June 30, 2015
On June 16, 2015, Gov. Brown signed SB 601 into law, creating Chapter 357 of the 2015 Laws. The law relates to data security breach notification amendments. While Oregon already has the Oregon Consumer Identity Theft Protection Act in place, this legislation updates this Act to expand the definition of “personal information” to include physical characteristics and health insurance policy numbers, as well as any information about a consumer’s mental or physical health, medical history, diagnosis or treatment. Importantly, it requires entities who suffer a data breach of the personal information to notify the Attorney General when the breach affects more than 250 consumers. There is an exception for hospitals or health care plans already covered by HIPAA (such as employers sponsoring self-insured plans). However, such plans must provide a copy of the breach notification to the Oregon Attorney General when the notice is provided to federal regulators. The legislation is effective Jan. 1, 2016.
Chapter 357 »