On December 10, Oregon Attorney General Ellen Rosenblum proposed more rigorous requirements for companies to disclose data breaches that expose consumers’ personal information.  Testifying before the Oregon joint Senate and House Judiciary Committee, Rosenblum called on the Oregon legislature to update the state’s data breach law and to extend data breach enforcement and notification to the Oregon Department of Justice.

“As technology changes, so must the legal infrastructure which protects that technology.  Oregonians want – and should – know who is collecting their personal information and data, how it is being used and protected, as well as to whom it is being sold.  If asked today, most people would have little idea how to answer these questions.  We need to protect and educate Oregonians – as they should, but often cannot, understand how their data is being used,” Rosenblum testified.

Rosenblum, a first-term Attorney General, indicated that Oregon’s 2007 data breach law is out-of-date.  The existing law requires companies to notify consumers whose name is compromised in conjunction with their Social Security number, bank account number or other information. Rosenblum wants to broaden the list to include medical, insurance, and biometric information.  The Oregon House and Senate Judiciary committees plan to consider a bill for next year’s legislative session.

In her calls for updated data breach laws, the Oregon Attorney General joined a growing chorus of state AGs pushing for revamped privacy and data laws at the state level.  Just this past October, California Attorney General Kamala Harris released a report outlining the growing threat that data breaches pose to California residents.  That report included a number of recommendations to California lawmakers such as revising the breach notice law in order to strengthen the consumer notification procedure, clarifying the roles and responsibilities of data owners and data maintainers, and requiring a final breach report to the Attorney General’s Office.


For continued updates on this and other cyber security news, follow the Consumer Financial Services Law Monitor.