Notification of Security Breach
The faster consumers know their personal identification information
has been breached, the more opportunity they have to take precautions to ensure
their information is not being used fraudulently.
Personal information includes a consumer's name in combination
with a Social Security number, Oregon drivers' license or Oregon identification
card number, or a financial or credit or debit card number along with
a security or access code or password that would allow someone to access a
consumer's financial account.
Your Responsibility. . . Anyone who maintains personal information
of Oregon consumers must notify their customers if computer files containing
that personal information have been subject to a security breach. The notification
must be done as soon as possible, in one of the following manners:
- Written notification
- Electronic, if this is the customary means of communication
between you and your customer, or
- Telephone notice provided that you can directly contact
Notification may be delayed if a law enforcement agency determines
that it will impede a criminal investigation.
If an investigation into the breach or consulation with a
federal, state or local law enforcement agency determines there is no reasonable
likelihood of harm to consumers, or if the personal information was encrypted
or made unreadable, notification is not required.
If you demonstrate that the cost of notifying customers would exceed $250,000,
that the number of those who need to be contacted is more than 350,000, or
if you don't have the means to sufficiently contact consumers, you may give
substitute notice. Substitute notice consists of:
- Conspicuous posting of the notice or a link to the notice
on your Web site if one is maintained, and
- Notification to major statewide Oregon television and
Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers, the responsible
person or organization must report to all nationwide credit-reporting agencies,
without reasonable delay, the timing, distribution, and the content of the
notice given to the affected consumers.
Need help in developing a breach notification letter? Click
here for a sample letter.
Any individual, business, government agency, or organization that is subject
to and complies with the notification regulations or guidance adopted under
Act meet Oregon's requirements. However, if the breach involves personal
information of your employees, you must follow Oregon's notification requirements.