The Constangy Cyber Team tracks the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide succinct summaries of the essential aspects of the consumer and regulatory notification obligations in each jurisdiction. Please contact us with any questions, or if you need assistance with the consumer notification or regulatory reporting process.

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


Oregon

Data Breach Notification Statute

Highlights

Covered Entities: An individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or public body as defined in O.R.S. § 174.109 that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation, or volunteer activity.

Consumer Notification: Notification must be provided to any Oregon resident whose computerized personal information was acquired without authorization.

Regulatory Notification: Notification must be provided to the Oregon Attorney General where the number of Oregon residents to be notified “exceeds 250.”

Notification Timeline: Notification must be provided “in the most expeditious manner possible, without unreasonable delay, but not later than 45 days” after discovering or receiving notification of a “breach.”

Data Format: Electronic.

Citations: O.R.S. §§ 646A.600–646A.628

More Details

Definitions:

  • Breach: Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information.
  • Personal information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver license or state identification card number issued by the Department of Transportation;
      • Passport number or other identification number issued by the United States;
      • Financial account or payment card number plus a security code, access code, or password that would permit access to a financial account, or any information or combination of information that a person reasonably knows or should know would permit access to a financial account;
      • Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, used to authenticate the individual’s identity in the course of a financial or other transaction;
      • Health Insurance Information, as defined below; or
      • Medical Information, as defined below.
    • A username or other means to identify the individual for the purpose of permitting account access in combination with any method necessary to authenticate the individual; or
    • Any of the listed data elements when not combined with a name if (i) the data element(s) is not rendered unusable by encryption, redaction or other methods; and (ii) the data element(s) would enable a person to commit identity theft.
  • Medical Information: Any information regarding medical history, mental or physical condition, or a health care professional’s medical diagnosis or treatment.
  • Health Insurance Information: A health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier used for identification by a health insurer.

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted and the encryption key was not also acquired, or where the PI was redacted or otherwise rendered unusable. Encrypted PI acquired together with its key does not qualify for this safe harbor.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of the covered entity, if the PI is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
  • Risk of Harm: Notification is not required if, after an appropriate investigation or consultation with relevant federal, state or local law enforcement agencies, the covered entity reasonably determines that the individuals whose PI was subject to the “breach” are unlikely to suffer harm. This determination must be documented in writing and maintained for at least 5 years.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests the delay in writing.

Direct Notice:

  • Timing: Notification must be provided “in the most expeditious manner possible, without unreasonable delay, but not later than 45 days” after discovering or receiving notification of a “breach.” Before providing notice, the covered entity must undertake reasonable measures necessary to: (a) determine sufficient contact information for affected individuals; (b) determine the scope of the breach; and (c) restore the reasonable integrity, security, and confidentiality of the PI.
  • Format: N/A
  • Content: Notification letters must include, at a minimum, the following:
    • A general description of the breach;
    • The approximate date of the breach;
    • The types of PI that were subject to the breach;
    • Contact information for the covered entity;
    • Contact information for national consumer reporting agencies; and
    • Advice to the consumer to report suspected identity theft to law enforcement, including the Oregon Attorney General and the Federal Trade Commission.
  • Method: Notice may be: (1) in writing; (2) electronically, if the covered entity customarily communicates with the Oregon resident electronically, or if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001; (3) by telephone, if the covered entity contacts the individual directly; or (4) by substitute notice.

Substitute Notice:

An entity may provide substitute notice if (1) the cost of direct notice would exceed $250,000; (2) the number of Oregon residents to be notified exceeds 350,000; or (3) the entity does not have sufficient contact information. Substitute notice must include (1) conspicuously posting the notice, or a link to the notice, on the entity’s website; and (2) notifying major statewide television and newspaper media.

Remediation Services:

If a covered entity, agent, or affiliate offers credit monitoring services or identity theft prevention and mitigation services free of charge to an Oregon resident in connection with a notification made under this section, the offer may not be conditioned on (1) the resident providing the entity, agent, or affiliate with a payment card number or (2) the resident accepting any other service offered by the entity for a fee. If the covered entity, agent, or affiliate also offers additional remediation services for a fee in these circumstances, the offer must separately, distinctly, clearly, and conspicuously disclose that the resident will be charged for those services.

Regulatory Notice:

Notification must be provided to the Oregon Attorney General where the number of Oregon residents to be notified “exceeds 250.”

Credit Reporting Agencies Notice:

Notification must be provided to all nationwide consumer reporting agencies where more than 1,000 Oregon residents are to be notified.

Third-Party Notice:

A vendor must notify the covered entity “as soon as practicable but not later than 10 days” after discovering a “breach” or having reason to believe that a “breach” occurred. A sub-vendor must notify its vendor, which in turn must notify the covered entity, each in the same manner. A vendor that suffers a “breach” must also notify the Attorney General if the number of affected Oregon residents exceeds 250 or cannot be determined.

