Connecticut, Oregon, and Washington update their data breach notification laws

Data Breach Notification Law Map by IT GovernanceConnecticut, Oregon, and Washington have all strengthened their data breach notification requirements, affecting organizations that do business in those states.


In Connecticut, Public Act 15-152 amends Sec. 6. Section 36-a701b of the general statutes, which now mandates that breached companies supply affected individuals with free credit monitoring and identity theft protection services for at least a year after a data breach incident. Notification – previously required “without unreasonable delay” must now be made no later than 90 days after the discovery of a breach. The amended statute is effective as of October 1, 2015.


In Oregon, A-Engrossed Senate Bill 601 (SB 601) was signed into law earlier this month, updating the Oregon Consumer Identity Theft Protection Act of 2007. Among other amendments, SB 601 expands the definition of “personal information” to include Oregonians’ biometric, health insurance, and medical information, and requires breached entities to notify Oregon’s attorney general when more than 250 individuals are affected by an incident. The amended statute is effective as of January 1, 2016.


In Washington, Engrossed Substitute House Bill 1078 (HB 1078) was signed into law in April, updating Washington Revised Code 19.255.010 to provide greater protection for Washington residents. Among other new obligations, breached entities must now report the theft of all information – not just unencrypted information – to affected individuals and must notify Washington’s attorney general when more than 500 individuals are affected by any incident. Breach notices must be made no more than 45 days after a breach is discovered. The amended statute is effective as of July 24, 2015.

2015 federal data breach notification legislation

In reaction to the recent spate of data breach incidents to hit the US, there has been a flurry of legislative activity. So far in 2015, seven federal data security bills have been proposed:

Until one or more is enacted, however, organizations across the US must comply with 47 individual state data breach notification laws, details of which can be found here >>

The best – and easiest – way to fulfill your data security obligations and avoid the costs associated with suffering a data breach is to implement and maintain an information security management system (ISMS) as laid out in the international information security management standard ISO 27001.

ISO 27001 presents a comprehensive and logical approach to developing, implementing, and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments.

The additional external validation demonstrated by accredited registration to ISO 27001 will improve an organization’s cybersecurity posture while providing a higher level of confidence in customers and stakeholders, which is essential for securing certain global and government contracts.

IT Governance has created four ISO 27001 implementation solutions to give US organizations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.

Find out more >>

ISO 27001 implementation solutions