If you own or operate a business in Oregon, you should take note of the following recent changes to the Oregon Identity Theft Protection Act (the “Act”) made by SB 601 (2015). The changes go into effect January 1, 2016.

1. Definition of “Personal Information” Is Expanded

In addition to the financial and governmental identification previously protected, the Act now protects a consumer’s first name or first initial and last name in combination with:

• Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;
• A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or
• Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s diagnosis or treatment of the consumer.

The new definition of “personal information” also excludes information that has been rendered unusable by encryption, redaction, or other methods.

2. Persons Subject to the Act if a Breach Occurs

The Act distinguishes between two classes of persons for enforcement purposes. The first tier of persons are those responsible for notifying the affected consumer(s) and, if more than 250 persons are affected, the Oregon Attorney General. This person “owns or licenses personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” and has been subject to a breach of security.

The second tier of persons subject to the Act includes a person “that maintains or otherwise possesses personal information on behalf of, or under license of, another person.” This person’s obligation is to notify the owner or licensor of the personal information of the breach of security.

3. Reasonable Likelihood of Harm Determines Need for Notification

The duty to notify consumers does not arise if “after appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies the person reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.” This is much the same as the existing law, but the Act now holds the determination of the likelihood of harm to a “reasonableness” standard. The basis for this determination must be documented and kept for five years.