HIPAA:

These notification requirements do not apply to a covered entity or vendor that complies with the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009, where PI subject to O.R.S. §§ 646A.600–646A.628 is also subject to those Acts. Such a covered entity or vendor must nevertheless provide the Oregon Attorney General, within a reasonable time, with a copy of any notice sent to its primary or functional regulator if the “breach” affects more than 250 Oregon residents.

Private Action:

N/A

Associated Regulations:

  • Or. Admin. Code § 441-646-0020

Comprehensive Data Privacy Law

Oregon Consumer Privacy Act

Enrolled Senate Bill 619

Highlights

Applicability:

Entities that conduct business in Oregon or provide products or services to Oregon residents, and that control or process the Personal Data of:

  • At least 100,000 consumers (other than Personal Data processed solely to complete a payment transaction); or
  • 25,000 or more consumers, while deriving at least 25% of annual gross revenue from selling Personal Data.

Among other exemptions, the OCPA excludes:

  • State government bodies;
  • Activities related to evaluating a consumer’s creditworthiness or personal information conducted in accordance with the provisions of the Fair Credit Reporting Act (“FCRA”);
  • Financial institutions or their affiliates;
  • Health data covered under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009;
  • Personal information relating to an entity’s employees;
  • Insurers (such as producers, consultants, or third-party administrators);
  • Nonprofit organizations focused on detecting and preventing insurance fraud, and those that provide programming to radio or television networks;
  • Noncommercial activities of individuals connected to newspapers, magazines, or general circulation publications; and
  • Noncommercial activities of entities that provide information services (such as radio or television stations).

Note that the OCPA does generally apply to nonprofit organizations, with certain exceptions.

Controller Obligations:

OCPA requirements include the following.

  • Provide a privacy notice with certain specified content;
  • Limit the processing of personal data to that which is reasonably adequate, relevant and necessary for the purposes of the processing;
  • Establish a secure and reliable means for consumers to exercise their privacy rights under the law;
  • Obtain a consumer’s consent to process sensitive data;
  • Enter into contracts with its processors;
  • Conduct and document data protection assessments before engaging in processing activities that present a heightened risk of harm;
  • Establish and maintain safeguards to protect personal data, such that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data;
  • Not discriminate against a consumer for exercising any rights granted by the OCPA; and
  • Provide an effective means by which a consumer may revoke consent they previously provided.

Consumer Rights:

Controllers must respond to authenticated consumer requests without undue delay and not later than 45 days after receipt (extendable once by a further 45 days where reasonably necessary). The requests concern the processing of Personal Data and Sensitive Data and include consumers’:

  • Right to request deletion of Personal Data;
  • Right to access Personal Data;
  • Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
  • Right to correct inaccurate Personal Data;
  • Right to opt out of Personal Data sales, targeted advertising, and profiling in furtherance of decisions producing legal or similarly significant effects;
  • Right to obtain the following from a Controller:
    • Confirmation that the controller is processing or has processed the consumer’s Personal Data, and the categories of Personal Data that have been or are being processed;
    • A list of the specific third parties, other than natural persons, to which the controller has disclosed the consumer’s Personal Data; and
    • A copy of the Personal Data that the controller has processed or is processing.

More Details

Definitions:

  • Child: An individual under the age of 13.
  • Consumer: A natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context.
  • Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data.
  • Personal Data: Data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household. Personal Data excludes: de-identified data or data that (a) is lawfully available through federal, state, or local government records or through widely distributed media; or (b) a controller reasonably has understood to have been lawfully made available to the public by a consumer.
  • Profiling: An automated processing of Personal Data for the purpose of evaluating, analyzing, or predicting an identified or identifiable consumer’s economic circumstances, health, personal preferences, interests, reliability, behavior, location, or movements.
  • Processor: A person that processes Personal Data on behalf of a controller.
  • Sale of Personal Data: The exchange of Personal Data for monetary or other valuable consideration by the Controller to a third party. The OCPA excludes the following disclosures from this definition:
    • A disclosure of Personal Data to a Processor;
    • A disclosure of Personal Data to an affiliate of the Controller;
    • A disclosure of Personal Data to a third party to enable the controller to provide a requested product or service to the consumer;
    • A disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the Controller’s assets;
    • A disclosure occurring because a consumer: (i) directs the controller to conduct the disclosure; (ii) intentionally discloses Personal Data in the course of directing a controller to interact with a third party; or (iii) intentionally discloses the Personal Data to the public by means of mass media, if the disclosure is not restricted to a specific audience.
  • Sensitive Data: Personal Data that: (i) reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental/physical health condition or diagnosis, sexual orientation, status as transgender or non-binary, status as a victim of a crime, or citizenship/immigration status; (ii) is a child’s Personal Data; (iii) accurately identifies within a radius of 1,750 feet of a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, GPS providing latitude and longitude coordinates; or (iv) is genetic or biometric data.

