Along with the California Consumer Privacy Act, the new year brought us a trio of updated breach notification laws, in Oregon, Texas and Illinois. The Oregon law is of the most interest because it is the first to require that vendors notify the state’s attorney general of breaches in some cases. It also requires a vendor to notify a data owner within 10 days of discovering a breach. These new requirements could alter the typical relationship that data owners and vendors develop contractually, and organizations should examine how they expect to interact with their business partners in light of the new law.
New Vendor Notice Requirements
The amendments now clearly differentiate between “covered entities” (virtually any person or organization that collects data) and “vendors” that provide data services to those entities. The law’s first vendor requirement is generally consistent with most service contracts and other state laws that address vendor responsibilities: Once a vendor “discovers a breach of security or has reason to believe that a breach of security has occurred,” it must notify the covered entity within 10 days, or sooner if practicable. But the amendments go further and now require vendors to notify the Oregon attorney general of breaches affecting more than 250 Oregon residents (or where the number of affected residents cannot be determined), unless the covered entity “has notified” the attorney general. The vendor is not required to notify individuals; that requirement is imposed only on the covered entity.
Covered Entity Notice Requirements
The updated law retains Oregon’s 45-day deadline for covered entities to notify individuals and, where more than 250 residents are affected, the attorney general (the 45 days begin after the covered entity discovers or receives notice of the breach).
The amendments retain Oregon’s exemptions for breaches covered by federal regulations, including those concerning healthcare or financial institutions. The law retains a requirement to notify the attorney general of an exempted incident, but helpfully clarifies that this notice is required only if the incident involves more than 250 Oregon residents.
Implications for Vendor – Covered Entity Interactions
Oregon’s new vendor notice requirement may complicate covered entities’ interactions with their vendors during a breach. A covered entity that wishes to maintain messaging control should clarify its intention to provide notice of an incident in the vendor’s place, as allowed by ORS 646A.604(2)(c), and confirm that the vendor will not submit a separate notice. Covered entities may also want to ensure their vendor contracts allow them to maintain control of messaging in light of this new provision.
A vendor that notifies a covered entity of a breach, on the other hand, must now presumably monitor the covered entity's notification process to confirm that it makes the required notice to the attorney general (which is what relieves the vendor of its own notice obligation). If the covered entity fails to notify the attorney general, the vendor may need to (1) press the covered entity to complete notice or (2) make its own notice to the attorney general. Notably, the statute prescribes no time period for a vendor's report to the attorney general.
Limited Affirmative Defenses
The new amendments also include (in two painfully worded sections) a remarkably limited affirmative defense for a company that complies with security requirements imposed by other state or federal regulation (e.g., GLBA or HIPAA) and wishes to argue that its compliance with that regulation satisfied the requirements in the Oregon statute. Although limited, these provisions will help some state or federally regulated entities such as healthcare institutions and banks that wish to apply consistent safeguards across all their data. Any entity expecting to rely on this defense should examine its limitations closely.
Don’t Forget Texas and Illinois …
By comparison with Oregon’s update, the notification amendments in Illinois and Texas are relatively minor, with both states joining their peers that require notice to the state attorney general when a specific threshold is met. Illinois law now requires notice to the attorney general of a breach affecting more than 500 residents. Texas law requires notice to the state attorney general when the breach involves 250 or more residents.