New Security Breach Notification Law in the State of Oregon

Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 is a security breach notification law originally passed in the U.S. state of Oregon in 2007 and amended several times since, most recently in 2020. The amendments were intended to give Oregon residents more up-to-date protections against security breaches, particularly by broadening the types of personal information the law protects. As such, Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 stands as the primary means by which residents of Oregon can protect themselves from the adverse consequences of a security breach.

What is the scope and applicability of the law?

In terms of the scope and applicability of the law, Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 applies to “Any individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization, or other entity, whether or not organized to operate at a profit, or a public body as defined in Or. Rev. Stat. § 174.109 (collectively, Entity) that owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses PI in the course of the Entity’s business, vocation, occupation, or volunteer activities and was subject to the breach of security.”

What are the security breach notification requirements under the law?

Under Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626, business entities that experience a security breach are required to notify all affected individuals and parties without undue delay, and no later than 45 days after discovery of the breach. The law also requires an affected entity to notify the Oregon attorney general when a security breach affects more than 250 residents of the state, and to notify the three major credit reporting agencies in the U.S. when a breach affects more than 1000 residents of the state. These security breach notifications must provide affected individuals with the following information:

  • A description of the security breach in general terms.
  • The approximate date on which the breach occurred.
  • The types of personal information that were compromised during the breach.
  • The contact information for the entity that is reporting the breach.
  • The contact information for the three major credit reporting agencies in the U.S.
  • “Advice to the individual to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.”

What types of personal data are covered?

Under Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626, the following types of personal information are legally protected in the event that a security breach takes place, in combination with an Oregon resident’s first name or first initial and last name, in instances where these data elements have not been encrypted, redacted, or otherwise rendered unreadable or unusable by another form of technology:

  • Social security numbers.
  • Driver’s license numbers and state identification card numbers issued by the department of transportation.
  • Passport numbers and other identification numbers issued on behalf of the U.S. government.
  • Financial account numbers and credit and debit card numbers, as well as any associated security codes, access codes, and passwords that could be used to gain access to an Oregon resident’s financial account.
  • “Any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”
  • “Biometric data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial or other transaction.”
  • Health insurance policy numbers and health insurance subscriber identification numbers, in combination with any other unique identifiers that a health insurer could use to identify a consumer within Oregon.
  • Information related to an individual’s medical history, physical or mental condition, or a healthcare professional’s medical diagnosis or treatment of an individual.

What are the penalties?

The provisions set forth in Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 are enforced by the Oregon attorney general, who has the authority to impose penalties and sanctions against businesses and organizations within the state that fail to comply with the law. Such penalties include a monetary fine of up to $1,000 per violation, with total penalties not to exceed $500,000. In addition, violations of Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 are also considered unfair or unlawful trade practices under other applicable legislation within the state.

Through the amended provisions of Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626, residents of the state of Oregon have been given an enhanced level of legal protection against the adverse effects of a security breach. Because the types of personal information covered under the law are numerous and varied compared with many other security breach laws around the country, residents of the state of Oregon can rest assured that they are protected should personal information concerning them become compromised during a security breach or other related event.