Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- $1,000 per violation, up to $500,000

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach notifications to any affected Oregon residents must be made within 45 days of discovery of a breach.
  • Notification to the Attorney General is required when 250 or more residents are affected.
  • Breach reporting must be made to all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis if the breach affects more than 1,000 Oregon residents.
  • If a contracted vendor experiences a breach or a suspected breach of security, they must notify the data owner within 10 days of discovering the breach.
  • Written documentation must be maintained for at least 5 years if it is reasonably determined that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.
  • The State Attorney General may publish the name of the breached entity and corresponding information.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses and contracted vendors must develop, implement and maintain an information security program to protect the personal information they possess or access.
  • The information security program includes requirements for the secure disposal of personal information when it is no longer needed for business purposes or as required by law. A business contracted with a record destruction vendor is considered in compliance with the requirement if the vendor provides the same level of data protection and security.
  • Sector-specific regulations (health, education) provide for an individual’s right to access their personal information.
Statutes and Laws
  • ORS §§ 646A.600 – 646A.628  Oregon Consumer Information Protection Act
    • ORS § 646A.604  Notice of breach of security
    • ORS § 646A.622  Requirement to develop safeguards for personal information
    • ORS § 646A.624  Powers of director, penalties
  • OAR § 847-012-0000  Patient’s Access to Medical Records
  • OAR §§ 581-021-0220 – 581-021-0440  Student Education Records
    • OAR § 581-021-0270  Right of Inspection and Review of Education Records