While much of the New Year attention has been focused on California due to the effective date of the California Consumer Privacy Act, a new Oregon law also went into effect on January 1, 2020 complicating compliance with data breach obligations. The law is unique among state data breach notification laws in that it imposes a direct obligation on vendors to provide regulatory notice to the state. It also requires vendors to provide notice to the data owner within 10 days. This new regulatory notice requirement may take some control away from data “owners” that typically manage (and often contractually demand sole control over) initial regulator communications with regard to incidents impacting their data. However, the new requirement may also incentivize service providers to take more responsibility for incident response.
The amendments to the Oregon data breach notification law require vendors to notify the Oregon Attorney General of data breaches affecting more than 250 Oregon residents, unless the data owner has already provided such notice. Further, if a vendor suffers a data breach affecting Oregon residents, the vendor must notify the party on whose behalf it is storing or processing personal data within 10 days. And upon receipt of such notice of a data breach from a vendor, the data owner must provide notice to affected individuals within 45 days. The law provides, “[i]f a covered entity … receives notice of a breach of security from a vendor, the covered entity shall give notice of the breach of security.”
Imposing these reporting obligations directly on vendors complicates companies’ data breach obligations. Vendor contracts commonly prohibit vendors from publicly disclosing data breaches unless otherwise required by law. Under the new Oregon statute, a vendor may now be directly required to provide regulatory notices, though there is an exception when the data owner has already provided such regulatory notice. What this means in practice is that there may be increased pressure on companies to provide regulatory notices more quickly and any disputes with vendors as to whether there has been a notifiable data breach will carry increased consequences that may turn public.
The Oregon law also specified that covered entities or vendors may have an affirmative defense to certain claims in the event of a data breach if they can show that “with respect to the personal information that is subject to ORS 646A.600 to 646A.628, the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.” This provision picks up on an increasing trend of limited safe harbors for reasonable information security also seen in the formulation of the private cause of action under the CCPA.
In addition to changes in Oregon, and the effective date of the CCPA, the New Year saw updated data breach notification laws in Illinois and Texas, which now require companies to notify the state attorney general of data breaches affecting more than 500 residents and 250 or more residents, respectively.