Oregon Statutes 276A.346 – Secretary of State prohibited from using covered products; risk mitigation; exceptions
(1) As used in this section:
Terms Used In Oregon Statutes 276A.346
- Contract: A legal written agreement that becomes binding when signed.
- Corporation: A legal entity owned by the holders of shares of stock that have been issued, and that can own, receive, and transfer property, and carry on business in its own name.
(a) ‘Covered product’ means any form of hardware, software or service provided by a covered vendor.
(b) ‘Covered vendor’ means any of the following corporate entities, or any parent, subsidiary, affiliate or successor entity of the following corporate entities:
(A) Ant Group Co., Limited.
(B) ByteDance Limited.
(C) Huawei Technologies Company Limited.
(D) Kaspersky Lab.
(E) Tencent Holdings Limited.
(F) ZTE Corporation.
(c) ‘State information technology asset’ means any form of hardware, software or service for data processing, office automation or telecommunications used directly by the office of the Secretary of State or used to a significant extent by a contractor in the performance of a contract with the office of the Secretary of State.
(2) Except as provided in subsection (4) of this section, the Secretary of State shall:
(a) Prohibit a covered product from being:
(A) Installed or downloaded onto a state information technology asset; or
(B) Used or accessed by a state information technology asset;
(b) Remove any covered product that is installed or downloaded onto a state information technology asset; and
(c) Implement all measures necessary to prevent the:
(A) Installation or download of a covered product onto a state information technology asset; or
(B) Use or access of a covered product by a state information technology asset.
(3) For any corporate entity that the State Chief Information Officer designates as a covered vendor under ORS § 276A.344, the secretary may:
(a) Prohibit a covered product from being:
(A) Installed or downloaded onto a state information technology asset; or
(B) Used or accessed by a state information technology asset;
(b) Remove any covered product that is installed or downloaded onto a state information technology asset; and
(c) Implement all measures necessary to prevent the:
(A) Installation or download of a covered product onto a state information technology asset; or
(B) Use or access of a covered product by a state information technology asset.
(4) If the secretary adopts risk mitigation standards and procedures related to the installation, download, use or access of a covered product, the secretary may, for investigatory, regulatory or law enforcement purposes, permit the:
(a) Installation or download of the covered product onto a state information technology asset; or
(b) Use or access of the covered product by a state information technology asset. [2023 c.256 § 4]