On December 10, Oregon Attorney General Ellen Rosenblum testified in front of the joint Oregon Senate and House Judiciary Committee on the evolving nature not only of data collection and use but also of cybersecurity incidents and hacking, and on the need to amend the Oregon data breach notification law to provide enforcement authority to the state Department of Justice. Extending enforcement authority to the attorney general’s office within that department will allow the attorney general to use the state’s Unlawful Trade Practices Act to act against failures to notify and other violations of the statute.

In seeking enforcement authority, Attorney General Rosenblum is also asking that the law be amended to require breached entities to notify the state Department of Justice. The law requires notification to affected individuals, and to the consumer reporting agencies under certain circumstances, but at this time does not require notification to any state regulator. Currently, 15 states require breached entities to notify the state attorney general or other regulators, and New Jersey requires notification to be made to the state police.

For example, California requires notification to the state attorney general when a data breach affects more than 500 California residents. Once received, California posts the notifications on its website for public review. Using the information it has received in these breach notification letters, California has produced two breach reports – the most recent released in October 2014 – that highlight the most common types of breaches, the type of information stolen in breaches, and which industry sectors are victimized by breaches most often.

The attorney general is also working to expand the definition of “personal information,” the loss of which requires notification under the law. The changes contemplated in Oregon follow a current trend among the states to add biometric data, as well as medical and health information, to the list of the types of information that, if breached, trigger the notification statute.