← All US breach laws·OR

Oregon data breach notification law

Oregon's data breach notification requirements under Ore. Rev. Stat. §§646A.600 to 646A.628 (Consumer Identity Theft Protection Act / Oregon Consumer Information Protection Act). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
Ore. Rev. Stat. §§646A.600 to 646A.628
Enforcer
Oregon Attorney General — Department of Justice
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
In the most expedient manner possible and without unreasonable delay, but not later than 45 days after discovery of the breach
Notify the state regulator
Yes — if more than 250 Oregon residents are affected, written notice to the AG within 45 days
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification not required if, after appropriate investigation, no reasonable likelihood of harm to consumers exists
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Oregon law

First name/initial + last name with SSN, DL/state ID, passport, military ID, financial account + access code, biometric data, health-insurance ID, medical info, OR username/email + password/security Q&A; ALSO standalone any of the above if sufficient for identity theft

Penalties and enforcement

Civil penalty up to $1,000 per violation under Oregon Unlawful Trade Practices Act
Enforced by: Oregon Attorney General — Department of Justice. Official regulator page →

Common pitfalls

Oregon's PI definition expressly includes standalone elements 'sufficient for identity theft' — broader than the typical name + element pairing

Frequently asked questions

How long do I have to notify Oregon residents after a data breach?
In the most expedient manner possible and without unreasonable delay, but not later than 45 days after discovery of the breach
Do I have to notify the Oregon Attorney General?
Yes — if more than 250 Oregon residents are affected, written notice to the AG within 45 days
Does Oregon require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Oregon's breach notification requirement?
Yes — Oregon has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Oregon residents sue me directly for a data breach?
No — Oregon's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Oregon law?
First name/initial + last name with SSN, DL/state ID, passport, military ID, financial account + access code, biometric data, health-insurance ID, medical info, OR username/email + password/security Q&A; ALSO standalone any of the above if sufficient for identity theft
What are the penalties for failing to comply with Oregon's breach notification law?
Civil penalty up to $1,000 per violation under Oregon Unlawful Trade Practices Act

Related state breach laws

Ohio (OH)
Ohio Rev. Code §§1349.19
Oklahoma (OK)
24 Okla. Stat. §§161 to 166
Pennsylvania (PA)
73 Pa. C.S. §§2301 to 2330
Rhode Island (RI)
R.I. Gen. Laws §§11-49.3-1 to 11-49.3-6

Pre-empt the Oregon breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Oregon's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit