ORS 646A.604
Notice of breach of security

  • delay
  • methods of notification
  • contents of notice
  • application of notice requirement

(1)

If a covered entity is subject to a breach of security or receives notice of a breach of security from a vendor, the covered entity shall give notice of the breach of security to:

(a)

The consumer to whom the personal information pertains.

(b)

The Attorney General, either in writing or electronically, if the number of consumers to whom the covered entity must send the notice described in paragraph (a) of this subsection exceeds 250.

(2)

Intentionally left blank —Ed.

(a)

A vendor that discovers a breach of security or has reason to believe that a breach of security has occurred shall notify a covered entity with which the vendor has a contract as soon as is practicable but not later than 10 days after discovering the breach of security or having a reason to believe that the breach of security occurred.

(b)

If a vendor has a contract with another vendor that, in turn, has a contract with a covered entity, the vendor shall notify the other vendor of a breach of security as provided in paragraph (a) of this subsection.

(c)

A vendor shall notify the Attorney General in writing or electronically if the vendor was subject to a breach of security that involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine. This paragraph does not apply to the vendor if the covered entity described in paragraph (a) or (b) of this subsection has notified the Attorney General in accordance with the requirements of this section.

(3)

Intentionally left blank —Ed.

(a)

A covered entity shall give notice of a breach of security in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.

(b)

Before providing the notice described in paragraph (a) of this subsection, a covered entity shall undertake reasonable measures that are necessary to:

(A)

Determine sufficient contact information for the intended recipient of the notice;

(B)

Determine the scope of the breach of security; and

(C)

Restore the reasonable integrity, security and confidentiality of the personal information.

(c)

A covered entity may delay giving the notice described in paragraph (a) of this subsection only if a law enforcement agency determines that a notification will impede a criminal investigation and if the law enforcement agency requests in writing that the covered entity delay the notification.

(4)

A covered entity may notify a consumer of a breach of security:

(a)

In writing;

(b)

Electronically, if the covered entity customarily communicates with the consumer electronically or if the notice is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) as that Act existed on January 1, 2020;

(c)

By telephone, if the covered entity contacts the affected consumer directly; or

(d)

With substitute notice, if the covered entity demonstrates that the cost of notification otherwise would exceed $250,000 or that the affected class of consumers exceeds 350,000, or if the covered entity does not have sufficient contact information to notify affected consumers. For the purposes of this paragraph, “substitute notice” means:

(A)

Posting the notice or a link to the notice conspicuously on the covered entity’s website if the covered entity maintains a website; and

(B)

Notifying major statewide television and newspaper media.

(5)

Notice under this section must include, at a minimum:

(a)

A description of the breach of security in general terms;

(b)

The approximate date of the breach of security;

(c)

The type of personal information that was subject to the breach of security;

(d)

Contact information for the covered entity;

(e)

Contact information for national consumer reporting agencies; and

(f)

Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.

(6)

If a covered entity discovers or receives notice of a breach of security that affects more than 1,000 consumers, the covered entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notice the covered entity gave to affected consumers and shall include in the notice any police report number assigned to the breach of security. A covered entity may not delay notifying affected consumers of a breach of security in order to notify consumer reporting agencies.

(7)

Intentionally left blank —Ed.

(a)

If a covered entity must notify a consumer of a breach of security under this section, and in connection with the notification the covered entity or an agent or affiliate of the covered entity offers to provide credit monitoring services or identity theft prevention and mitigation services without charge to the consumer, the covered entity, the agent or the affiliate may not condition the provision of the services on the consumer’s providing the covered entity, the agent or the affiliate with a credit or debit card number or on the consumer’s acceptance of any other service the covered entity offers to provide for a fee.

(b)

If a covered entity or an agent or affiliate of the covered entity offers additional credit monitoring services or identity theft prevention and mitigation services for a fee to a consumer under the circumstances described in paragraph (a) of this subsection, the covered entity, the agent or the affiliate must separately, distinctly, clearly and conspicuously disclose in the offer for the additional credit monitoring services or identity theft prevention and mitigation services that the covered entity, the agent or the affiliate will charge the consumer a fee.

(c)

The terms and conditions of any contract under which one person offers or provides credit monitoring services or identity theft prevention and mitigation services on behalf of another person under the circumstances described in paragraph (a) of this subsection must require compliance with the requirements of paragraphs (a) and (b) of this subsection.

(8)

Notwithstanding subsection (1) of this section, a covered entity does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the covered entity reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. The covered entity must document the determination in writing and maintain the documentation for at least five years.

