On June 10, 2015, Oregon Governor Kate Brown signed into law a bill that significantly amends Oregon’s data breach notification law.

The amended law, which is effective January 1, 2016 (and applies to breaches occurring on and after that date), requires Oregon’s Attorney General to be notified if a breach affects more than 250 Oregonians.

The new law also makes a violation of the revised law an unlawful trade practice that may be pursued by the Oregon Attorney General.

Finally, the law also expands the definition of “personal information” to include unencrypted biometric data (“automatic measurements of a consumer’s physical characteristics”), health insurance policy and ID numbers, and information about a consumer’s medical history, including diagnoses.

This amended law increases instances where data-breach notifications must be sent and raises the stakes for businesses who are responding to data breaches.

Is your business prepared to comply with these new obligations? Call us if you need help.