Oregon Governor Kate Brown recently signed a new data breach reporting law (S. 1551) that toughens the state’s existing requirements.

The new law requires companies to notify individuals within 45 days after a data breach has been discovered, unless a delay in notification is requested by law enforcement. It expands the definition of personal information to include passport information, biometric information, any information that would permit access to a consumer’s financial account, health insurance account number, and a consumer’s medical history, mental or physical condition, or a diagnosis by a medical provider.

Further, the law prohibits credit reporting agencies from charging consumers a fee if they want to freeze or unfreeze their credit reports.

If notification to consumers is required under the statute, notification is to also to be given to the Attorney General.

Finally, the law also requires companies to implement appropriate physical, technical, and administrative measures to protect the personal information of consumers, which follows the lead of other states, including Massachusetts, California, Rhode Island, and Connecticut. These measures include implementation of an information security program, designating an employee responsible for the information security program, identifying security risks, training and managing employees, selecting appropriate service providers, reviewing user access privileges, applying security updates, and monitoring and detecting security controls, among others. The statute includes a list of requirements that companies are required to follow in order to comply with the statute. The list is worth a good look.

The statute goes into effect in June 2018.