Oregon
Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626
S.B. 583 (signed into law July 12, 2007)
Effective October 1, 2007
Application. Any individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in Or. Rev. Stat. § 174.109 (collectively, Entity) that owns, maintains or otherwise possesses data that includes an individual’s PI that is used in the course of the Entity’s business, vocation, occupation or volunteer activities and was subject to the breach of security.
Security Breach Definition. Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI maintained by the Entity.
- Does not include good-faith acquisition of PI by an Entity or that Entity’s employee or agent for a legitimate purpose of that Entity if the PI is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the PI.
Notification Obligation. Any Entity to which the statute applies shall give notice of the breach of security following discovery of such breach of security, or receipt of notification, to any Entity whose PI was included in the information that was breached.
- Notification is not required if, after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the Entity reasonably determines that the breach has not and will not likely result in harm to the individuals whose PI has been acquired and accessed. Such a determination must be documented in writing and the documentation must be maintained for five years.
Notification to Consumer Reporting Agencies. If an Entity discovers a breach of security affecting more than 1,000 individuals that requires disclosure under this section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on individuals on a nationwide basis of the timing, distribution and content of the notification given by the Entity to the individuals. The Entity shall include the police report number, if available, in its notification to the consumer reporting agencies.
Third-Party Data Notification. Any person that maintains or otherwise possesses PI through a licensing agreement with another person shall notify the owner or licensee of the information of any breach of security immediately following discovery of such breach of security if an individual’s PI was included in the information that was breached.
Timing of Notification. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine sufficient contact information for the individuals, determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data.
Personal Information Definition. An OR resident’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
- Social Security Number;
- Driver license number or state identification card number issued by the department of transportation;
- Identification number issued by a foreign nation;
- Passport number or other United States-issued identification number;
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an OR resident’s financial account.
PI also includes any PI data element or any combination of the PI data elements if the information would be sufficient to permit an individual to fraudulently assume the identity of the OR resident whose information was compromised. PI does not include publicly available information, other than a Social Security Number, that is lawfully made available to the general public from federal, state or local government records.
Notice Required. Notice shall include at a minimum:
- A description of the incident in general terms;
- The approximate date of the breach of security;
- The type of PI obtained as a result of the breach of security;
- Contact information of the person subject to this section;
- Contact information for national consumer reporting agencies; and
- Advice to the individual to report suspected identity theft to law enforcement.
Notice may be provided by one of the following methods:
- Written notice;
- Telephone notice, provided that contact is made directly with the affected individual; or
- Electronic notice if the Entity’s primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of individuals to be notified exceeds 350,000, or if the Entity does not have sufficient contact information to provide notice. Substitute notice consists of the following:
- Conspicuous posting of the notice or a link to the notice on the home page of the Entity’s Web site if the Entity maintains one; and
- Notification to major statewide television and newspaper media.
Exception: Compliance with Other Laws.
- Primary Regulator. An Entity that complies with the notification requirements or breach of security procedures that provide greater protection to PI and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by the Entity’s primary or functional federal regulator shall be deemed to be in compliance.
- Gramm-Leach-Bliley Act. A person that complies with regulations regarding notification requirements or breach of security procedures that provide greater protection to PI and at least as thorough disclosure requirements promulgated pursuant to Title V of the Gramm-Leach-Bliley Act shall be deemed to be in compliance.
- More Restrictive State or Federal Law. An Entity that complies with a state or federal law that provides greater protection to PI and at least as thorough disclosure requirements for breach of security of PI than that provided by this section shall be deemed to be in compliance.
Other Key Provisions:
- Delay for Law Enforcement. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and that agency has made a written request that the notification be delayed. The required notification shall be made after that law enforcement agency determines that its disclosure will not compromise the investigation and notifies the Entity in writing.