Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No later than 45 days
Government Notification Required: Yes, if>250 residents affected
Scope of this Summary:
Notification requirements applicable to persons who own, license, or otherwise possess covered info in the course of business, vocation, occupation, or volunteer activities. Some types of businesses may be exempt from some or all of these requirements but may be required to notify AG of breach even if exempt.
Risk of Harm Threshold
Notification not required if, after an appropriate investigation or after consultation with relevant federal, state, or local law enforcement, covered entity reasonably determines that affected residents are unlikely to suffer harm. The determination must be documented in writing and retained for five years.
Unauthorized acquisition that materially compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, redacted, or rendered unusable with other methods.
Form of Covered Info
- First name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number issued by the Department of Transportation.
- Passport number or other identification number issued by the United States.
- Financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account.
- Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction.
- A health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer.
- Any information about a consumer's medical history or mental or physical condition or about a healthcare professional's medical diagnosis or treatment of the consumer.
- A username or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the username or means of identification.
Consumer Notice Timing
Must be made in the most expeditious time possible and without unreasonable delay but no later than 45 days following discovery or notification of breach. In providing notice, covered entity should undertake reasonable measures necessary to determine sufficient contact info, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
In writing, electronically, if consistent with the ESIGN Act. By telephone. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
- A description of the breach of security in general terms.
- The approximate date of the breach of security.
- The type of personal information that was subject to the breach of security.
- Contact information for the covered entity.
- Contact information for national Consumer Reporting Agencies.
- Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.
Notification to consumers and AG may be delayed only if law enforcement determines that notice will impede criminal investigation and has made a written request that the notification be delayed.
Must notify AG of breaches affecting over 250 residents within 45 days of discovery or notification of breach.
Exceptions for Other Laws
The statute includes certain exceptions for covered entities that comply with: The Gramm-Leach-Bliley Act (GLBA); the Health Insurance Portability and Accountability Act (HIPAA); or the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Consumer Reporting Agency Notice
If more than 1,000 residents affected, must notify, without unreasonable delay, nationwide Consumer Reporting Agencies of timing, distribution, and content of consumer notice, and include police report number, if any. This may not delay consumer notice.
Vendors must notify covered entities as soon as practicable, but no later than 10 days after discovery of a breach, and are not required to notify consumers themselves.
Private Right of Action
* Although the Oregon statute does not explicitly provide for a private right of action, it anticipates that affected consumers may pursue a civil action (Or. Rev. Stat. § 646A.624(3); see Question 12). Notably, two federal district courts have addressed this issue and reached different conclusions (see Patton v. Experian Data Corp., 2018 WL 6190349, at *10 (C.D. Cal. Jan. 8, 2018) and In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1167 (D.Minn. 2014)).
Violations may result in civil penalties.