Oregon Gov. Kate Brown recently signed into law amendments to the state’s data breach law. These amendments recognize the growing definition of data, expand the role of the Attorney General in addressing data breaches, provide a consumer notification exemption for entities covered under the federal Health Insurance Portability and Accountability Act (HIPAA) and raise the threshold for consumer notification.  The new law goes into effect on January 1, 2016, and key changes include:

  • Expanding the definition of personal information to include a consumer’s biometric, medical and health insurance information;
  • Requiring individuals or entities who own or license personal information to provide notice of a data breach to the Attorney General in the event the individual or entity must notify more than 250 consumers;
  • Providing an exemption to the consumer notification requirements for entities covered under HIPAA, so long as the entity provides the Attorney General with a copy of the notice sent to consumers or the entity’s primary functional regulator; and
  • Raising the threshold for customer notification, where notification is not required if the customer is “unlikely to suffer harm.”

The statutory scheme applies to any individual or entity that conducts business in Oregon and who owns or licenses personal information.

Personal Information

The amendments expand the definition of “personal information” — recognizing not only the changing definition of data, but addressing the increasing use and theft of such data. The definition of personal information under the amendments will protect a wider range of data, including biometric, medical and health insurance information, which was not previously covered by the law. As a result, more entities doing business in Oregon will be subject to Oregon’s data breach law. Those doing business in Oregon need to consider whether they own or license these categories of information and if so, assess the company’s privacy and data breach preparedness procedures to confirm compliance with the statutory requirements.

Role of Attorney General

The Attorney General office has been inserted into the equation by requiring notification in the event of a data breach, employing tools to better track data breaches and enforcing violations of the data breach law under the amendments.

The amendments mandate notice to the Attorney General when more than 250 consumers must be notified under the data breach law, and the Attorney General’s office must be notified without unreasonable delay. The amendments also provide that the Attorney General may bring an enforcement action pursuant to the Unfair Trade Practices Act against any individual or entity subject to, and in violation of, the data breach law. Currently, the data breach law grants enforcement authority solely to the Department of Consumer and Business Services, which has been relatively inactive in bringing enforcement actions, having conducted only three such actions as of May 2015. As a result of these changes, there is likely to be an uptick in enforcement actions.

Consumer Notification Threshold

Currently, the data breach law requires notification unless it is determined after an appropriate investigation that there is “no reasonable likelihood of harm.” Under the amendments, individuals or businesses will not need to provide notice to consumers if the consumer is “unlikely to suffer harm” as a result of a data breach. With this change, entities subject to the data breach law will not have to provide notice to customers if the harm is determined to be unlikely, setting a lower threshold than the current law.

Finally, those covered by the data breach law should monitor enforcement actions to see how the Attorney General interprets this new standard. Keep in mind that under the current statute and unaffected by the amendments, entities that own, maintain or otherwise possess protected data must develop, implement and maintain reasonable safeguards to maintain the security and integrity of the data. Companies who have not done so and experience a breach may be more likely to face an enforcement action.