On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law (37 states have legislation that applies to private entities); the District of Columbia and Puerto Rico also have similar legislation. Continuing a five-year-old national legislative trend, Oregon lawmakers greenlit provisions requiring state businesses and government agencies to notify residents of certain kinds of data breaches.
The bill defines “breach of security” as the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person” (emphasis added), and requires businesses to notify state residents if their computerized personal information is compromised unless, “after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach.”
For purposes of the bill, “personal information” is defined as a consumer’s first name or first initial and last name in combination with their 1) social security number, 2) driver’s license or state identification card number, 3) passport or other United States issued ID number or 4) financial account information along with password or security code information. An individual’s name need not be directly connected to the other data elements to trigger the notice requirements; notice is required if the compromised data “would be sufficient to permit a person to commit identity theft.”
Under the new law, businesses and government agencies also must meet certain data security and disposal requirements. Specifically, they must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including disposal of the data.” An entity will be deemed to be in compliance if it implements an information security program that includes certain enumerated administrative, technical and physical safeguards.
Violations of the new law can result in civil penalties of not more than $1,000 for each violation. In the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.