What does Oregon law require you to do, and who are you required to notify? What happens if you don’t notify anyone?

Data Breach Notification Laws

Enacted in 2007, Oregon’s data breach notification law requires businesses and state agencies to notify any Oregon consumer whose personal information was subject to a breach of security. If a breach effected more than 250 Oregon consumers, the law also requires that a sample copy of a breach notice sent must also be provided to the Oregon Attorney General.

Breach of Security

The Oregon Department of Justice defines breach of security as an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information that a person maintains or possesses.

Requirements:

1. If your company has experienced a data breach of an Oregonian’s personal information, you must notify the affected person within 45 days of discovering the breach.
2. If your company has experienced a data breach of 250 or more Oregonians’ personal information, you must report the breach to the Attorney General within 45 days of discovering the breach. Report a data breach online at: https://justice.oregon.gov/consumer/DataBreach/Home/Submit

1. If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

4. If you fail to have reasonable security or provide proper notification of a data breach, you could be liable for civil penalties of up to $25,000 per violation.

Personal Information (PI)

Personal information (PI) includes an Oregonian’s first name or first initial and last name in combination with any one or more of the following data elements:

• Social Security Number.
• Driver license number or state identification card number issued by the department of transportation.
• Passport number or other identification number issued by the United States.
• Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to a financial account.
• Biometric data such as an image of a fingerprint, retina or iris, or other unique characteristics used to authenticate the consumer’s identity.
• Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer.
• Medical information, including medical history, mental or physical condition, diagnosis, or treatment.

Data Security Breach Notification Laws by State

Businesses must invest in security and be ready to respond if a breach occurs. Part of your preparedness program should be staying current on data breach legislation at the state level. Mintz is a useful online resource to review Data Breach Notification Laws by state.

Image Courtesy of Mintz

List of Data Breach Notifications in Oregon

Data security breach notifications sent to the Oregon Attorney General’s Office are available for review here. 

Oregon State Data Breach Resources

• Oregon Revised Statutes 646A.604: Notice of Breach of Security
• Oregon Data Breach Reporting (PDF)
• Oregon Department of Justice Consumer Protection

Additional Data Breach Resources

• Data Breach Response: A Guide for Business (FTC Link)
• Data Breach Response: A Guide for Business (PDF)

Teknologize has clients throughout the Pacific Northwest with offices located in the Tri-Cities and Yakima, Washington 509.396.6640 and Bend, Oregon 541.848.6072.