Data Breach Notification and Information Security Laws Refreshed in Oregon

Oregon has reviewed its data breach notification law to enhance protections for state citizens whose personal information is exposed in a data breach. Governor Kate Brown signed Senate Bill 1551 (SB 1551) in March. The bill brings several regulations up to date, notably Oregon’s Breach Notification Law, O.R.S. 646A.604, and Information Security Law, O.R.S. 646A.622. The updates will become enforceable in June 2018.

Before the update, Oregon's data breach notification law only impacted people who own or license personal information. With the new update, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.”

A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”

The definition of personal information has also been updated to include a first name or first initial and last name, along with any of the following data elements:

  • Social Security details
  • Driver’s license particulars
  • Department of Transportation issued state identification card
  • Passport number
  • Other U.S. identification details
  • Information from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to complete transactions
  • A health insurance policy number or client ID number along with any unique identifier that can identify a person
  • Details of mental or health conditions
  • Medical records
  • Financial data that includes an access code or passwords that would allow an unauthorized person to access a financial account

While timely alerts were required when personal data was exposed or stolen due to a security breach, there is now a maximum time frame for issuing alerts. Notifications must be sent without unreasonable delay, but no later than 45 days following the identification of a breach. Breach notifications can be delayed at the behest of law enforcement if the issuing of alerts would impede an investigation.

While there is some correlation between the definition of personal information under state legislation and the definition of protected health information under HIPAA, HIPAA-covered bodies are exempt from complying with the 45-day breach notice deadline. They are deemed compliant with that aspect of state legislation if they meet the requirements of the HIPAA Breach Notification Rule and issue notifications no later than 60 days from the identification of a breach. All breached bodies, including HIPAA covered entities, must send a copy of the consumer breach notice to the Oregon attorney general if the breach affects more than 250 people.

The update also introduced the requirement that credit monitoring services and identity theft protection services must not be conditioned on accepting any other services that require a fee to be paid, and neither should require the provision of credit or debit card details. The law does not mean that a breached entity must provide these services in the event of a breach of personal data.

The change to the Information Security Law, O.R.S. 646A.622, requires “a person that owns, maintains or otherwise possesses, or has control over or access to, data that includes a consumer’s personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” to put in place and maintain reasonable security measures to protect the confidentiality, integrity, and security of personal data.

HIPAA-covered bodies will be deemed compliant with that aspect of O.R.S. 646A.622 provided they comply with HIPAA 45 C.F.R. 160 and 164.