New Oregon Data Breach Law Tightens Notification Period

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Kyle LaHucik

Oregon residents must be notified within 45 days of the discovery of a breach of their personal data under the state’s amended data protection law, which took effect June 2.

Oregon joins more than a dozen states requiring notification within a specific period of time, Bloomberg Law data show. Oregon previously required notification “without unreasonable delay.”

The law provides that those who own, maintain, possess or have control over or access to data that includes an individual’s personal information that is used in the course of business must develop reasonable safeguards to protect personal data.

Administrative safeguards such as training employees in “security program practices and procedures” must be done “with reasonable regularity.”

Another amendment to the law stipulates the holders of personal information must review “user access privileges with reasonable regularity.” Applying a security patch management program to vulnerable software is another safeguard under the amended law.

Oregon’s attorney general must be notified if more than 250 people are affected by a breach.

Personal information, the breach of which triggers the requirement to notify, includes biometric data. It also includes a consumer’s financial account number, credit card number or debit card number, in combination with an access code or password that would unlock the account, “or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account,” according to the new law.

Individuals whose personal information is breached don’t have to provide their credit or debit card number to get free credit monitoring.

To contact the reporter on this story: Kyle LaHucik in Washington at

To contact the editor responsible for this story: David Mark at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security