Third-party vendors hit by hackers have a finite time to notify the company that hired them and, in some cases, must notify the Oregon attorney general, under changes to the state’s data breach notification law.
The measure (SB 684), which takes effect Jan. 1, 2020. Oregon has gone further than other states with notification requirements for entities that maintain personal data on behalf of another entity, according to Bloomberg law analyst Mark Smith.
Vendors must notify the state AG if the breach involved the personal information of more than 250 Oregon residents, or an unknown number of people. The vendor...
For more stories, analysis and expertiseOR Request Trial