Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- $1,000 per violation, up to $500,000

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach notifications to any affected Oregon residents must be made within 45 days of discovery of a breach.
  • Notification to the Attorney General is required when 250 or more residents are affected.
  • Breach reporting must be made to all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis if the breach affects more than 1,000 Oregon residents.
  • If a contracted vendor experiences a breach or suspected breach of security, they must notify the data owner within 10 days of discovering the breach.
  • If a contracted Vendor who experiences a breach of security affecting more than 250 Oregon residents (or if the Vendor cannot determine the number affected) finds that the Organization has not provided breach notification to the Attorney General, the Vendor must complete the breach notification.
  • Documentation must be maintained for at least 5 years if it is reasonably determined that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.
  • The State Attorney General may publish the name of the breached entity and corresponding information.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations and their contracted vendors must develop, implement and maintain an information security program to protect personal information it possesses and accesses.
  • Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect the personal information of the Organization.
  • The information security program includes requirements for the secure disposal of personal information when it is no longer needed for business purposes or as required by law. An organization contracted with a record destruction vendor is considered in compliance with the requirement if the vendor provides the same level of data protection and security.
  • Vendors must have the same level of security and protection for personal information as Organizations, including a program for protection and security with administrative, technical and physical safeguards.
  • Vendors must have the same safeguards in place during data disposal.
  • Data disposal vendors must be contracted.
  • Organizations may be fined or penalized for Vendor violations.
Statutes and Laws
  • ORS §§ 646A.600 – 646A.628  Oregon Consumer Information Protection Act

    ORS § 646A.604  Notice of breach of security

    ORS § 646A.622  Requirement to develop safeguards for personal information

    ORS § 646A.624  Powers of director, penalties

    OAR § 847-012-0000  Patient’s Access to Medical Records

    OAR §§ 581-021-0220 – 581-021-0440  Student Education Records

    OAR § 581-021-0270  Right of Inspection and Review of Education Records

BAck to map