Oregon Breach Notification Law Now Applicable

Organizations operating in Oregon must now adhere with a new data breach law that came into effect on January 1, 2016. If a data breach that exposes the personal information of more than 250 state residents is experienced, a breach notice must be filed to the Oregon Attorney General.

On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) amending the Oregon Consumer Identity Theft Protection Act of 2007. The amendment widened the definition of “personal information” to include biometric information such as a retina or iris images and fingerprints, as well as medical and health insurance information.

Other data defined as personal information include Social Security numbers, government ID numbers, Driver’s license numbers and financial data including credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name or last name and initial means a breach notice to be issued. Oregon is one of a few states that needs a breach notice to be issued even if a person’s name is not exposed, if there is potential for a person to be identified by the exposed data.

Under Oregon law, a data breach is classeed as “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that an entity maintains.”

According to the new Oregon breach notification law, if a data breach is experienced which affects more than 250 state residents, a breach notice must be filed electronically via a new website created specifically to record data breaches, similar to that put in place by the California Attorney General.

In addition to displaying the date that the violation was suffered, the date that the breach was reported to the attorney general, and the date breach notifications were issued to consumers is also displayed on the website.

The site can be used by consumers to find organizations that have suffered data breaches that have affected Oregon residents and see whether organizations have reported those breaches properly.

Oregon attorney general Ellen Rosenblum recently thanked the 2015 Oregon Legislature for introducing  the new law, which will ensure that state residents’ personal data is better protected.