Oregon Senate Bill 1551

The Oregon legislature recently amended provisions of its laws related to breaches of security, effective June 2, 2018.

In addition to specifically enumerated information, “personal information” now includes any information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.

If a person owns, licenses or otherwise possesses personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities and that was subject to a breach of security or if the person received notice of a breach of security from another person that maintains or otherwise possesses personal information on the person’s behalf, the person must give notice of the breach of security to the individuals specified by law.

A person that maintains or otherwise possesses personal information on behalf of another person as described above must give the notice in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.  In providing the notice, the person must undertake reasonable measures that are necessary to:

• Determine sufficient contact information for the intended recipient of the notice;
• Determine the scope of the breach of security; and
• Restore the reasonable integrity, security and confidentiality of the personal information.

The notification must now include the contact information for the person that gave the notice.

If notice is required and in connection with the notification the person offers to provide credit monitoring services or identity theft prevention and mitigation services without charge to the consumer, the person may not condition the person’s provision of the services on the consumer’s providing the person with a credit or debit card number or on the consumer’s acceptance of any other service the person offers to provide for a fee.

If a person offers additional credit monitoring services or identity theft prevention and mitigation services for a fee to a consumer under the circumstances described above, the person must separately, distinctly, clearly and conspicuously disclose in the offer for the additional credit monitoring services or identity theft prevention and mitigation services that the person will charge the consumer a fee.

The terms and conditions of any contract under which one person offers or provides credit monitoring services or identity theft prevention and mitigation services on behalf of another person must require compliance with the above requirements.

A person that owns or licenses personal information must provide to the Oregon Attorney General within a reasonable time at least one copy of any notice the person sends to consumers or to the person’s primary or functional regulator in compliance with these provisions or with other state or federal laws or regulations that apply to the person as a consequence of a breach of security.

A person that owns, maintains or otherwise possesses, or has control over or access to, data that includes personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including safeguards that protect the personal information when the person disposes of the personal information.  This includes implementing an information security program that includes:

• Administrative safeguards such as:
  • Designating one or more employees to coordinate the security program;
  • Identifying reasonably foreseeable internal and external risks with reasonable regularity;
  • Assessing whether existing safeguards adequately control the identified risks;
  • Training and managing employees in security program practices and procedures with reasonable regularity;
  • Selecting service providers that are capable of maintaining appropriate safeguards and practices, and requiring the service providers by contract to maintain the safeguards and practices;
  • Adjusting the security program in light of business changes, potential threats or new circumstances; and
  • Reviewing user access privileges with reasonable regularity;
• Technical safeguards such as:
  • Assessing risks and vulnerabilities in network and software design and taking reasonably timely action to address the risks and vulnerabilities;
  • Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;
  • Monitoring, detecting, preventing and responding to attacks or systems failures; and
  • Regularly testing, monitoring and taking action to address the effectiveness of key controls, systems and procedures; and
• Physical safeguards such as:
  • Assessing, in light of current technology, risks of information collection, storage, usage, retention, access and disposal and implementing reasonable methods to remedy or mitigate identified risks;
  • Monitoring, detecting, preventing, isolating and responding to intrusions timely and with reasonable regularity;
  • Protecting against unauthorized access to or use of personal information during or after collecting, using, storing, transporting, retaining, destroying or disposing of the personal information; and
  • Disposing of personal information, whether the person disposes of the personal information on or off the person’s premises or property, after the person no longer needs the personal information for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be ready or reconstructed.