Oregon Breach Notification Law Now Applicable

by Ryan Coyne | Jan 12, 2016

Organizations operating in Oregon must now adhere with a new data breach law that came into effect on January 1, 2016. If a data breach that exposes the personal information of more than 250 state residents is experienced, a breach notice must be filed to the Oregon Attorney General.

On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) amending the Oregon Consumer Identity Theft Protection Act of 2007. The amendment widened the definition of “personal information” to include biometric information such as a retina or iris images and fingerprints, as well as medical and health insurance information.

Other data defined as personal information include Social Security numbers, government ID numbers, Driver’s license numbers and financial data including credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name or last name and initial means a breach notice to be issued. Oregon is one of a few states that needs a breach notice to be issued even if a person’s name is not exposed, if there is potential for a person to be identified by the exposed data.

Under Oregon law, a data breach is classeed as “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that an entity maintains.”

According to the new Oregon breach notification law, if a data breach is experienced which affects more than 250 state residents, a breach notice must be filed electronically via a new website created specifically to record data breaches, similar to that put in place by the California Attorney General.

In addition to displaying the date that the violation was suffered, the date that the breach was reported to the attorney general, and the date breach notifications were issued to consumers is also displayed on the website.

The site can be used by consumers to find organizations that have suffered data breaches that have affected Oregon residents and see whether organizations have reported those breaches properly.

Oregon attorney general Ellen Rosenblum recently thanked the 2015 Oregon Legislature for introducing the new law, which will ensure that state residents’ personal data is better protected.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter