Oregon Breach Notification Law Now Applicable

by | Jan 12, 2016

Organizations operating in Oregon must now adhere with a new data breach law that came into effect on January 1, 2016. If a data breach that exposes the personal information of more than 250 state residents is experienced, a breach notice must be filed to the Oregon Attorney General.

On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) amending the Oregon Consumer Identity Theft Protection Act of 2007. The amendment widened the definition of “personal information” to include biometric information such as a retina or iris images and fingerprints, as well as medical and health insurance information.

Other data defined as personal information include Social Security numbers, government ID numbers, Driver’s license numbers and financial data including credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name or last name and initial means a breach notice to be issued. Oregon is one of a few states that needs a breach notice to be issued even if a person’s name is not exposed, if there is potential for a person to be identified by the exposed data.

Under Oregon law, a data breach is classeed as “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that an entity maintains.”

According to the new Oregon breach notification law, if a data breach is experienced which affects more than 250 state residents, a breach notice must be filed electronically via a new website created specifically to record data breaches, similar to that put in place by the California Attorney General.

In addition to displaying the date that the violation was suffered, the date that the breach was reported to the attorney general, and the date breach notifications were issued to consumers is also displayed on the website.

The site can be used by consumers to find organizations that have suffered data breaches that have affected Oregon residents and see whether organizations have reported those breaches properly.

Oregon attorney general Ellen Rosenblum recently thanked the 2015 Oregon Legislature for introducing  the new law, which will ensure that state residents’ personal data is better protected.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy