skip to main content
Experience List
  • Email Page
  • Create PDF
  • Print Page


Or. Rev. Stat. §§ 646A.600-.604, 646A.624 - .626  
Amendments effective June 2, 2018 available here (codified provisions incorporating amendments not yet available)

To print or save this summary, click here.


Quick Facts

Breach Based on
Harm Threshold

Deadline for
Consumer Notice

Notification Required


No later than 45 days

YES, if >250 residents affected


More Details

Scope of this Summary Notification requirements applicable to persons that own, license, or otherwise possess covered info in the course of business, vocation, occupation or volunteer activities. Some types of businesses may be exempt from some or all of these requirements, but may be required to notify AG of breach even if exempt.
Covered Info First name or first initial and last name, plus: Social Security number; driver license or state ID card number; passport or other U.S.-issued ID number; financial account, credit or debit card number, in combination with any required security or access code or password that would permit access to the resident's financial account or any other combination of information covered entity reasonably should know grants access to a financial account; biometric data; health insurance information used by insurer to identify the resident; or medical information.

OR any of the above data elements without name, if that information is not encrypted, redacted, or otherwise rendered unusable or if the compromised info would be sufficient to permit a person to commit identity theft.
Form of Covered Info Electronic Only
Encryption Safe Harbor Statute does not apply to information that is encrypted, redacted or rendered unusable with other methods.
Breach Defined Unauthorized acquisition that materially compromises the security, confidentiality or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Consumer Notice Timing: Must be made in the most expeditious time possible and without unreasonable delay, but not later than 45 days following discovery or notification of breach. In providing notice, covered entity should undertake reasonable measures necessary to determine sufficient contact info, determine the scope of the breach, and restore the reasonable integrity, security and confidentiality of the data.

Content: Notice must include a description of the breach in general terms, approximate date of the breach, the type of covered info subject to the breach, contact info for the covered entity, contact info for the national CRAs, and advice to report suspected identity theft to law enforcement, including the Attorney General and the FTC. If credit monitoring/ID theft protection services offered to affected resident free of charge, enrollment may not require resident to provide credit or debit card number. If additional credit mornitoring/ID theft protection services offered for a fee, offer must separately, distinctly, clearly and conspicuously disclose existence of fee.

Method: By written notice, by telephone notice (if direct contact made with resident), or electronic notice (if it’s the customary method of communication with the resident or is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.
Delayed Notice Notification to consumers and AG may be delayed only if law enforcement determines that notice will impede criminal investigation and has made a written request that the notification be delayed.
Harm Threshold Notification not required if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement, covered entity reasonably determines that affected residents are unlikely to suffer harm. The determination must be documented in writing and retained for five years.
Consumer Agency Notice If more than 1,000 residents are affected, must notify all nationwide CRAs without unreasonable delay of timing, distribution, content of the consumer notice and include a police report number, if any. CRA notice may not delay consumer notice.
Government Notice Must notify AG of breaches affecting over 250 residents within 45 days of discovery or notification of breach.
Third-Party Notice If you maintain or otherwise possess covered info on behalf of another entity, you must notify them as soon as practicable after discovery of a breach.
Potential Penalties Violations may result in civil penalties.


To print or save this summary, click here.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 2, 2018