We received a proposed data breach bill (available here) recently circulated in Salem. This draft is a variant of Oregon House Bill 2581, which died in committee. That bill would have required, among other things, merchants impacted by security breaches to notify issuing banks of all the credit cards subject to the breach.

Compared to HB 2581, the new version makes the following changes:

  • it no longer seeks to impose liability to financial institutions under ORS 646A.604;
  • it does not amend ORS 646A.622, which would have required development of safeguards compliant with security standards of the Department of Consumer and Business Services; and
  • it adds the following language qualifying the reporting requirement: “The person shall notify the financial institution in the most expeditious manner possible, without unreasonable delay, consistent with the legitimate needs of law enforcement described in subsection (3) of this section and consistent with any measures that are necessary to determine sufficient contact information for the affected financial institution, determine the scope of the breach of security and restore the reasonable integrity, security and confidentiality of the personal information.”

We’ll keep you posted on further developments with this legislation.