(9)

This section does not apply to:

(a)

Personal information that is subject to, and a person that complies with, notification requirements or procedures for a breach of security that the person’s primary or functional federal regulator adopts, promulgates or issues in rules, regulations, procedures, guidelines or guidance, if the personal information and the person would otherwise be subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys).

(b)

Personal information that is subject to, and a person that complies with, a state or federal law that provides greater protection to personal information and disclosure requirements at least as thorough as the protections and disclosure requirements provided under this section.

(c)

A covered entity or vendor that complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on January 1, 2020, if personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) is also subject to that Act.

(d)

A covered entity or vendor that complies with regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, 110 Stat. 1936) and the Health Information Technology for Economic and Clinical Health Act of 2009 (P.L. 111-5, Title XIII, 123 Stat. 226), as those Acts existed on January 1, 2020, if personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) is also subject to those Acts.

(10)

Notwithstanding the exemptions set forth in subsection (9) of this section, a person, a covered entity or a vendor shall provide to the Attorney General within a reasonable time at least one copy of any notice the person, the covered entity or the vendor sends to consumers or to the person’s, the covered entity’s or the vendor’s primary or functional regulator in compliance with this section or with other state or federal laws or regulations that apply to the person, the covered entity or the vendor as a consequence of a breach of security, if the breach of security affects more than 250 consumers.

(11)

Intentionally left blank —Ed.

(a)

A person’s violation of a provision of ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) is an unlawful practice under ORS 646.607 (Unlawful business, trade practices).

(b)

A covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not developed, implemented and maintained reasonable safeguards to protect the security, confidentiality and integrity of personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) but is not subject to an Act described in subsection (9)(c) or (d) of this section by showing that, with respect to the personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys), the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.

(c)

The rights and remedies available under this section are cumulative and are in addition to any other rights or remedies that are available under law. [2007 c.759 §3; 2015 c.357 §2; 2018 c.10 §2; 2019 c.180 §3]

Source: Section 646A.604 — Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement, https://www.­oregonlegislature.­gov/bills_laws/ors/ors646A.­html.

