Both States Set New Requirements for Notifying Consumers When a Data Breach Compromises Personal Information

HIGHLIGHTS:

  • Washington’s Engrossed Substitute House Bill 1078 (HB 1078) strengthens general data breach notification requirements, requires a breach notice be given to Washington’s attorney general when the security breach affects more than 500 Washington residents and eliminates the blanket exemption for encrypted data.
  • Oregon’s A-Engrossed Senate Bill 601 (SB 601), an update to the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”), expands the definition of “personal information,” requires an incident notice be given to Oregon’s attorney general when a security breach affects more than 250 Oregon consumers and makes a person’s violation of the Act an “unlawful practice” under Oregon’s Unlawful Trade Practices Act.

Washington and Oregon both recently updated laws that define data security and incident response requirements for breaches of consumers’ personal information. Details of these new requirements for each state are below.

Washington

Washington’s 2015 Law Updates Its Data Breach Statute

On April 23, 2015, Washington Gov. Jay Inslee signed into law Engrossed Substitute House Bill 1078 (HB 1078), an update to Washington’s data breach notification statute, which applies to persons and companies that conduct business in Washington.1

In addition to amendments that clarify the existing statute, HB 1078 strengthens general data breach notification requirements, requires a breach notice be given to Washington’s attorney general when the security breach affects more than 500 Washington residents and eliminates the blanket exemption for encrypted data.

The effective date of the amended statute is July 24, 2015. A similar update applicable to state agencies was made by HB 1078 to the Personal Information section of Washington’s Public Records Act.2 (The section of HB 1078 applicable to state agencies is not addressed in this alert.)

HB 1078 Strengthens Washington’s General Data Breach Notification Requirements

HB 1078 requires that affected Washington residents be provided basic information to help them secure or recover their identities. Breach notices must be written in plain language and must include the following information:

  • the name and contact information of the person or business reporting the breach3
  • a list of the types of personal information that were reasonably believed to have been the subject of the breach4
  • the toll-free telephone numbers and addresses of the major credit reporting agencies5

HB 1078 also requires that breach notifications “be made in the most expedient time possible and without unreasonable delay” but in no event “more than forty-five calendar days after the breach is discovered.”6 However, a breach notice may be given later than 45 calendar days after the breach is discovered “at the request of law enforcement” or if the delay is “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”7

A Breach Notice Must Be Given to Washington’s Attorney General for Security Breaches Affecting More Than 500 Washington Residents

HB 1078 adds a new subparagraph to the current statute. That new subparagraph requires that a breach notice be given electronically to Washington’s attorney general by any person or business that is required to issue a notification to “more than 500 Washington residents.”8 The notice to the attorney general must include a single copy of the notice given to affected Washington residents as well as either the actual or estimated number of Washington residents affected by the breach.9

HB 1078 Eliminates Washington’s Blanket Exemption for Encrypted Data

Prior to the enactment of HB 1078, encrypted personal information fell entirely outside the statute: a breach involving only encrypted data never required notice. HB 1078 removes that blanket exemption. A breach of secured personal information must now be disclosed if “the confidential process, encryption key or other means to decipher the secured information was acquired by an unauthorized person.”10 In practice, this means a breach response must assess not only whether the data was encrypted but also whether the keys or decryption process were themselves exposed.

Washington’s Enforcement System

Any consumer injured by a violation of the current statute “may institute a civil action to recover damages.”11 HB 1078 explicitly authorizes the Washington attorney general to “bring an action in the name of the state, or as parens patriae12 on behalf of persons residing in the state, to enforce” the amended statute.13

What Does This Mean for the Washington Business World?

First, the statute imposes data breach response requirements if “personal information” of a Washington resident is disclosed. HB 1078 did not change the definition of “personal information.” In Washington, “personal information” remains “an individual’s first name or first initial and last name in combination with” any one of the following: (i) a social security number; (ii) a driver’s license number or Washington identification card number; or (iii) an account number or credit or debit card number in combination with any required code or password that would permit access to the account. Therefore, if you or your company do not conduct business in Washington, or do not own or license personal information of a Washington resident, the amended statute has no application to you.

Next, even if you or your company conducts business in Washington and owns or licenses personal information of Washington residents, the amended statute may not affect you if you or your company is a covered entity already subject to the data breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA), or is subject to the interagency guidelines issued under the authority of the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA) or the Federal Reserve System.

If you or your company conducts business in Washington and you own or license personal information of Washington residents, and if you are not subject to HIPAA or the interagency guidelines mentioned above, then review your information security and breach response plan to assure that it complies with the amended Washington statute.

