Privacy Officer's Roundtable

Oregon Expands Data Breach Law 

12-18-2015 11:40 AM
Attached file: SB 601 2015.pdf (49 KB, 1 version), uploaded 12-18-2015


12-18-2015 12:06 PM

Expands the statute’s definition of “personal information” (PI) to include a resident’s biometric or medical information;
Requires entities or persons that own or license consumer PI to notify the Oregon Attorney General of a data breach if the entity must notify more than 250 residents;
Raises the threshold for notifying Oregon consumers to a more generous “unlikely to suffer harm” standard;
Lowers the threshold for reporting to consumer report agencies (CRAs) by requiring notice to CRAs whenever a breach affects more than 1,000 residents;
Exempts covered entities under the Health Insurance Portability and Accountability Act (HIPAA) from compliance, so long as a copy of the notice sent to either the entity’s primary functional regulator or to state residents is sent to the Attorney General; and
Allows the Attorney General to bring action against entities that violate the data breach statute, pursuant to Oregon’s Unlawful Trade Practices Act (Ore. Rev. Stat. § 646.607).
