New Oregon Breach Notification Law Comes Into Effect

Organizations doing business in the state of Oregon must now comply with a new data breach law that came into effect on January 1, 2016. If a data breach is suffered that exposes the personal information of more than 250 state residents, a breach notice must be submitted to the Oregon Attorney General.

On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment expanded the definition of “personal information” to include biometric data such as a retina or iris images and fingerprints, as well as medical and health insurance information.

Other data classed as personal information include Social Security numbers, government ID numbers, Driver’s license numbers and financial information including credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name or last name and initial requires a breach notice to be issued. Oregon is one of a few states that requires a breach notice to be issued even if a person’s name is not exposed, if it would be possible for a person to be identified by the exposed data.

Under Oregon law, a data breach is defined as “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that an entity maintains.”

Under the new Oregon breach notification law, if a data breach is suffered that affects more than 250 state residents, a breach notice must be submitted electronically via a new website created specifically to record data breaches, similar to that created by the California Attorney General.

In addition to displaying the date that the breach was suffered, the date that the breach was reported to the attorney general, and the date breach notifications were sent to consumers is also displayed on the website.

The site can be used by consumers to search for organizations that have suffered data breaches that have affected Oregon residents and see whether organizations have reported those breaches correctly.

Oregon attorney general Ellen Rosenblum recently thanked the 2015 Oregon Legislature for passing the new law, which will ensure that state residents are better protected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.