Browse data breach notification laws in the United States by state or territory. This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date. Please review our Terms of Service. Report any errors or issues to: webmaster@amp.legal.
| Last Updated | Oregon breach law summary was last updated on 07/02/2017 |
| Statute | Oregon Rev. Stat. §§ 646A.600 to .628 |
| Covered Entities | "Person" means an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109. |
| Covered Information | "Personal Information" includes a consumer's First Name (or First Initial) and Last Name PLUS one of the following: |
| Form of Information | Electronic |
| Breach Trigger | Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains. |
| Encryption Safe Harbor | No. A consumer's first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired. |
| Risk of Harm Analysis | Yes. A person does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the person reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. The person must document the determination in writing and maintain the documentation for at least five years. |
| Consumer Notice | A person that owns or licenses personal information that the person uses in the course of the person's business, vocation, occupation or volunteer activities and that was subject to a breach of security shall give notice of the breach of security to: The consumer to whom the personal information pertains after the person discovers the breach of security or after the person receives notice of a breach of security. |
| Government Agency Notice | Yes, more than 250. Notify the Attorney General, either in writing or electronically, if the number of consumers to whom the person must send the notice described in paragraph (a) of this subsection exceeds 250. |
| Credit Agency Notice | Yes, more than 1,000 consumers. If a person discovers a breach of security that affects more than 1,000 consumers, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notice the person gave to affected consumers and shall include in the notice any police report number assigned to the breach of security. |
| Penalties | Yes. A person's violation of a provision of ORS 646A.600 to 646A.628 is an unlawful practice under ORS 646.607. |
| Private Cause of Action | Yes. 646A.624(3): If the director has reason to believe that any person has engaged or is engaging in any violation of ORS 646A.600 to 646A.628, the director may issue an order, subject to ORS chapter 183, directed to the person to cease and desist from the violation, or require the person to pay compensation to consumers injured by the violation. The director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical. |