Text Size:   A+ A- A   •   Text Only

Notification of Security Breach

The faster consumers know their personal identification information has been breached, the more opportunity they have to take precautions to ensure their information is not being used fraudulently.

Personal information includes a consumer's name in combination with a Social Security number, Oregon driver license or Oregon identification card number, or a financial account or credit or debit card number along with a security or access code or password that would allow someone to access a consumer's financial account.

Your Responsibility. . . Anyone who maintains personal information of Oregon consumers must notify their customers if computer files containing that personal information have been subject to a security breach. The notification must be done as soon as possible, in one of the following manners:

  • Written notification

  • Electronic, if this is the customary means of communication between you and your customer

  • Telephone notice provided that you can directly contact your customer

Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation.

If an investigation into the breach or consulation with a federal, state, or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, or if the personal information was encrypted or made unreadable, notification is not required.

Substitute notice
If you demonstrate that the cost of notifying customers would exceed $250,000, that the number of those who need to be contacted is more than 350,000, or if you don't have the means to sufficiently contact consumers, you may give substitute notice. Substitute notice consists of both of the following:

  • Conspicuous posting of the notice or a link to the notice on your website site if one is maintained

  • Notification to major statewide Oregon television and newspaper media

Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers, you must report it to the three national credit reporting agencies without reasonable delay. The agencies need to know when you are sending the notice, how you are sending it (e.g. through the U.S. Postal Service or via email), and what the notice tells the affected consumers.

TransUnion
Phone: 1-800-971-4307

Experian
Email: BusinessRecordsVictimAssistance@experian.com

Equifax
Phone: 1-866-510-4211 (voice mail only)
Email: businessrecordsecurity@equifax.com
Mail: Equifax Fraud Assistance, Attn: Security Breach, PO Box 740245, Atlanta GA 30374

Need help in developing a breach notification letter? Click here for a sample letter.

Exception
Any individual, business, government agency, or organization that is subject to and complies with the notification regulations or guidance adopted under Gramm-Leach-Bliley Act meets Oregon's requirements. However, if the breach involves personal information of your employees, you must follow Oregon's notification requirements.