Oregon Amends Provisions Regarding Security Breaches

The state of Oregon amended its provisions regarding security breaches that involve personal information. These provisions are effective on January 1, 2020.

The amendment defines “covered entity” as “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” “Covered entity” does not include a person described above to the extent that the person acts solely as a vendor.

A “vendor” is defined under the amendment as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

The amendment requires vendors that provide services to covered entities to notify the covered entity of a breach of security as soon as is practicable but not later than 10 days after discovering a breach of security or having reason to believe that the breach of security occurred.

A vendor who has a contract with another vendor that, in turn, has a contract with a covered entity, is required to notify the other vendor of a breach of security as soon as is practicable but not later than 10 days after discovering a breach of security or having reason to believe that the breach of security occurred.

The amendment requires a vendor to notify the Attorney General in writing or electronically if the vendor was subject to a breach of security that involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

The amendment specifies exemptions for certain covered entities that are subject to other laws governing protections and disclosures such as the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

The amendment also provides that a covered entity or vendor in an action or proceeding may defend against an allegation that the covered entity or vendor has not developed, implemented and maintained reasonable safeguards to protect the security, confidentiality and integrity of personal information by showing that the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information.

Rhona Kyeyune, LLM, is a regulatory compliance consultant with CLA. She is a graduate of Makerere University and earned her master of laws at Boston University School of Law.
