Oregon Security Breach Law — Summary

Oregon Employers — CAUTION. If you store any "consumer" personal information electronically, read on. Oregon has adopted laws that apply where the security of a consumer, including your employee(s), electronically stored personal information has been breached. ORS 646A.604. "Consumer" includes, for example, employees, clients, and vendors' personal information.

Security Breach

In Oregon, a security breach is defined as, "an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains." A security breach does not include an "inadvertent acquisition of personal information by a person or the person's employee or agent if the personal information is not used in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information."

Personal Information

Personal information includes name, Social Security number, driver license or state ID card number, passport number, financial account number, credit card or debit card number, data from automatic measurements of a consumer's physical characteristics such as an image of a fingerprint, retina or iris, health insurance policy number or subscriber information number, medical history including mental or physical condition.

Notice

If a security breach of a consumer's personal information has occurred, the employer is required to give "Notice" to: (1) the consumer whose personal information has been breached; (2) national credit reporting agencies, if the breach affects more than 1,000 consumers; (3) Oregon's Attorney General, if the breach affects more than 250 Oregon residents.**

Notice must include, at a minimum: description of the security breach, the date of the breach, the type of personal information that was subject to the breach, consumer's contact information, contact information for national consumer reporting agencies if applicable, and advice to the consumer to report suspected identity theft to law enforcement including the Attorney General and the Federal Trade Commission.**

**The vast majority of other States have also enacted security breach laws that are similar, but not identical, to Oregon's security breach laws. If the security breach includes consumers who reside not only in Oregon, but also other States, the employer must comply with the other State(s) applicable security breach laws as well.

Timing

Notification must be made in the most expeditious manner possible, without unreasonable delay.

Method Of Notice

Generally, notice can be made in writing, electronically if you generally communicate with the consumer electronically, by telephone if you generally communicate with the consumer by telephone, or by publication if the cost of notification would otherwise exceed $250,000 or the affected class exceeds 400,000.

Penalties

In addition to all other penalties and enforcement provisions provided by law, any person who violates or aids and abets in the violation of the breach notification law shall be subject to a penalty of not more than $1,000 for each violation. Each violation is a separate offense, and each day's continuance is a separate violation, with a max of $500,000. Plus, consumers retain a private right of action.

Questions

If you have questions, please contact our office.