Oregon
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Within 45 days
FINES & PENALTIES – Violations
$1,000 – $500,000 per violation

Regulation Levels
- Breach Reporting
- Consumer Notification
- Vendor Management
- Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Oregon Privacy Law Information
Vendors must have the same level of security and protection for personal information as Organizations, including a program for protection and security with administrative, technical and physical safeguards. The information security program includes requirements for the secure disposal of personal information when it is no longer needed for business purposes or as required by law. An Organization contracted with a record destruction vendor is considered in compliance with the requirement if the vendor provides the same level of data protection and security. Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect the personal information of the Organization. Organizations and their contracted Vendors must develop, implement and maintain an information security program to protect the personal information they possess and access. Documentation must be maintained for at least 5 years if it is reasonably determined that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. Vendors must have the same safeguards in place during data disposal. Data disposal vendors must be contracted. Organizations may be fined or penalized for Vendor violations.
Breach reporting must be made to all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis if the breach affects more than 1,000 Oregon residents. Notification to the Attorney General is required when 250 or more residents are affected. Breach notifications to any affected Oregon residents must be made within 45 days of discovery of a breach.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
If a contracted Vendor who experiences a breach of security affecting more than 250 Oregon residents (or if the Vendor cannot determine the number affected) finds that the Organization has not provided breach notification to the Attorney General, the Vendor must complete the breach notification. If a contracted vendor experiences a breach or suspected breach of security, they must notify the data owner within 10 days of discovering the breach.
The State Attorney General may publish the name of the breached entity and corresponding information.
Oregon Statutes and Laws
Student education records
Right of inspection and review of education records
Oregon consumer information protection act
Notice of breach of security
Requirement to develop safeguards for personal information
Powers of director, penalties
Patient’s access to medical records
DISCLAIMER
The information provided is not legal guidance or a recommendation and is for informational purposes only.