2013 ORS § 646A.604¹
Notice of breach of security
- • delay
- • methods of notification
- • contents of notice
- • application of notice requirement
(1) Any person that owns, maintains or otherwise possesses data that includes a consumers personal information that is used in the course of the persons business, vocation, occupation or volunteer activities and was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection (2) of this section, to any consumer whose personal information was included in the information that was breached. The disclosure notification shall be made in the most expeditious time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (3) of this section, and consistent with any measures necessary to determine sufficient contact information for the consumers, determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data.
(2) Any person that maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumers personal information was included in the information that was breached.
(3) The notification to the consumer required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and that agency has made a written request that the notification be delayed. The notification required by this section shall be made after that law enforcement agency determines that its disclosure will not compromise the investigation and notifies the person in writing.
(4) For purposes of this section, notification to the consumer may be provided by one of the following methods:
(a) Written notice.
(b) Electronic notice if the persons customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) as that Act existed on October 1, 2007.
(c) Telephone notice, provided that contact is made directly with the affected consumer.
(d) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $250,000, that the affected class of consumers to be notified exceeds 350,000, or if the person does not have sufficient contact information to provide notice. Substitute notice consists of the following:
(A) Conspicuous posting of the notice or a link to the notice on the Internet home page of the person if the person maintains one; and
(B) Notification to major statewide television and newspaper media.
(5) Notice under this section shall include at a minimum:
(a) A description of the incident in general terms;
(b) The approximate date of the breach of security;
(c) The type of personal information obtained as a result of the breach of security;
(d) Contact information of the person subject to this section;
(e) Contact information for national consumer reporting agencies; and
(f) Advice to the consumer to report suspected identity theft to law enforcement, including the Federal Trade Commission.
(6) If a person discovers a breach of security affecting more than 1,000 consumers that requires disclosure under this section, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notification given by the person to the consumers. In no case shall a person that is required to make a notification required by this section delay any notification in order to make the notification to the consumer reporting agencies. The person shall include the police report number, if available, in its notification to the consumer reporting agencies.
(7) Notwithstanding subsection (1) of this section, notification is not required if, after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
(8) This section does not apply to:
(a) A person that complies with the notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by the persons primary or functional federal regulator.
(b) A person that complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security of personal information than that provided by this section.
(c) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on October 1, 2007. [2007 c.759 §3]