Oregon Enacts Tougher Data Breach Notification Law
Oregon Governor Kate Brown signed a bill last month toughening the state’s already stringent data breach notification law, which will take effect on June 2, 2018. The most significant change for companies to be aware of is the requirement that affected consumers be notified no later than 45 days following discovery of a breach. Additionally, if a company offers free credit monitoring or identity theft protection services to the affected consumers, the company may not require the consumers to provide a credit or debit card number in order to receive such services.
Originally passed in 2007, and amended in 2015, the Oregon Consumer Identity Theft Protection Act (codified as ORS § 654A.600 to 654A.628) already requires companies to notify affected consumers “in the most expeditious manner possible, without unreasonable delay.” Further, if the number of affected consumers is greater than 250, the company must notify the Attorney General, and the breach will be published on the Oregon Department of Justice website.
Other key changes in the 2018 amendment to the Oregon Consumer Identity Theft Protection Act include:
The law now applies to any person or organization that “owns, licenses, or otherwise possesses personal information” (where previously it applied only to those that “own or license personal information”).
The duty to report is now triggered if a company receives notice of a breach from a third-party contractor that maintains such information on behalf of the company.
The definition of “personal information” under the law is expanded to include any “information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”
Additionally, when the 2018 bill takes effect in June, Oregon will join a growing number of states that have prohibited credit reporting agencies from charging a fee to consumers for placing, temporarily lifting, or removing a security freeze on their credit reports—regardless of whether the consumer was a victim of identity theft.
Finally, the bill also amends ORS § 654A.622, which contains the Act’s information security and safeguard requirements. The requirements now apply to any person or organization that “has control over or access to” personal information, in addition to those that “own, maintain, or otherwise possess” such information. The language in subsection (2)(d)—listing the administrative, technical, and physical safeguards that should comprise an organization’s information security program—was also thoroughly revised. Notable changes include:
Administrative safeguards, including identification of potential risks and training of key employees, must be performed with “reasonable regularity.”
Technical safeguards must now include assessment of “vulnerabilities” in addition to “risks,” and security updates or patches must be implemented when risks or vulnerabilities are identified.
Physical safeguards must be assessed “in light of current technology,” and intrusions must be “monitored” and “isolated” in addition to the previous requirement that they be “detected,” “prevented,” and “responded to.”
As more and more states are amending their data breach notification laws (or even enacting such laws for the first time), organizations of all sizes are encouraged to regularly review and amend their data safeguarding programs (including training programs and incident response processes) to ensure compliance with the various state laws.