Oregon has updated its data breach notification statute to broaden the definition of personal information that will trigger notice to individuals and add the requirement to notify the state’s Attorney General of certain breaches. Oregon Governor Kate Brown signed into law SB601 on June 10, and it was enrolled on June 15. The bill updates the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”). The changes to the Act become effective on January 1, 2016 and apply only to data breaches that occur on or after that date.
The expanded definition of “personal information” that will trigger notification of a data breach now includes biometric information (such as an image of a fingerprint, retina or iris that is used to authenticate the consumer’s identity in the course of a financial transaction or other transaction), health insurance and medical information when associated with an individual’s first and last name or first initial and last name. Oregon is also one of the few states that require notice when data elements are not associated with an individual’s name, if they are not encrypted and “the data element or combination of data elements would enable a person to commit identity theft against a consumer.” In addition, the Act was updated to require notice to the Attorney General, either in writing or electronically, if the number of consumers affected by the breach exceeds 250.
The updates to the Act also include the addition of a section that makes a “person’s violation of [the amended Act] an unlawful practice under ORS 646.607.” Oregon’s Attorney General, or the District Attorney of any county in which an unlawful practice is alleged to have occurred, may enforce the Act using enforcement powers specified in Oregon’s Unlawful Trade Practices Act.