646A.030
Definitions for ORS 646A.030 to 646A.042
646A.032
Price list for health spa services
646A.034
Contracts
646A.036
Contracts and rules
646A.038
Moneys paid prior to facility opening
646A.040
Waiver of provisions of ORS 646A.030 to 646A.042
646A.042
Remedies and obligations supplementary to existing remedies
646A.050
Definitions
646A.052
Form of purchase agreement
646A.054
Rules
646A.060
Purchase of used goods
646A.062
Penalty for violation of ORS 646A.060
646A.064
Definitions for ORS 646A.064 to 646A.067
646A.065
Records required for transactions involving items of precious metal
646A.066
Applicability to local ordinances
646A.067
Preemption of local requirements applicable to pawnbrokers
646A.068
Penalty for violating ORS 646A.065
646A.070
Sale of telephonic equipment
646A.072
Exceptions to disclosure requirements
646A.075
Required information prior to purchase of dog
646A.077
Qualification for full refund
646A.080
Sale of novelty item containing mercury
646A.081
Prohibition on sale or installation of mercury vapor outdoor lighting fixtures
646A.082
Floral retail sales
646A.085
Sale of rights by distributor to exhibit motion picture without first giving exhibitor opportunity to view motion picture prohibited
646A.090
Offer to sell or lease motor vehicle under retail installment contract or lease agreement
646A.092
Advertisements for sale or lease of motor vehicle
646A.093
Disclosures for handling and shipping consumer goods required in advertisements, offers and sales
646A.095
Disclosure required when purchaser of product offered technical support through information delivery system
646A.097
Payment of sales commissions following termination of contract between sales representative and principal
646A.100
Definitions for ORS 646A.100 to 646A.110
646A.102
Notice of intent to conduct going out of business sale
646A.104
Information required in notice of intent
646A.106
Circumstances in which going out of business sale prohibited
646A.108
Prohibited conduct
646A.110
Applicability of ORS 646A.100 to 646A.110 and 646A.112
646A.112
Injunction of sham sale
646A.115
Software prohibited that interferes with sale of admission tickets to entertainment events
646A.120
Definitions for ORS 646A.120 to 646A.134
646A.122
Applicability of ORS 646A.120 to 646A.134
646A.124
General disclosure requirements
646A.126
Specific disclosure requirements
646A.128
Provisions prohibited in lease-purchase agreements
646A.130
Reinstatement of lease-purchase agreement by consumer
646A.132
Renegotiation or extension of lease-purchase agreement
646A.134
Disclosures required in advertisement for lease-purchase agreements
646A.140
Definitions for ORS 646A.140 and 646A.142
646A.142
Rental vehicle collision damage waiver notice
646A.150
Applicability of ORS 646A.150 to 646A.172
646A.152
Definitions for ORS 646A.150 to 646A.172
646A.154
Service contract defined
646A.156
Required contents of service contracts
646A.158
Prohibited conduct
646A.160
Service contract obligor as agent of insurer
646A.162
Investigation of violations
646A.164
Complaints and investigations confidential
646A.166
Refusal to continue or suspension or revocation of registration
646A.168
Assessment fee
646A.170
Remedies not exclusive
646A.172
Rules
646A.200
Definitions for ORS 646A.202 and 646A.204
646A.202
Payment processing systems
646A.204
Customer information
646A.206
Rules
646A.210
Requiring credit card number as condition for accepting check or share draft prohibited
646A.212
“Credit card” defined
646A.214
Verification of identity in credit or debit card transactions
646A.220
Credit card solicitation
646A.222
Charge card solicitation
646A.230
Action by Attorney General or district attorney
646A.232
Effect of compliance with federal law
646A.240
Treatment of child support obligations by creditor in applications for extensions of credit
646A.242
“Creditor” defined
646A.244
Cause of action for violation of ORS 646A.240
646A.274
Definitions for ORS 646A.276 and 646A.278
646A.276
Sale of gift card that expires, declines in value, includes fee or does not give option to redeem
646A.278
Requirements for sale of gift card that expires
646A.280
Definitions for ORS 646A.280 to 646A.290
646A.282
Simulated invoices prohibited
646A.284
Cause of action by Attorney General
646A.286
Cause of action by private party
646A.288
Presumptions in cause of action brought under ORS 646A.284 or 646A.286
646A.290
Construction
646A.292
Legislative intent
646A.293
Definitions for ORS 646A.293 and 646A.295
646A.295
Prohibited actions
646A.300
Definitions for ORS 646A.300 to 646A.322
646A.302
Application of ORS 646A.300 to 646A.322 to successor in interest or assignee of supplier
646A.304
Payment for farm implements, parts, software, tools and signs upon termination of retailer agreement
646A.306
Repurchase of inventory by supplier
646A.308
Civil action for supplier’s failure to pay
646A.310
Prohibited conduct by supplier
646A.312
Termination, cancellation or nonrenewal of retailer agreement
646A.314
New or relocated dealership
646A.316
Warranty claims
646A.318
Warranty claims
646A.320
Retailer’s improvements to products
646A.322
Remedies
646A.325
Repurchase of motor vehicle by manufacturer
646A.327
Attorney fees for action under ORS 646A.325
646A.340
Definitions for ORS 646A.340 to 646A.348
646A.342
Prohibited conduct
646A.344
Bond or letter of credit
646A.346
Damages
646A.348
Action by Attorney General
646A.350
Delivery of unrequested hazardous substances prohibited
646A.352
Penalty
646A.360
Unsolicited facsimile machine transmissions
646A.362
Exclusion of name from sweepstakes promotion mailing list
646A.365
Check, draft or payment instrument creating obligation for payment
646A.370
Definitions for ORS 646A.370 to 646A.374
646A.372
Limits on usage of automatic dialing and announcing device
646A.374
Prohibited actions
646A.376
Enforcement
646A.400
Definitions for ORS 646A.400 to 646A.418
