On May 24, 2019, Oregon Governor Kate Brown signed into law Senate Bill 684 (SB 684). SB 684 amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by extending data breach notification obligations to vendors and by broadening the definition of “personal information” to include information used to access an online account.
SB684 extends breach notification obligations to “vendors,” defined as entities who contract with a covered entity to “maintain, store, manage, process or otherwise access personal information.” Such vendors must now notify covered entities no later than 10 days after discovering a breach, and must also notify the Oregon Attorney General of breaches affecting more than 250 Oregon residents, or if the vendor cannot determine the number that were affected, unless a covered entity has already notified the Attorney General of the breach. SB 684 also broadens the definition of “personal information” to include user names and passwords or similar means to access an individual’s account.
The changes go into effect January 1, 2020.