Penalties:

Violations of the OCPA may be enforced by the Oregon Attorney General. The maximum civil penalty is $7,500 per violation.

Private Action:

None.

Associated Regulations:

None.

Effective Date:

Most OCPA sections take effect on July 1, 2024; the Act applies to nonprofit organizations beginning July 1, 2025.

Information Security Standard

Highlights

Covered Entities: An entity that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information (“PI”) in the course of the person’s business, vocation, occupation or volunteer activities.

First Party Security Standard: A covered entity and a vendor must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of PI, including safeguards that protect the PI when the covered entity or vendor disposes of the PI.

Third Party Security Standard: A business that discloses PI about an Oregon resident pursuant to a contract with a nonaffiliated vendor must require by contract that the vendor implement and maintain reasonable security procedures and practices to protect the PI.

Disposal/Destruction Standard: A covered entity or vendor must take reasonable steps to dispose of PI, or arrange for its disposal, once the PI is no longer to be retained, by (a) burning, (b) pulverizing, (c) shredding, or (d) modifying a physical record, and by destroying or erasing electronic media, so that the PI cannot be read or reconstructed.

Data Format: Electronic and physical.

Citations: O.R.S. §§ 646A.602, 646A.622, 646A.624

More Details

Definitions:

  • Personal Information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver license or state identification card number issued by the Department of Transportation;
      • Passport number or other identification number issued by the United States;
      • Financial account or payment card number plus a security code, access code, or password that would permit access to a financial account, or any information or combination of information that a person reasonably knows or should know would permit access to a financial account;
      • Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, used to authenticate the individual’s identity in the course of a financial or other transaction;
      • Health Insurance Information, as defined above under the Data Breach Notification Statute; or
      • Medical Information, as defined above under the Data Breach Notification Statute.
    • A username or other means to identify the individual for the purpose of permitting account access in combination with any method necessary to authenticate the individual; or
    • Any of the listed data elements when not combined with a name if (i) the data element(s) is not rendered unusable by encryption, redaction or other methods; and (ii) the data element(s) would enable a person to commit identity theft.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Methods of Compliance:

Under the statute, a covered entity or vendor is deemed to have implemented reasonable security procedures and practices if it does any of the following:

  • Complies with a state or federal law that provides greater protection to PI than the protections granted here.
  • Complies with Title V of the Gramm-Leach-Bliley Act of 1999 (“GLBA”), if PI is also subject to the GLBA.
  • Complies with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), if PI is also subject to HIPAA and/or HITECH.
  • Implements an information security program that includes:
    • Administrative safeguards such as:
      • Designating one or more employees to coordinate the security program;
      • Identifying reasonably foreseeable risks with reasonable regularity;
      • Assessing whether existing safeguards adequately control the identified risks;
      • Training employees in security program practices and procedures regularly;
      • Selecting service providers capable of maintaining appropriate safeguards and practices, and requiring the service providers by contract to maintain the safeguards and practices;
      • Adjusting the security program in light of business changes, potential threats or new circumstances; and
      • Reviewing user access privileges with reasonable regularity;
    • Technical safeguards such as:
      • Assessing and timely addressing risks and vulnerabilities in network and software design;
      • Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;
      • Monitoring, detecting, preventing and responding to attacks or system failures; and
      • Regularly testing, monitoring and taking action to address the effectiveness of key controls, systems and procedures; and
    • Physical safeguards such as:
      • Assessing risks of information collection, storage, usage, retention, access and disposal and implementing reasonable methods to remedy or mitigate identified risks;
      • Monitoring, detecting, preventing, isolating and responding to intrusions timely and with reasonable regularity;
      • Protecting against unauthorized access to or use of PI in the covered entity’s possession or that is its responsibility; and
      • Disposing of PI, whether on or off the covered entity’s or vendor’s premises or property, after the covered entity or vendor no longer needs the PI for business purposes or is no longer required by law to retain it, by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the PI cannot be read or reconstructed.
  • The covered entity or vendor contracts with another person engaged in the business of record destruction to dispose of PI in a manner that is consistent with these requirements.
  • A person that is an owner of a small business (a business with 100 or fewer employees) is compliant if the PI security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.

Exclusions:

N/A

Enforcement/Penalties:

Any covered entity or vendor who violates, or who procures, aids, or abets in the violation of this statute is subject to a penalty not to exceed $1,000 per violation. Every violation is a separate offense and, in the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence must not exceed $500,000.

Associated Regulations:

N/A
