Data Breach Notification and Information Security Laws Updated in Oregon

Data breach notification laws in Oregon have been updated to strengthen protections for state residents whose personal data is exposed in a data breach. Kate Brown, the State governor, signed Senate Bill 1551 (SB 1551) last month, which updates several parts of the legislation, in particular Oregon’s Breach Notification Law, O.R.S. 646A.604, and Information Security Law, O.R.S. 646A.622. The updates will become enforceable in June 2018.

Prior to these amendments, Oregon’s privacy breach notification law applied only to individuals who own, license, or store personal information. Now, with the amendments, a person is defined as “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.”

The definition of a data breach is “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”

The definition of personal information has been expanded to include a first name or first initial and surname in combination with any of the following data elements: Social Security number, driver’s license number, state identification card number issued by the Department of Transportation, passport number, other U.S. identification numbers, data from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to authenticate transactions, a health insurance policy number or subscriber ID number in combination with any unique identifier that can identify an individual, details of mental or health conditions, medical histories, and financial information that includes an access code or password that would permit an unauthorized individual to gain access to the financial account.

Whereas timely notifications were already required when personal information was exposed or taken in a security breach, there is now a defined time frame for issuing them. Notifications must be issued without unreasonable delay, and no later than 45 days after the breach is discovered. In certain cases breach notifications can be delayed if law enforcement agencies determine that issuing notifications would impede an investigation.

As there is some overlap between the definition of personal information under state legislation and the definition of protected health information under HIPAA, HIPAA-covered entities are exempt from the 45-day breach notice deadline and are deemed to comply with that aspect of state law if they meet the requirements of the HIPAA Breach Notification Rule and issue the required notifications no later than 60 days after discovery of a breach. All breached organizations, including HIPAA-covered entities, must submit a copy of the consumer breach notice to the Oregon attorney general if the breach affects more than 250 individuals.

The amendment to the Information Security Law, O.R.S. 646A.622, requires “a person that owns, maintains or otherwise possesses, or has control over or access to, data that includes a consumer’s personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” to put in place and maintain reasonable security measures to safeguard the confidentiality, integrity, and security of personal data.

HIPAA-covered organizations will be deemed in compliance with that aspect of O.R.S. 646A.622 if they comply with HIPAA, 45 C.F.R. Parts 160 and 164.

Author: Maria Perez