Oregon’s data breach notification law was recently amended, and starting January 1, 2016, companies that suffer a breach impacting more than 250 consumers in the state must notify the Oregon attorney general. The law also adds to the definition of personal information (which if compromised would constitute a breach) a person’s name and (a) “data from automatic measurements of consumer’s physical characteristics” like fingerprints used to authenticate a consumer’s identity, (b) health insurance policy numbers or subscriber numbers, or (c) information about a consumer’s medical history. The amendment also permits notice by telephone. The amendment applies to breaches that occur after the effective date.

TIP: Oregon is joining a growing number of states requiring notice to attorneys general in the event of a data breach. Companies should keep this in mind for breaches that occur on or after January 1, 2016.