Oregon and Arizona Amend Breach Notification Laws

Amended breach notification laws recently took effect in Oregon and will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data security requirements for companies that handle the personal data of Oregon residents.

Oregon

Broadened Definition of Personal Information

Like many states, Oregon’s breach notification statute previously included some formulation of financial account number within its definition of “personal information.” In addition to this standard element, the amended law also includes “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”

Notice Timing

The new Oregon law will require notice to individuals and, if applicable, the state Attorney General within 45 days of discovery or notification of a security breach.

Limitation of Existing Exemptions

Oregon’s breach notification statute previously included specified exemptions, such as for an entity that is subject to and in compliance with breach notification rules established by the entity’s primary or functional federal regulator, and the amended law significantly reduces the scope of these exemptions. For example, an entity that notifies individuals and/or the entity’s primary or functional regulator pursuant to federal laws or regulations now must also notify the Oregon Attorney General. This additional obligation to notify the Attorney General applies “subject to subsection (1)(b)” of the amended Oregon breach notification law, which requires notification to the Attorney General only where 250 or more Oregon residents are to be notified.

Enhanced Data Security Obligations

Oregon’s previously existing data security law contained relatively prescriptive requirements for companies that handle personal data of Oregon residents. The amended law incorporates a few key changes. For example, information security programs must now include safeguards related to regular review of user access privileges as well as application of security updates and a patch management program, among others. The amended law further clarifies that companies must not only assess but also remediate or mitigate identified risks.

Arizona

Definition of Personal Information

Arizona’s amended law, effective August 3, 2018, will broaden the definition of “personal information” that triggers notification obligations. In addition to a Social Security number, driver’s license or state identification, or financial account number or credit/debit card number with any required security code, access, or password that would permit access to an individual’s financial account, the definition will include:

  • An individual’s username or email address, in combination with a password or security question and answer that allows access to the account;
  • Health insurance identification numbers;
  • Information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional;
  • Passport numbers;
  • Individual taxpayer identification numbers or identity protection personal identification numbers issued by the IRS;
  • Unique biometric information; and
  • A “private key” that is unique to an individual and used to authenticate or sign an electronic record.

Individual Notice Requirements

Similar to many state breach notification laws, the amended Arizona law will require that notices to Arizona residents include specified content: the approximate date of the breach, a brief description of the personal information subject to the breach, and contact information for consumer reporting agencies and the FTC. The amended law will also require that companies notify individuals within 45 days of the determination that a breach has occurred.

If the breach involves only a username or email address, in combination with a password or security question and answer that allows access to the account, the amended law will permit companies to follow a separate procedure for notice.

Notice to the Attorney General and Consumer Reporting Agencies

If more than 1,000 Arizona residents are to be notified, the amended law will require that companies notify (a) the three largest nationwide consumer reporting agencies and (b) the Arizona Attorney General, also within 45 days of the determination that a breach has occurred.

Method of Notice

Arizona’s existing breach notification law permits substitute notice in specified circumstances and requires that substitute notice include an email notice, to the extent an email address is known, as well as a conspicuous notice on the notifying entity’s website and notification to major statewide media. The amended law will remove the requirements for an email notice and notification to major statewide media, but add a requirement that the notifying entity provide a written letter to the Arizona Attorney General demonstrating the facts necessary for substitute notice.

With respect to general individual notice procedures, the amended law will permit email notice if the notifying entity has email addresses for the individuals to be notified.