Privacy and Data Security Law Update
07/24/2015
Oregon Amends Data Breach Law — Companies Can Expect More Enforcement Actions
Oregon Gov. Kate Brown recently signed into law amendments to the state’s data breach law. These
amendments recognize the growing definition of data, expand the role of the Attorney General in
addressing data breaches, provide a consumer notification exemption for entities covered under the
federal Health Insurance Portability and Accountability Act (HIPAA) and raise the threshold for
consumer notification. The new law goes into effect on January 1, 2016, and key changes include:
- Expanding the definition of personal information to include a consumer’s biometric, medical and health insurance information;
- Requiring individuals or entities who own or license personal information to provide notice of a data breach to the Attorney General in the event the individual or entity must notify more than 250 consumers;
- Providing an exemption to the consumer notification requirements for entities covered under HIPAA, so long as the entity provides the Attorney General with a copy of the notice sent to consumers or the entity’s primary functional regulator; and
- Raising the threshold for customer notification, where notification is not required if the customer is “unlikely to suffer harm.”
The statutory scheme applies to any individual or entity that conducts business in Oregon and who owns
or licenses personal information.
Personal Information
The amendments expand the definition of “personal information” — recognizing not only the changing
definition of data, but addressing the increasing use and theft of such data. The definition of personal
information under the amendments will protect a wider range of data, including biometric, medical and
health insurance information, which was not previously covered by the law. As a result, more entities
doing business in Oregon will be subject to Oregon’s data breach law. Those doing business in Oregon
need to consider whether they own or license these categories of information and if so, assess the
company’s privacy and data breach preparedness procedures to confirm compliance with the statutory
requirements.
Role of Attorney General
The amendments insert the Attorney General’s office into the equation by requiring that it be notified in the event of a data breach, giving it tools to better track data breaches and authorizing it to enforce violations of the data breach law.
The amendments mandate notice to the Attorney General when more than 250 consumers must be
notified under the data breach law, and the Attorney General’s office must be notified without
unreasonable delay. The amendments also provide that the Attorney General may bring an enforcement
action pursuant to the Unfair Trade Practices Act against any individual or entity subject to, and in
violation of, the data breach law. Currently, the data breach law grants enforcement authority solely to
the Department of Consumer and Business Services, which has been relatively inactive in bringing
enforcement actions, having conducted only three such actions as of May 2015. As a result of these
changes, there is likely to be an uptick in enforcement actions.
Consumer Notification Threshold
Currently, the data breach law requires notification unless it is determined after an appropriate
investigation that there is “no reasonable likelihood of harm.” Under the amendments, individuals or
businesses will not need to provide notice to consumers if the consumer is “unlikely to suffer harm” as a
result of a data breach. With this change, entities subject to the data breach law will not have to provide notice to customers if harm is determined to be unlikely, a lower bar for the exemption than the “no reasonable likelihood of harm” standard under the current law.
Finally, those covered by the data breach law should monitor enforcement actions to see how the
Attorney General interprets this new standard. Keep in mind that under the current statute and unaffected
by the amendments, entities that own, maintain or otherwise possess protected data must develop,
implement and maintain reasonable safeguards to maintain the security and integrity of the data.
Companies who have not done so and experience a breach may be more likely to face an enforcement
action.
For more information, please contact the Privacy and Data Security Practice Group at
Lane Powell: lanepowellpc@lanepowell.com
This is intended to be a source of general information, not an opinion or legal advice on any specific
situation, and does not create an attorney-client relationship with our readers. If you would like more
information regarding whether we may assist you in any particular matter, please contact one of our
lawyers, using care not to provide us any confidential information until we have notified you in writing
that there are no conflicts of interest and that we have agreed to represent you on the specific matter that
is the subject of your inquiry.
Copyright © 2015 Lane Powell PC
Seattle | Portland | Anchorage | Tacoma | London