Oregon

Oregon’s 2015 Law Updates Its “Consumer Identity Theft Protection Act”

On June 10, 2015, Oregon Gov. Kate Brown signed into law A-Engrossed Senate Bill 601 (SB 601), an update to the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”). In addition to amendments that clarify the existing Act, SB 601 expands the definition of “personal information,” requires an incident notice be given to Oregon’s attorney general when a security breach affects more than 250 Oregon consumers and makes a person’s violation of the Act an “unlawful practice” under Oregon’s Unlawful Trade Practices Act. The effective date of the amended Act is Jan. 1, 2016. The amendments in SB 601 apply only to breaches of security that occur on or after that effective date.14

Existing Obligation to Safeguard Personal Information

Under the existing Oregon Act, a person who owns, maintains or otherwise possesses data that includes a consumer’s “personal information” used in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.15 SB 601 does not affect the existing obligation to safeguard personal information.

SB 601 Expands the Definition of “Personal Information”

Prior to the passage of SB 601, “personal information” was defined to include an Oregon consumer’s first name (or first initial) and last name in combination with any one or more of the following four data elements:16

  • Social Security number
  • driver’s license number or state identification card number
  • U.S. issued identification number
  • financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the financial account

SB 601 expands the definition of “personal information” to add the following biometric, health insurance and medical information to the four data elements (listed above):17

  • data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction
  • a consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer
  • any information about a consumer’s medical history or mental or physical condition or about a healthcare professional’s medical diagnosis or treatment of the consumer

Existing Obligation to Give a Breach Notice to Each Affected Consumer

As a rule, the existing Oregon Act mandates that any person who owns, maintains or otherwise possesses data that includes an Oregon consumer’s “personal information” used in the person’s business, vocation, occupation or volunteer activities and that was subject to a breach of security must give notice to each consumer whose personal information was breached.18

Under the existing Act, the breach notice must be given in the most expeditious time possible and without unreasonable delay, and it must be consistent with both legitimate needs of law enforcement and with any measures necessary to determine sufficient contact information for the consumers, determine the scope of the breach, and restore the reasonable integrity, security and confidentiality of the data.19

When the Security Breach Affects More Than 250 Consumers, SB 601 Mandates a Breach Notice Be Given to Oregon’s Attorney General

SB 601 adds a new subparagraph to the Act that requires notice of a breach of security be given to Oregon’s “Attorney General, either in writing or electronically, if the number of consumers to whom the person must send [a breach] notice *** exceeds 250.”20

Existing Enforcement System

Under the existing Act, the director of the Department of Consumer and Business Services is charged with enforcing the Act.21 If the director has reason to believe that any person has engaged or is engaging in any violation of the Act, the director may issue an order directed to the person to cease and desist from the violation, or require the person to pay compensation to consumers injured by the violation.22 However, the director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical.23

SB 601 Makes a Person’s Violation of the Act an “Unlawful Practice”

SB 601 adds a new section to Oregon’s existing Act that makes a “person’s violation of [the amended Act] an unlawful practice under ORS 646.607.”24 Oregon’s attorney general, or a district attorney of any county in which an unlawful practice is alleged to have occurred, is now empowered to enforce the Act using wide-ranging enforcement powers specified in Oregon’s Unlawful Trade Practices Act.

What Does This Mean for the Oregon Business World?

First, the Act imposes security and incident response requirements linked to a “consumer’s” personal information. SB 601 does not change the existing Act’s definition of a consumer. Under the amended Act, a “consumer” still means “an individual resident of [Oregon].” Therefore, if your business does not own, maintain or otherwise possess personal information of Oregon residents, the amended Act has no application to you.

Next, even if your business owns, maintains or otherwise possesses personal information of Oregon residents, the amended Act may not apply to you due to exemptions provided in SB 601.25 The amended Act affords exemptions to:

  • a person who complies with breach notification regulations that the person’s primary or functional federal regulator adopts if the regulations provide greater protection to personal information and disclosure requirements at least as thorough as those provided under the amended Act
  • a person who complies with a state or federal law that provides greater protection to personal information and disclosure requirements at least as thorough as those provided under the amended Act
  • a person who is subject to and complies with regulations promulgated pursuant to the Gramm-Leach-Bliley Act of 1999
  • a covered entity that is subject to and complies with the Health Insurance Portability and Accountability Act, if the covered entity sends the Oregon attorney general a copy of the notice the covered entity sent to consumers pursuant to HIPAA

If your business owns, maintains or otherwise possesses personal information of Oregon residents and no exemption applies, then review your information security and incident response plan to assure that it complies with the amended Act.