Oregon Amends Identity Theft Protection Act | Practical Law

Oregon Governor Kate Brown has signed a bill updating the Oregon Consumer Identity Theft Protection Act. The bill expands the definition of personal information under the Act and imposes new notification requirements on businesses when a data security breach occurs.

Practical Law Legal Update 0-616-4919 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 16 Jun 2015
USA (National/Federal)
On June 10, 2015, Oregon Governor Kate Brown signed Senate Bill 601 into law. The bill updates the Oregon Consumer Identity Theft Protection Act, Oregon's data breach statute, and amends it to:
  • Expand the definition of "personal information."
  • Require an incident notification to be sent to the Oregon Attorney General when a data security breach affects more than 250 Oregon consumers.
  • Make a violation of this act an unlawful practice under the Oregon Unlawful Trade Practices Act (UTPA).
In particular, the bill amends Or. Rev. Stat. §§ 646.607, 646A.602, 646A.604 and 646A.622. It is effective as of January 1, 2016.

Definition of Personal Information

The current version of Oregon's data breach statute defines personal information to include an individual's first name or initial with last name in combination with one or more of the following data elements, if either the name or the data elements are not encrypted:
  • Social Security number.
  • Driver’s license number or state identification card number.
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account.
SB 601 amends the definition of personal information to include the following additional data elements:
  • Data from automatic measurements of an individual's physical characteristics, like fingerprint, retina or iris images, that are used to authenticate the individual's identity in connection with a financial transaction or other transaction.
  • An individual's health insurance policy number or subscriber identification number, in combination with any other unique identifier that a health insurer uses to identify the individual.
  • Any information about:
    • an individual's medical history, or mental or physical condition; or
    • a healthcare professional’s medical diagnosis or treatment of the individual.

Government Agency Reporting

Oregon's current data breach statute does not require a covered entity to report a breach to a government agency. The amendments require covered entities to give notice of a data security breach in writing or electronically to the Attorney General when the breach affects more than 250 Oregon individuals.

Enforcement

The current Oregon statute authorizes the director of the Department of Consumer and Business Services to enforce it. Under the amendments, a violation of the act will be an "unlawful practice" under the UTPA. Accordingly, the attorney general or any district attorney of any county will have power to enforce the act under the enforcement powers granted in the UTPA.