Data Breaches Workgroup Prepares for Session
by Mark Hester
As previously reported in the OBI Weekly Update, Senator Floyd Prozanski (D-Eugene) and Representative Paul Holvey (D-Eugene) formed a workgroup on data breaches amid concerns created by the hack of credit reporting giant Equifax earlier this year. Data security is an important issue for Oregon Business & Industry (OBI) members, who, like everyone else, want to know that their information is safe. But it is also a complex issue that is difficult to regulate effectively and legally.
Several statutory and regulatory changes were discussed at the December 8 meeting of the workgroup. These changes could create significant legal and operational complications for retailers and other businesses that use or store customers’ personal identifying information.
The Legislative leaders of the workgroup are considering legislation for both February 2018 and the Long Session in 2019. Bill drafts for February were distributed during the workgroup. Here’s what they propose:
• Remove fees for consumers who wish to freeze, thaw, or lift a freeze on their credit. Some Legislators and advocates want these actions to be free to the consumer, regardless of the number of times performed. Others propose one free freeze, thaw, or lifting of freeze, with reduced fees on subsequent ones.
• Establish deadlines – the current proposal is 45 days – for reporting data breaches to affected consumers.
• Restrict upselling, the practice of offering additional services for a fee when providing free credit monitoring after a data breach.
In addition to those proposals, Prozanski and Holvey have not ruled out inclusion of data breach as a private right of action under Oregon’s Unlawful Trade Practice Act. Allowing a private right of action would expose businesses, including some not at fault for the breach, to greater risk of lawsuits. This would be a significant legal change, which OBI opposes. It especially should not be considered in the 2018 Short Session.