Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- $1,000 per violation, up to $500,000

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach notifications to any affected Oregon residents must be made within 45 days of discovery of a breach.
  • Notification to the Attorney General is required when 250 or more residents are affected.
  • Breach reporting must be made to all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis if the breach affects more than 1,000 Oregon residents.
  • If a contracted vendor experiences a breach or a suspected breach of security, they must notify the data owner within 10 days of discovering the breach.
  • Documentation (written) must be maintained for at least 5 years if it is reasonably determined that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.
  • The State Attorney General may publish the name of the breached entity and corresponding information.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses and contracted vendors must develop, implement and maintain an information security program to protect personal information it possesses and accesses.
  • The information security program includes requirements for the secure disposal of personal information when it is no longer needed for business purposes or as required by law. A business contracted with a record destruction vendor is considered in compliance with the requirement if the vendor provides the same level of data protection and security.
  • Sector-specific regulations (health, education) provide for an individual’s right to access their personal information.
Statutes and Laws

  • ORS §§ 646A.600 – 646A.628  Oregon Consumer Information Protection Act

    ORS § 646A.604  Notice of breach of security

    ORS § 646A.622  Requirement to develop safeguards for personal information

    ORS § 646A.624  Powers of director, penalties

    OAR § 847-012-0000  Patient’s Access to Medical Records

    OAR §§ 581-021-0220 – 581-021-0440  Student Education Records

    OAR § 581-021-0270  Right of Inspection and Review of Education Records

BAck to map

Our site uses cookies to ensure you get the best experience on our website. If you continue without changing your browser settings, you are providing consent to our Cookie Policy.

Yes, I Accept Cookies