Notification of Security Breach
The faster consumers know their personal identification information
has been breached, the more opportunity they have to take precautions to ensure
their information is not being used fraudulently.
Personal information includes a consumer's name in combination
with a Social Security number, Oregon driver license or Oregon identification
card number, or a financial account or credit or debit card number along
with a security or access code or password that would allow someone to
access a consumer's financial account.
Anyone who maintains personal information of Oregon consumers must
notify their customers if computer files containing that personal information
have been subject to a security breach. The notification must be done as soon
as possible, in one of the following manners:
- Written notification
- Electronic, if this is the customary means of communication
between you and your customer
- Telephone notice provided that you can directly contact
Notification may be delayed if a law enforcement agency determines
that it will impede a criminal investigation.
If an investigation into the breach or consulation with a
federal, state, or local law enforcement agency determines there is no reasonable
likelihood of harm to consumers, or if the personal information was encrypted
or made unreadable, notification is not required.
If you demonstrate that the cost of notifying customers would exceed $250,000,
that the number of those who need to be contacted is more than 350,000, or
if you don't have the means to sufficiently contact consumers, you may give
substitute notice. Substitute notice consists of both of the following:
- Conspicuous posting of the notice or a link to the notice
on your website site if one is maintained
- Notification to major statewide Oregon television and
Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers, you must
report it to the three national credit reporting agencies without
reasonable delay. The agencies need to know when you are sending
the notice, how you are sending it (e.g. through the U.S. Postal
Service or via email), and what the notice tells the affected consumers.
Phone: 1-866-510-4211 (voice mail only)
Mail: Equifax Fraud Assistance, Attn: Security Breach, PO Box 740245,
Atlanta GA 30374
Need help in developing a breach notification
letter? Click here for a sample letter.
Any individual, business, government agency, or organization that is subject
to and complies with the notification regulations or guidance adopted under
Act meets Oregon's requirements. However, if the breach involves personal
information of your employees, you must follow Oregon's notification requirements.