Notification of Security Breach
The faster consumers know their personal identification information
has been breached, the more opportunity they have to take precautions to ensure
their information is not being used fraudulently.
Personal information includes a consumer's name in combination
with a Social Security number, Oregon driver's license or Oregon identification
card number, or a financial or credit or debit card number along with
a security or access code or password that would allow someone to access a
consumer's financial account.
Your Responsibility
Anyone who maintains personal information
of Oregon consumers must notify their customers if computer files containing
that personal information have been subject to a security breach. The notification
must be done as soon as possible, in one of the following manners:
- Written notification
- Electronic, if this is the customary means of communication
between you and your customer, or
- Telephone notice provided that you can directly contact
your customer.
Notification may be delayed if a law enforcement agency determines
that notification will impede a criminal investigation.
If an investigation into the breach or consultation with a
federal, state or local law enforcement agency determines there is no reasonable
likelihood of harm to consumers, or if the personal information was encrypted
or made unreadable, notification is not required.
Substitute notice
If you demonstrate that the cost of notifying customers would exceed $250,000,
that the number of those who need to be contacted is more than 350,000, or
if you don't have the means to sufficiently contact consumers, you may give
substitute notice. Substitute notice consists of:
- Conspicuous posting of the notice or a link to the notice
on your Web site if one is maintained, and
- Notification to major statewide Oregon television and
newspaper media.
Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers, the responsible
person or organization must report to all nationwide credit-reporting agencies,
without reasonable delay, the timing, distribution, and the content of the
notice given to the affected consumers.
Exception
Any individual, business, government agency, or organization that is subject
to and complies with the notification regulations or guidance adopted under
the Gramm-Leach-Bliley Act meets Oregon's requirements. However, if the breach
involves personal information of your employees, you must follow Oregon's
notification requirements.