Oregon Amends Data Breach Notification Law

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

In March 2018, Oregon Governor Kate Brown signed into law new measures to strengthen the state’s existing data breach notification statute, ORS § 646A.604. The legislation is set to take effect in June 2018 and, among other things, will require organizations that experience a data breach affecting Oregon residents to notify affected individuals of the data breach within 45 days of its discovery, unless asked to delay notification by law enforcement. Previously, Oregon law required notification to be made in the most expeditious time possible, without unreasonable delay. 

The legislation also adds a category of personal information that will trigger a duty to notify. The definition of personal information will now include an individual’s first name or first initial and last name in combination with any “information that a person reasonably knows or should know would permit access to [a] consumer’s financial account.” The definition of personal information was previously more limited. In addition, the legislation expands the reach of the law to any person who “possesses” personal information involved in a data breach. The law previously applied only to those who owned or licensed personal information.

An organization required to notify individuals of a data breach must, according to the new legislation, now (a) “determine sufficient contact information” for the intended notice recipient, (b) “determine the scope of the [data] breach,” and (c) “restore the reasonable integrity, security and confidentiality of the personal information” impacted. These requirements are new. Further, the legislation revises legal requirements for the content of consumer notification letters. Under the new law, any consumer notification letter must now include contact information for the organization giving notice of the data breach.

Finally, the new legislation prohibits organizations that experience a data breach from requiring affected individuals to provide credit card or debit card numbers or accept any other service in order to receive free credit monitoring or identity theft protection services. To the extent that additional services are offered for a fee, the organization must clearly and conspicuously disclose the fact that there will be charges associated with such services. The legislation also prohibits consumer reporting agencies from charging a fee for placing, lifting, or removing a security freeze on a consumer’s credit report or protective record.