646A.402
Availability of remedy
646A.404
Consumer’s remedies
646A.405
Manufacturer action under ORS 646A.404
646A.406
Presumption of reasonable attempt to conform
646A.408
Use of informal dispute settlement procedure as condition for remedy
646A.410
Informal dispute settlement procedure
646A.412
Action in court
646A.414
Limitations on actions against dealers
646A.416
Limitation on commencement of action
646A.418
Remedies supplementary to existing statutory or common law remedies
646A.430
Definitions for ORS 646A.430 to 646A.450
646A.432
Applicability of ORS 646A.430 to 646A.450
646A.434
Sale of vehicle protection product
646A.436
Warrantor registration
646A.438
Reimbursement insurance
646A.440
Required provisions of reimbursement insurance policy
646A.442
Vehicle protection product warranty administrator
646A.444
Recordkeeping requirements for warrantor
646A.446
Prohibited conduct for warrantor
646A.448
Prohibited activities
646A.450
Rules
646A.452
Enforcement by Attorney General
646A.460
Definitions for ORS 646A.460 to 646A.476
646A.462
Express warranty
646A.464
Repair of assistive device
646A.466
Replacement or refund after attempt to repair
646A.468
Procedures for replacement or refund
646A.470
Sale or lease of returned assistive device
646A.472
Dispute resolution
646A.474
Applicability of other laws
646A.476
Civil action for damages
646A.480
Definitions for ORS 646A.480 to 646A.495
646A.482
Estimate required before beginning work
646A.486
Prohibited actions if estimate exceeds $200
646A.490
Additional prohibited actions
646A.495
Owner designee
646A.500
Legislative findings
646A.502
Short title
646A.504
Definitions for ORS 646A.500 to 646A.514
646A.506
Prohibited conduct
646A.508
Penalties
646A.510
Exemptions
646A.512
Private right of action
646A.514
Scope of remedies
646A.525
Definitions for ORS 646A.525 to 646A.535
646A.530
Prohibited sales of certain children’s products
646A.535
Assistance of Attorney General in obtaining recall notices
646A.540
Definitions
646A.542
Requirement to document compliance
646A.544
Local government enforcement
646A.550
Short title
646A.555
License to engage in business activity not required for individual under 17 years of age
646A.560
Legislative findings
646A.562
Definitions for ORS 646A.560 to 646A.566
646A.564
Standards for mercury content in electric lamps
646A.566
Considerations for state agency procurement of lighting devices that contain mercury
646A.575
Definitions for ORS 646A.575 to 646A.590
646A.577
Limited license required
646A.580
Cost of coverage
646A.582
Written disclosure requirements
646A.585
Exceptions to license requirement
646A.588
Restrictions on modification or termination of coverage
646A.590
Rules
646A.592
Enforcement
646A.600
Short title
646A.602
Definitions for ORS 646A.600 to 646A.628
646A.604
Notice of breach of security
646A.606
Security freeze
646A.608
Deadline for placing security freeze
646A.610
Fees not permitted
646A.612
Conditions for lifting or removing security freeze
646A.614
Effect of security freeze on use of consumer reports or protective records
646A.616
Effect of request for consumer report subject to security freeze
646A.618
Prohibition on changes to consumer report subject to security freeze
646A.620
Prohibition on printing, displaying or posting Social Security numbers
646A.622
Requirement to develop safeguards for personal information
646A.624
Powers of director
646A.626
Rules
646A.628
Allocation of moneys
646A.640
Definitions
646A.643
License requirement to engage in debt buying
646A.646
License application
646A.649
Licensee’s principal place of business and registered agent
646A.652
Required notices
646A.655
Compliance with director’s standards
646A.658
Prohibited practices
646A.661
Director’s supervisory authority
646A.664
Enforcement actions
646A.667
Preemption
646A.670
Legal action to collect debt
646A.673
Rules
646A.677
Requirement to screen for financial assistance before transferring medical debt for collection
646A.680
Legislative intent
646A.683
Requirement to report increase in drug price
646A.686
Short title
646A.689
Requirement to report certain information concerning drug manufacturing and pricing
646A.692
Civil penalty
646A.693
Prescription Drug Affordability Board
646A.694
Annual affordability determination for identified drugs and insulin products
646A.695
Annual fees assessed against drug manufacturers
646A.696
Report to Health Care Cost Growth Target program and Legislative Assembly
646A.697
Study of market for generic drugs
646A.700
Short title
646A.702
Definitions for ORS 646A.702 to 646A.720
646A.705
Persons that are not foreclosure consultants
646A.710
Foreclosure consulting contract
646A.715
Cancellation
646A.720
Prohibited acts of foreclosure consultant
646A.725
Definitions for ORS 646A.725 to 646A.750
646A.730
Persons that are not equity purchasers
646A.735
Written contract
646A.740
Cancellation
646A.745
Required and prohibited acts
646A.750
Rebuttable presumptions
646A.755
Acts not precluded
646A.760
Civil action for damages
646A.765
Penalties
646A.770
Definitions
646A.773
Applicability of Insurance Code
646A.776
Required disclosures
646A.779
Determination of amount of waiver
646A.781
Cancellation and expiration
646A.784
Reimbursement insurance policies for guaranteed asset protection waivers
646A.787
Fiduciary responsibilities
646A.790
Unlawful practices
646A.800
Late fees on delinquent cable service accounts
646A.801
Termination of residential cable service or residential telecommunications service for certain persons
646A.803
Contest and sweepstakes solicitations
646A.806
Website with photographs and information about arrested persons
646A.808
Obtaining personal information by false representation via electronic media
646A.810
Patent infringement claim made in bad faith
646A.813
Security requirements for Internet-connected devices
Green check means up to date. Up to date