Skip to main content

Implications for Businesses as Oregon Attorney General Fights for More Detailed Data Breach Notifications, and Increased Involvement in Data Breach Situations



As reported in an interview with The Privacy Advisor, Oregon Attorney General Ellen Rosenblum is seeking the following three changes to Oregon’s data breach notification law:

  1. Mandatory reporting of data breaches to the AG’s office;
  2. Enhanced enforcement authority in the event of data breaches; and
  3. An expanded definition of personal information required to be reported.

Rosenblum is seeking an expansion of authority for her office, and an increase in responsibilities for businesses, because the rate at which personal data is being collected—and compromised—continues to expand. She also notes that the increase in enforcement authority she seeks would allow her to coordinate with other state attorneys general. Given the interstate nature of data breaches, coordinating with other states makes sense.

But the expanded definition of “personal information” would present practical difficulties for businesses responding to data breaches: already, determining what was lost in a data breach, and then determining whether a data-breach notification is necessary, is very difficult. By adding additional categories of information (Rosenblum proposes adding medical, insurance, and biomedical information to the must-report list), which may or may not be defined well in proposed legislation, the difficulty of that determination is increased. The practical result may be significant delays in notifying potential victims of data breaches because breached companies will need additional time to investigate whether the breach captured these additional categories of information.

Businesses may also be leery of mandatory notification of data breaches to the attorney general because such a report would be subject to public disclosure. Indeed, the attorney general proposes making all reported data breaches available on a publicly-searchable database. In the case of a small data breach (e.g., three employees of a small business whose information is stolen by a disgruntled former employee), companies would likely prefer to notify only those affected by the breach and thereby minimize potential negative PR and/or avoid raising the profile of the thief.

In any event, we are encouraged that Rosenblum and other state attorneys general are thinking about data-privacy issues. If you have questions about these issues, including your company’s obligations under state and federal laws, or if you are worried about a potential data breach, please give us a call.

  Edit this post