NB: This page summarizes current Oregon law. However, Oregon amended its data breach notification statute effective January 1, 2020. This page will be updated at that time.
Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: No later than 45 days
Government Notification Required: YES, if > 250 residents affected
Scope of this Summary
First name or first initial and last name, plus: Social Security number; driver license or state ID card number; passport or other U.S.-issued ID number; financial account, credit or debit card number, in combination with any required security or access code or password that would permit access to the resident's financial account or any other combination of information covered entity reasonably should know grants access to a financial account; biometric data; health insurance information used by insurer to identify the resident; or medical information, OR any of the above data elements without name, if that information is not encrypted, redacted, or otherwise rendered unusable and the compromised info would be sufficient to permit a person to commit identity theft.
Form of Covered Info
Encryption Safe Harbor
Timing: Must be made in the most expeditious time possible and without unreasonable delay, but not later than 45 days following discovery or notification of breach. In providing notice, covered entity should undertake reasonable measures necessary to determine sufficient contact info, determine the scope of the breach, and restore the reasonable integrity, security and confidentiality of the data.
Content: Notice must include a description of the breach in general terms, approximate date of the breach, the type of covered info subject to the breach, contact info for the covered entity, contact info for the national CRAs, and advice to report suspected identity theft to law enforcement, including the Attorney General and the FTC. If credit monitoring/ID theft protection services are offered to affected resident free of charge, enrollment may not require resident to provide credit or debit card number. If additional credit monitoring/ID theft protection services are offered for a fee, offer must separately, distinctly, clearly and conspicuously disclose existence of fee.
Method: By written notice, by telephone notice (if direct contact made with resident), or electronic notice (if it’s the customary method of communication with the resident or is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.