Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. Governor Kate Brown signed Senate Bill 1551 (SB 1551) last month; the bill updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604, and Information Security Law, O.R.S. 646A.622. The updates take effect in June 2018.
Prior to the update, Oregon’s data breach notification law applied only to persons who own or license personal information. The law now defines a person as “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.”
A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”
The definition of personal information has been expanded to include a first name or first initial and last name, in combination with any of the following data elements:
- Social Security number
- Driver’s license number
- State identification card number from the Department of Transportation
- Passport number
- Other U.S. identification numbers
- Data from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to authenticate transactions
- A health insurance policy number or subscriber ID number in combination with any unique identifier that can identify an individual
- Details of mental or health conditions
- Medical histories
- Financial information that includes an access code or passwords that would permit an unauthorized individual to gain access to the financial account
Timely notifications were already required when personal information was exposed or stolen as a result of a security breach, but there is now a maximum time frame for issuing them. Notifications must be issued without unreasonable delay, and no later than 45 days after the discovery of a breach. Notifications may be delayed at the request of law enforcement if issuing them would impede an investigation.
There is some overlap between the definition of personal information under state law and the definition of protected health information under HIPAA. HIPAA-covered entities are exempt from the 45-day breach notice deadline and are deemed to be in compliance with that aspect of state law if they meet the requirements of the HIPAA Breach Notification Rule and issue notifications no later than 60 days after the discovery of a breach. All breached entities, including HIPAA-covered entities, must send a copy of the consumer breach notice to the Oregon attorney general if the breach affects more than 250 individuals.
The update also introduces the requirement that, when credit monitoring or identity theft protection services are offered, they cannot be conditioned on the consumer accepting any other service that requires a fee, and the consumer cannot be required to provide a credit or debit card number. The law does not require a breached entity to provide these services in the event of a breach of personal information.
The update to Information Security Law, O.R.S. 646A.622 requires “a person that owns, maintains or otherwise possesses, or has control over or access to, data that includes a consumer’s personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and security of personal information.
HIPAA-covered entities will be deemed to be in compliance with that aspect of O.R.S. 646A.622 provided they are in compliance with HIPAA, 45 C.F.R. Parts 160 and 164.