Oregon is the latest state to amend its data breach law, instituting stricter notification requirements and expanding the definition of protected personal information. Under S.B. 601, which was signed into law by Gov. Kate Brown on June 10, persons or organizations that own or license Oregon residents’ personal information must now notify the state attorney general of data breaches involving more than 250 consumers, in addition to notifying affected consumers. The definition of “personal information” also now includes a consumer's: biometric data; health insurance policy or subscriber identification number in combination with another unique identifier; and information about his or her medical history, mental or physical health, or medical diagnosis or treatment. The amendments take effect on January 1, 2016.