Oregon Expands Data Breach Law

The modified law will expand the definition of personal information to include medical information and physical characteristics, and require notification to the state Attorney General.

Businesses with customers in Oregon should take note, as some big changes are coming to the Beaver State’s data breach law in early 2016.

On June 10 Oregon Governor Kate Brown signed S.B. 601 into law, approving a number of amendments to the state’s data breach notification statute and making Oregon the sixth state to amend its state data breach law since the beginning of the year. Though most of the changes to the statute are cosmetic or grammatical tweaks, the bill makes several important additions and modifications that entities with a presence in Oregon should be aware of before S.B. 601 goes into effect on January 1, 2016. Among its changes, S.B. 601:

• Expands the statute’s definition of “personal information” (PI) to include a resident’s biometric or medial information;
• Requires entities or persons that own or license consumer PI to notify the Oregon Attorney General of a data breach if the entity must notify more than 250 residents;
• Raises the threshold for notifying Oregon consumers to a more generous “unlikely to suffer harm” standard;
• Lowers the threshold for reporting to consumer report agencies (CRAs) by requiring notice to CRAs whenever a breach affects more than 1,000 residents;
• Exempts covered entities under the Health Insurance Portability and Accountability Act (HIPAA) from compliance, so long as a copy of the notice sent to either the entity’s primary functional regulator or to state residents is sent to the Attorney General; and
• Allows the Attorney General to bring action against entities that violate the data breach statute, pursuant to Oregon’s Unlawful Trade Practices Act (Ore. Rev. Stat. § 646.607).

A Multitude of Edits Create New Duties and Confusion

S.B. 601 adds the following biometric and medical information to the definition of PI: automatic measurements of a resident’s physical characteristics – such as fingerprint, retina or iris data – used to verify the resident’s identity pursuant to a transaction; a resident’s health insurance policy or subscriber number; or a resident’s medical history, mental or physical health, diagnosis or treatment information. This expanded definition of PI means that entities which own or license resident’s biometric or medical information will need to ensure that their breach response practices are in line with Oregon’s notification requirements by the end of this year. Fortunately, the bill is specific as to what biometric and medical information will constitute PI, which should allow entities to clearly identify if they possess any information fitting this definition and develop appropriate breach response procedures.

Additionally, the requirement to notify the Attorney General of a breach is a new duty that entities will need to incorporate into their breach response practices and procedures. Notice to the Attorney General may be either in writing or electronic, and must be in the most expeditious manner possible and without unreasonable delay. S.B. 601 requires notice to the Attorney General whenever 250 or more residents are notified of a breach, an incredibly small threshold considering that most breaches routinely affect tens of thousands – if not hundreds of thousands or millions ­– of individuals. The reality is that businesses should be prepared to provide notice to the Attorney General’s office whenever Oregon residents must be notified of a breach.

S.B. 601 also raises the harm threshold for providing notice to residents. Whereas the statute’s current language mandates that notification is required unless the breached entity determines that there is “no reasonable likelihood of harm” to affected residents after consulting with law enforcement, S.B. 601 states an entity does not need to “notify consumers” in Oregon of a breach if it reasonably determines after consulting with law enforcement that the residents “are unlikely to suffer harm.” This slight change could give businesses greater discretion to resolve whether or not residents need to be notified, as opposed to requiring notification every time there is a reasonable likelihood of harm.

But businesses should also note that ambiguities in the statute’s amended language seem to require notice of a breach to CRAs even when notice to Oregon residents and the Attorney General may not be required. This is because S.B. 601 restricts the above harm threshold for notice only to affected residents (and, by extension, to the Attorney General), while simultaneously striking current language that mandates notice to CRAs only when 1,000 or more residents are notified under the statute.  An entity could thus suffer a breach that affects more than 1,000 residents but which is unlikely to cause the residents harm; under this situation, the statute strangely seems to require notice to CRAs even though affected residents and the Attorney General do not need to be alerted. Though this scenario likely was not the legislators’ intent when they drafted and passed S.B. 601, businesses should be aware of the confusion that this ambiguity creates.

Finally, businesses should be aware that they could be subject to civil actions by either the Attorney General or local district attorneys for violations of the state data breach statute. S.B. 601’s amendments make violations actionable as unlawful trade or business practices, pursuant to Ore. Rev. Stat. §  646.607. Accordingly, the state’s prosecuting attorneys will be empowered to investigate, enjoin, or bring an action against an affected entity for violations of the data breach statute. Affected individuals, however, will not enjoy a private right of action under the revised law.