If you do business in Oregon and own, maintain, or possess data about Oregon residents, you must comply with Oregon’s Consumer Identity Theft Protection Act (the “Act”). The Act requires the implementation of reasonable safeguards to protect the security, confidentiality, and integrity of personal information. Personal information is defined as:
- Social Security number, driver’s license number or state identification card number, U.S.-issued identification number, financial account number, and credit or debit card number, in combination with any required security code, access code, or password that permits access to the financial account; and
- Biometric, health insurance, and medical information.
If you experience a data breach that materially compromises the security, confidentiality, or integrity of personal information, you must notify every affected Oregon resident. If the breach affects more than 250 Oregon residents, you must also notify Oregon’s Attorney General, either in writing or electronically through the form found here: https://justice.oregon.gov/consumer/DataBreach/Home/Submit.
All notices must be given in the most expeditious manner possible without unreasonable delay, unless the delay is requested by law enforcement.
Violation of the Act is an unlawful practice under Oregon’s Unlawful Trade Practices Act. This means that businesses that fail to properly safeguard personal information or comply with the mandatory notification requirements could be subject to civil actions by either the Attorney General or local district attorneys. While private individuals do not have a right to sue directly for violation of these laws, they could seek recovery based on other legal theories (such as breach of contract).
Having robust privacy policies and data retention policies, as well as an incident response plan that details your notification obligations, will help your compliance efforts.