Oregon Cannabis: Data Breach Notification Laws 101

A few weeks ago, we mentioned that cannabis companies that fall victim to a data breach are required, under state law, to inform employees and customers whose data was compromised by the intrusion. However, not every stolen piece of information demands notification. This post further dives into these laws—all 50 states have now enacted breach notification laws—by addressing the notification requirements imposed by the State of Oregon.

Oregon Revised Statutes (“ORS”) 646A.602 defines “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” “Personal information” means an Oregon resident’s:

• Social security number;
• Driver license number or state identification card number;
• Passport number or other identification number;
• Financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account;
• Physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;
• Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the resident; or
• Any information about their medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment information.

Personal information also includes any of the data elements listed above, without the resident’s name, if the data elements, alone or in combination with others, would enable a person to commit identify theft against the resident.

However, the breach of a resident’s personal information does not, in and of itself, prompt the notification requirement. In Oregon, notification is not mandated if, after an appropriate investigation or consultation with law enforcement agencies, the company reasonably determines that the resident has not and is not likely to be harmed from the breach. Such determination must be documented in writing and maintained by the company for a minimum of 5 years.

If the company determines that the stolen data will harm or is likely to harm the resident, then the company must notify the resident “in the most expeditious manner possible, without unreasonable delay,” but no later than 45 days after discovering or receiving notification of the breach. Notification may only be delayed if the notice were to impede on a criminal investigation.

The notification, which must be made in writing, by phone or electronically, must include, at a minimum:

• A description of the breach in general terms;
• The approximate date of the breach;
• The type of personal information that was subject to the breach;
• The company’s contact information;
• The contact information for national consumer reporting agencies; and
• Advice to the consumer to report suspected identity theft to law enforcement, including the state Attorney General and the Federal Trade Commission.

Moreover, if more than 250 residents are notified, the company will be required to submit, in writing or electronically, a copy of the notification to the Attorney General. If more than 1,000 residents are notified, then the company will also have to notify all nationwide Consumer Reporting Agencies.

Data breach notification laws are demanding on hacked companies, but they are not the only laws with which these business entities must comply following a cyber attack. State and federal laws, including employment, medical, and financial laws, usually apply. In addition, states like Oregon impose pre-data breach measures, also known as information security standards—we will further cover this issue in our next post—on any company doing business in the state to protect the security, confidentiality and integrity of personal information before a breach. (California just passed one such law, specifically targeted at marijuana businesses.)

Cannabis companies affected by a data breach should always consult with experienced cyber security attorneys to avoid any civil penalty, but also to retain public confidence and maintain their competitive edge in this high-risk cyber environment.