New Oregon data security law takes effect January 1

by Joanna Perini-Abbott

Oregon’s expanded data breach law will take effect January 1, making two significant changes to the old law—a notification requirement and a change in the definition of “personal information.”  Lock that Data Down

Like the old law, the new law requires businesses that maintain personal information digitally, including information about employees, to notify Oregon residents whose electronically stored information has been compromised as soon as the breach is discovered.

The new law stipulates that if a breach involves more than 25 people, employers must notify the Oregon attorney general. Also, the law requires employers to recommend that individuals report the incident to law enforcement officials, including the attorney general.

The new law expands the definition of “personal information” to include biometric information (e.g., fingerprints and retina scans), health insurance plan numbers and policy information, and medical information. The new definition is in addition to the information covered by the previous definition, which includes individuals’ names with their financial account information or Social Security number or other state or federal identification number.

For more information on Oregon’s new data security law, see the December issue of Oregon Employment Law Letter.

Joanna Perini-Abbott is an attorney with Perkins Coie LLP in Portland, Oregon. She can be reached at