maintaining, storing, managing, collecting, processing, acquiring or otherwise possessing personal information in the course of its activities. Persons contracting with such covered entities to maintain, store, manage, process or otherwise access personal information in the course of services provided to or on behalf of a covered entity are deemed “vendors” under the act.

The amendment specifies that vendors who discover a data breach, or who have reason to believe that a breach occurred, must notify the applicable covered entity no later than ten (10) days following discovery.  Subcontractor vendors must notify the vendor with which they contract.  If a breach involved personal information of more than 250 consumers, or if the vendor cannot determine how many consumers are impacted by a breach, the vendor is required to notify the Oregon Attorney General (unless the applicable covered entity has already done so).

Health care organizations and vendors regulated under HIPAA are exempt from the requirements of the act if the breached information is subject to HIPAA and they comply with their obligations under HIPAA. However, they must notify the Oregon Attorney General if the breach impacts more than 250 consumers.

The amendment to the act takes effect on January 1, 2020.


This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP