Updates to the Oregon Data Breach Notification Law and Information Security Law

Oregon state governor Kate Brown just signed Senate Bill (SB 1551) last month to update several regulations including Oregon’s Breach Notification Law (O.R.S. 646A.604) and Information Security Law (O.R.S. 646A.622). The update in the law will take effect on June 2018. What are the updates in the recently signed bill?

There were several definition updates. One is the definition of the person to whom the Oregon data breach notification law applies. In the past, a person is only defined as one who owns or license personal information. Now, a person refers to any individual, public or private corporation, partnership, cooperative, estate, association, limited liability company, organization or entity. It does not matter if the referred entity was organized as a public body or makes profits (see ORS 174.109).

A data breach is now defined as “the unauthorized acquisition of electronic data that materially compromises the confidentiality, security or integrity of personal information.”

The expanded definition of personal information now includes the first name or first initial and last name plus any of these data elements:

  • Driver’s license number
  • Social Security number
  • Passport number
  • State ID card number issued by the Department of Transportation
  • Other U.S. identification numbers
  • Biometric data including iris and retina scans and fingerprints, which are used for authenticating transactions
  • A health insurance policy number or subscriber ID number combined with any unique identifier that identifies a person
  • Medical histories
  • Information on mental or health conditions
  • Financial details that include an access code or passwords that would allow an unauthorized access of a person’s financial account

The updated law now observes a maximum time frame of 45 days from the day of discovering the breach for sending notifications to data breach victims. Issuance of notifications must be without reasonable delay except upon the request of law enforcement to avoid obstruction of an investigation.

When an entity is covered by HIPAA law, it is exempt from the state law of 45-day data breach notification deadline. It can follow HIPAA’s 60-day deadline to issue notifications. When sending breach notices to impacted individuals, the Oregon attorney general must have a copy of the breach notice also if there are over 250 individual breach victims.

In case of a breach, the entity is now required to offer credit monitoring services and identity theft protection services. And it must not be conditioned with the acceptance of other paid services or the provision of a debit or credit card. In case of a breach of personal information, the breached entity is not required to provide the same services.

The updated Information Security Law, O.R.S. 646A.622, requires a person with control  over  or access  to the personal information of consumers, which is used in the course of the person’s business, vocation, occupation or volunteer activities” to implement reasonable safeguards to protect the integrity, confidentiality and security of personal information. HIPAA-covered entities are deemed compliant to this law if in compliance with HIPAA 45 C.F.R. 160 and 164.