Data Breach Notification and Information Security Laws Refreshed in Oregon

by Patrick Kennedy | Apr 10, 2018

Oregon has revised its data breach notification law to strengthen protections for state residents whose personal information is exposed in a data breach. Governor Kate Brown signed Senate Bill 1551 (SB 1551) in March 2018. The bill updates several statutes, most notably Oregon's Breach Notification Law, O.R.S. 646A.604, and its Information Security Law, O.R.S. 646A.622. The changes take effect in June 2018.

Before the update, Oregon's data breach notification law applied only to persons who own or license personal information. The update broadens the definition of a "person" to "an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109."

A breach of security is defined as "an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains."

The definition of personal information has also been updated. It covers a first name or first initial and last name in combination with any of the following data elements:

  • Social Security number
  • Driver's license number
  • State identification card number issued by the Department of Transportation
  • Passport number
  • Other U.S.-issued identification number
  • Biometric data from automatic measurements of physical characteristics (such as iris or retina scans and fingerprints) that are used to authenticate transactions
  • A health insurance policy number or client identification number, together with any unique identifier that can be used to identify a person
  • Information about a person's mental or physical health condition
  • Medical records
  • Financial account information, including any access code or password that would allow an unauthorized person to access a financial account

Timely notification was already required when personal information was exposed or stolen in a security breach, but the update adds a hard deadline. Notifications must be issued without unreasonable delay and in any case no later than 45 days after the breach is discovered. Notification may be delayed at the request of law enforcement if issuing it would impede a criminal investigation.

Although the state law's definition of personal information overlaps with the definition of protected health information under HIPAA, HIPAA-covered entities are exempt from the 45-day notification deadline. They are deemed compliant with that part of the state law if they meet the requirements of the HIPAA Breach Notification Rule and issue notifications no later than 60 days after discovery of the breach. All breached entities, HIPAA-covered entities included, must send a copy of the consumer breach notice to the Oregon Attorney General if the breach affects more than 250 people.

The update also adds a requirement that, where credit monitoring or identity theft protection services are offered to affected individuals, those services must not be conditioned on the individual accepting any other fee-based service, and must not require the individual to provide credit or debit card details. The law does not, however, require a breached entity to provide these services at all.

The change to the Information Security Law, O.R.S. 646A.622, requires "a person that owns, maintains or otherwise possesses, or has control over or access to, data that includes a consumer's personal information that the person uses in the course of the person's business, vocation, occupation or volunteer activities" to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that personal information.

HIPAA-covered entities are deemed compliant with that part of O.R.S. 646A.622 provided they comply with the HIPAA regulations at 45 C.F.R. Parts 160 and 164.


Patrick Kennedy

Patrick Kennedy is a journalist and editor with nearly two decades of experience. He has managed teams of writers and overseen the production of content to professional standards. His area of specialization is compliance, particularly the Health Insurance Portability and Accountability Act (HIPAA), on which he has authored numerous articles covering its implications for various industries. Patrick holds a bachelor's degree from the University of Limerick and a master's degree in journalism from Dublin City University. You can contact Patrick through his LinkedIn profile:
