Oregon Statutes § 646A.600 et seq
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"(a) “Breach of security” means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.
(b) “Breach of security” does not include an inadvertent acquisition of personal information by a person or the person’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information."
When is notice required?
Notice is required for all affected residents "in the most expeditious manner possible, without unreasonable delay, consistent with the legitimate needs of law enforcement...and consistent with any measures that are necessary to determine sufficient contact information for the affected consumer, determine the scope of the breach of security and restore the reasonable integrity, security and confidentiality of the personal information." The Attorney General also receives notice for all breaches affecting over 250 residents. Notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on circumstances, but must include the six items in § 646A.604(5). Should the breach affect over 1,000 residents then consumer credit agencies must be notified as well.
What are the penalties for non-compliance?
Violations have their own section of the law, § 646A.604(9), which reads as follows, and makes violations an unlawful trade practice:
"(a) A person’s violation of a provision of ORS 646A.600 to 646A.628 is an unlawful practice under ORS 646.607.
(b) The rights and remedies available under this section are cumulative and are in addition to any other rights or remedies that are available under law."