This excellent post by my colleague Brian Sniffen in our firm’s IP Law Trends blog reports on the efforts by Oregon’s attorney to strengthen the state’s data breach notification laws. The proposed amendments to the Oregon Consumer Identity Theft Protection Act (ORS 646A.602 et seq.) are part of Senate Bill 601, which is making its way through the legislature right now. You can follow the bill’s progress here).
As Brian reports, among the proposed changes are a lowering of the threshold for notification to the Attorney General to 100 records; expansion of the definition of confidential data to include medical and biometric information; and giving enforcement power to the Attorney General under the Unfair Trade Practices Act.
As we observed last week in our post about the insurance implications of Washington’s effort to toughen its data-breach notification laws, these proposed Oregon changes should prompt every business — whether it handles loads of consumer data or not — to review its cyber insurance coverage to get a comfort level with any sub-limits relating to notification costs, and liability coverage for regulatory claims. Of course, both state-level efforts could be upended if the President’s proposed data-breach bill becomes federal law, because the federal law will likely trump all state laws. All the more reason to review your cyber coverage with an insurance professional today.
Update April 22: The Oregon bill has received a “do pass” recommendation, with some amendments, from the Senate Judiciary Committee, and is awaiting transfer to the floor for passage.