Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
- $1,000 per violation, up to $500,000

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made to the Attorney General if the breach affects more than 250 consumers.
  • Breach reporting must be made to all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis if the breach affects more than 1,000 consumers.
  • The law defines specific requirements for consumer notification and disclosure of a breach to the State Attorney General.
  • The State Attorney General may publish the name of the breached entity and corresponding information.
  • Written documentation must be maintained for at least 5 years if it is reasonably determined that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.
  • The information security program must include disposing of personal information when it is no longer needed for business purposes or as required by law. Contracting with another person engaged in the business of record destruction to dispose of personal information is considered in compliance.
  • If a vendor is breached, the vendor must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • ORS §§ 646A.600 – 646A.628  Oregon Consumer Identity Theft Protection Act

    ORS § 646A.622  Requirement to develop safeguards for personal information

    ORS § 646A.624  Powers of director, penalties
