State Data Breach Notification Updates

Written by: Chase Langhorne, Esq.

Starting on January 1, 2020 amendments to data breach notification statutes in Illinois, Oregon, and Texas take effect.


The Personal Information Protection Act (“PIPA”) requires public and private entities that handle non-public personal information to notify affected Illinois residents following a data breach.

An amendment now requires public and private entities to also notify the Office of the Attorney General of any data breach affecting more than 500 Illinois residents. The notice must include the following information:

  • description of the breach;
  • number of affected Illinois residents; and
  • details regarding any steps taken subsequent to the breach.

Most importantly, the amendment allows the Attorney General to publish the name of the entity together with the types of personal information that have been compromised.


Oregon has imposed a new requirement that has not been implemented by any other state’s data breach notification statute. The amendment requires vendors to notify the Oregon Attorney General of data breaches affecting more than 250 Oregon residents, unless the data owner has already made such a notification. The amendment further requires that the vendor notify the data owner of any breach within 10 days. Upon receipt of that notification, the data owner is required to notify affected Oregon residents within 45 days.

However, the statute does provide for a limited safe harbor for vendors that have “implemented  and maintained reasonable security measures” for personal information subject to the statute.

This presents an issue as many vendor contracts prohibit vendors from making disclosures regarding data breaches, except where required by law. Oregon has placed themselves right in the middle by requiring vendors make such a notification unless the data owner has already done so. Data owners will have to determine whether they wish to make notifications on behalf of the vendor or allow the vendor to make the notification.


Texas has clarified the timeline to notify individuals affected by a data breach from “as quickly as possible” to a definite 60 days from determining a breach occurred. The amendment also adds the obligation to notify the Texas Attorney General if the breach affects at least 250 Texas residents. The notification to the Attorney General must include the following information:

  • a detailed description of the nature and circumstances of the breach;
  • the number of Texas residents affected;
  • the measures taken regarding the breach;
  • any measures intended to be taken regarding the breach; and
  • information regarding whether law enforcement is engaged in investigating the breach.

Leave a comment