Oregon Notice of Breach of Security
OR Rev Stat § 646A.600 - 646A.604, § 646A.622 - 646A.628
SUMMARY:
EFFECTIVE. October 1, 2007
WHO DOES THIS LAW APPLY TO. Any person or business that owns, licenses, or maintains data that includes Personal Information which is used in the course of a business, occupation, vocation, or volunteer activities.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that materially compromises the security, integrity, or confidentiality of Personal Information maintained by a person or business. A good faith acquisition of Personal Information by an employee or agent of the person or business for a legitimate purpose is not a breach, if it is not used for an unlawful purpose or in a manner that harms or potentially threatens the security, confidentiality, or integrity of the Personal Information.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unusable, or if encrypted the key has also been acquired:
- Social Security Number.
- Driver’s license number or state identification card number.
- Passport or other United States issued identification number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina, or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction.
- A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer.
- Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.
- A username or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the username or means of identification.
Personal Information also includes any of the data elements listed above, when not combined with the consumer’s first name, or first initial and last name, and when the data elements are not encrypted or redacted, if the information obtained would be sufficient to permit identity theft.
Personal Information does not include publicly available information, other than a Social Security Number, that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security. If a notice to more than 250 residents must be sent, then notice must be sent to the Attorney General, either in writing or electronically, with at least one copy of any notice the person, the covered entity, or the vendor sends to consumers. This notice must be sent within a reasonable time.
If more than 1,000 residents are involved in a breach, the person or business shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide of the timing, distribution, and content of the notice, as well as any available police report number. Notification to the affected individuals shall not be delayed in order to provide notice to the consumer reporting agencies.
EXCEPTION. This Section does not apply to the following:
- No notification is required if the person or business, after a reasonable investigation or consultation with relevant Federal, State, or local law enforcement agencies, determines that no reasonable likelihood of harm to affected residents has occurred, or is likely to occur. The covered entity must document the determination in writing and maintain the documentation for at least five years.
- This Section does not apply to a person or business that complies with a State or Federal law that provides greater protection to Personal Information, and at least as thorough disclosure requirements for a security breach.
- A person or business that is regulated by and complies with State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, which provide greater protection to Personal Information and at least as thorough disclosure requirements, is considered in compliance with this Section.
- A person or business that is subject to and complies with Title V of the Federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business discovers or is notified of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, and any measures necessary to determine the scope of the breach, sufficient contact information for the individual(s) affected, and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation, and such request is made in writing. In that instance, notification will be made after clearance by law enforcement is received in writing.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic, if contact is made directly with the affected individual.
- Electronic, if it is the customary means of communication or the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001.
- Substitute notice as provided below.
The notice shall include, at a minimum, the following information:
- A general description of the security breach.
- The approximate date of the breach.
- The type of Personal Information acquired.
- Contact information for the person or business providing notice. If the person or entity offers to provide credit monitoring services or identity theft prevention and mitigation services without charge to the consumer, the entity, agent, or the affiliate may not condition the provision of the services on the consumer’s providing the entity, agent, or the affiliate with a credit or debit card number or on the consumer’s acceptance of any other service the covered entity offers to provide for a fee.
- Contact information for the national consumer reporting agencies.
- Advice to report suspected identity theft to law enforcement, including the Federal Trade Commission.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 350,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Conspicuous posting of, or link to, the notice on the website home page of the person or business if one is maintained.
- Notification to major statewide television and newspaper media.
NOTICE TO THIRD-PARTIES. If a person or business maintains or possesses Personal Information that it does not own, then the person or business shall notify the owner or licensor of any security breach immediately upon discovery. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The Director of the Department of Consumer and Business Services may:
- Issue a cease and desist order to prevent any further violations of the law.
- Order a person or business to pay compensation to the injured residents, if it is determined that a private civil action would be too burdensome or expensive.
- In addition to all other penalties and enforcement provided by law, any person or business that violates, or participates or assists in a violation of this Section, shall be subject to a penalty of up to $1,000 per violation, paid to the General Fund of the State Treasury.
- Each violation is a separate offense, and each day that the violation continues is a separate violation. The maximum penalty for any occurrence shall not exceed $500,000.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. OR Rev Stat § 646A.622.
DATA DISPOSAL PROVISIONS. OR Rev Stat § 646A.622. A covered entity and a vendor shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information.
LEGISLATIVE UPDATES.
S.B. 583 – Signed into law on 7/12/2007, Effective 10/1/2007.
S.B. 574 – Signed into law on 6/13/2013, Effective 9/12/2013.
S.B. 601 – signed into law on 6/10/2015, Effective 1/1/2016.
S.B. 1551 – signed into law on 3/16/2018, Effective 6/2/2018.
S.B. 684 – signed into law on 5/24/2019, Effective 1/1/2020.
For more information, see: https://oregon.public.law/statutes/ors_chapter_646 and https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.