Amended Oregon Law Requires Notifying State Attorney General of Data Breaches


By Katie W. Johnson

June 16 — Beginning in 2016, organizations that own or license the personal information of Oregon residents must notify the state's attorney general of data breaches affecting more than 250 consumers under a bill (S.B. 601) recently signed by Gov. Kate Brown (D).

The measure, signed June 10, amends the state's existing data breach notification law, the Oregon Consumer Identity Theft Protection Act, Or. Rev. Stat. § 646A.600, which took effect in 2007.

“The number of state breach notification laws that are being amended to provide for notification of a state attorney general about a breach in addition to affected individuals continues to increase,” Melissa Krasnow, a partner at Dorsey & Whitney LLP in Minneapolis, told Bloomberg BNA June 16. Including Oregon, 22 states plus Puerto Rico require notification to the attorney general in the event of a data breach, she said. Some attorneys general “have used breach notification as a basis to further investigate,” she added.

“Oregon SB 601 also contains an amendment to the Oregon securities procedures law to provide clarity regarding certain provisions,” she said.

Since President Barack Obama's federal breach notification proposal was unveiled in January, states are “constantly amending” their breach notification laws, Krasnow said.

Expanded ‘Personal Information’ Definition

In addition to expanding the notification requirements, the amended law expands the definition of “personal information” to include a consumer's biometric data; health insurance policy number in combination with another unique identifier; and information about his or her medical history, mental or physical health, or medical diagnosis or treatment.

The law also makes a violation of the Consumer Identity Theft Protection Act actionable by the state's attorney general under the Unlawful Trade Practices Act, according to a House Judiciary Committee summary on the bill.

In addition, the summary said, hospitals or health-care plans that are covered by the Health Insurance Portability and Accountability Act won't be subject to enforcement actions by the attorney general if they give notice of the breach to the attorney general.

The bill passed the Senate April 29 by a vote of 26 to 3, and the House May 29 by a vote of 54 to 2.

The effective date of the amendments is Jan. 1, 2016.

To contact the reporter on this story: Katie W. Johnson in Washington at

To contact the editor responsible for this story: Barbara Yuill at

S.B. 601, as enrolled, is available at
