OREGON: Tightening the Language
In 2017, Oregon’s legislature amended data protection laws.
O.R.S. 646A.604, the state’s breach notification law, adding
to the list of those to which it applies, reducing the time
of breach notification to 45 days, and removing onerous
requirements from free credit monitoring services provided to
victims of a breach. Also amended was O.R.S. 646A.622, the
state’s information security law, where it added a requirement
to conduct risk assessments and provide training “with
reasonable regularity.” Previously, the law had not referenced
any timeframe.
THE TIP OF THE ICEBERG:
Keeping Up with the Neighbors
I began this article asserting the fact that the GDPR
represents the future of data protection globally. I also
referenced California’s bellwether status regarding data
protection.
As of this writing, reliable sources indicate that a New Jersey
bill will soon be introduced with the expressed purpose of
harmonizing the state’s data protection laws with the GDPR.
Those who have reviewed early drafts of the bill report that
it aligns with the European regulation, exceeding that of the
California law.
If history repeats itself, there are no doubt sponsors of such
legislation in other states. Furthermore, it is logical that, like
breach notification, states not yet doing so will follow suit,
for the simple reason that their citizens will demand similar
protections.
GLOBALLY
The fact that this trend is fueled by developments outside
the U.S. is evidence enough that it is global in nature. The
Bahamas, Korea, Brazil, Japan, and Australia have either
acted or are close to acting. On November 1, a new universal
data breach notification requirement goes into effect in
Canada. There too, the provinces are taking even stronger
actions. Following the lead of Alberta and British Columbia,
Ontario is currently considering a law that will supersede the
country’s national privacy law.
What to Do
Not always, but in general, it is safe to say that enhanced data
protection laws are good for data protection service providers.
All ships rise on the tide. Any firm that has survived the recent
industry contractions stands to do pretty well. As to how well
is up to each individual service provider. Will they adopt a
passive or active approach?
Passive is easier, of course, but the benefits will be less
(obviously). The phone might ring more often. The Internet
inquiries will increase. Eventually, salespeople will learn the
new buzzwords.
Active is better. Strategically pursuing this trend will reap
greater market share and higher profits.
What does that look like?
In California, it might mean forming alliances with throngs of
privacy consultants who will be busy advising nervous data
controllers. Or it could mean adding services to respond to
consumer requests for information about their record (since
they can request it any time). Or maybe it simply means
honing a CCPA compliant contract.
In Colorado, it means helping clients create their legally
required destruction policies and procedures, first to their
customers, and then their competitors’ customers. Some will
be tempted to provide a template. Some, the smart ones,
will use the opportunity to review the customers’ disposal
practices, not only better protecting the customers, but most
likely increasing the amount of business they’re doing with
them. The Colorado law, and the trend in general, should/
could easily become the point at which every customer
should convert to a “destroy all” policy. It has finally become
negligent to allow a double stream for any discarded media.
continued on page 34
“In states or countries yet
to act, it is really a matter of
‘when’ not ‘if’ it is time for
service providers to prepare.
Many have already.”