
Data Breach Laws in Oregon: Notification Regulations

In the state of Oregon, any business or person that experiences a data breach must notify affected Oregon residents as soon as possible. Notification can be sent by mail, telephone, or email unless more than 350,000 people have been affected, or the cost of notification exceeds $250,000. In these instances, public service announcements are acceptable. When a breach impacts 1,000 or more people, all consumer-reporting agencies must be informed.

Name of Law / Statute

Oregon Consumer Identity Theft Protection Act

Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; account number, credit card number, or debit card number if accompanied by PIN, password, or access codes; passports; or any combination of data elements that allows identity theft

Who Is Subject to Law?

Any business that owns, licenses, or otherwise possesses resident PI

Notification of Consumers?

Yes, unless determination of no harm by business

By what means?

Written, phone, or electronic; if >1,000 residents, must notify consumer reporting agencies; specific info must be included in notice

Substitute Notice Threshold?

If cost of notice >$250,000 or involves >350k residents

Notification of authorities / regulators required?


By what means?


Regulatory Fines

$1,000/violation/day, up to $500k

Credit monitoring requirement?


Private lawsuits allowed?

Yes (but only if not too expensive or burdensome)

Private damages cap?


Regulatory actions allowed?

Yes (if private action burdensome)

HIPAA Compliance exemption?


Other (e.g., timeframe)

Law does not apply if PI was encrypted (unless encryption was compromised) or redacted

Link to complete law


Read the full text of Oregon’s data breach law.
