Oregon’s Data Breach Notification Law

If you do business in Oregon and own, maintain, or possess data about Oregon residents, you must comply with Oregon’s Consumer Identity Theft Protection Act (the “Act”). The Act requires the implementation of reasonable safeguards to protect the security, confidentiality, and integrity of personal information. Personal information is defined as:

  • Social Security number, driver’s license number or state identification card number, U.S. issued identification number, financial account number, and credit or debit card number, in combination with any required security code, access code, or password that permits access to the financial account; and
  • Biometric, health insurance, and medical information.

If you experience a data breach that materially compromises the security, confidentiality or integrity of personal information, you must notify every affected Oregon resident. If the breach impacts more than 250 Oregon residents, then you must also notify Oregon’s Attorney General in writing or electronically through a form found here: https://justice.oregon.gov/consumer/DataBreach/Home/Submit. 

All notices must be given in the most expeditious manner possible without unreasonable delay, unless the delay is requested by law enforcement.

Violation of the Act is an unlawful practice under Oregon’s Unlawful Trade Practices Act. This means that businesses that fail to properly safeguard personal information or comply with the mandatory notification requirements could be subject to civil actions by either the Attorney General or local district attorneys. While private individuals do not have a right to sue directly for violation of these laws, they could seek recovery based on other legal theories (such as breach of contract).

Having robust privacy policies and data retention policies, as well as an incident response plan that details your notification obligations, will help your compliance efforts.
