In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor.  A copy of the new law is available here. The most notable changes are as follows:

Amendments to Oregon’s Breach Notification Law, O.R.S. 646A.604

  • The law expands the scope of those who must provide notice of a security breach to include a person who “otherwise possesses” personal information. Existing law applies only to persons who own or license personal information.
  • The law requires that notice of the breach be provided “in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.” The law continues to define “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” With this amendment, Oregon joins a growing number of states that have moved away from ambiguous timing language and instead require notice to be provided in a specific number of days.
  • Notably, HIPAA covered entities are exempt from the 45-day notice requirement. That is a significant carve-out because the Oregon law’s definition of “personal information” includes a consumer’s health insurance policy number, health insurance subscriber number, and any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment. In the absence of a carve-out, there could have been circumstances under which a HIPAA covered entity may have been required to provide notice sooner than the 60-day requirement in the HIPAA Breach Notification Rule. However, it should be emphasized that it will not always be the case that Oregon’s 45-day deadline will run before HIPAA’s 60-day deadline because the HIPAA deadline starts on  “the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity.”  45 C.F.R. § 164.04(a)(2).
  • The law provides that if an entity offers free credit monitoring or identify theft prevention/mitigation services it cannot condition those services on the person providing a credit or debit card number or accepting any other services the person offers to provide for a fee.

Amendments to Oregon’s Information Security Law, O.R.S. 646A.622

  • The law expands the scope of covered individuals to include anyone who “has control over or access to” data containing personal information. The law previously applied only to persons that owned, maintained or otherwise possessed such information.
  • The law updates a number of its prescriptive data security requirements. For example, in addition to numerous other existing requirements, the law requires that entities:
    • Conduct risk assessments and provide training “with reasonable regularity” whereas the prior law was silent on the timing;
    • Review user access privileges with reasonable regularity; and
    • Apply security updates and a reasonable security patch management program to software that might reasonably be at risk.

The new law goes into effect 91 days after adjournment of the 2018 legislative session.