Oregon passed a bill amending the Consumer Identity Theft Protection Act (CITPA). Under the bill, the definition of “personal information” is expanded to include user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, when combined with any other method necessary to authenticate the user name or means of identification. The bill also requires vendors (i.e., a person that maintains, but does not own or license, personal information) to:
- Notify the entity that owns or licenses the personal information of a security breach no later than 10 days after discovering the breach of security; and
- Notify the attorney general of a security breach if the security breach involved more than 250 Oregon residents (unless the entity that owns or licenses the personal information has already notified the attorney general).
In addition, the bill renames the CITPA to the Consumer Information Protection Act. The bill becomes effective January 1, 2020.
See the Oregon State Legislature website for the full text of the statute:
https://olis.leg.state.or.us/liz/2019R1/Downloads/MeasureDocument/SB684/Enrolled