Oregon Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to Oregon residents, a data breach triggers specific legal obligations under the Oregon Consumer Information Protection Act. ORS 646A.600 through 646A.628 sets out who must be notified, what information triggers the duty, and how quickly you need to act. Originally enacted in 2007 and strengthened by later amendments, including Senate Bill 601 (2015), Oregon's law stands out for its broad definition of personal information, its firm 45-day consumer notification deadline, and a separate requirement to maintain reasonable security safeguards that applies before any breach occurs.
This guide covers the full scope of Oregon's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, enforcement penalties, exemptions, and how the law connects to the state's [broader data privacy framework](/us-laws/data-privacy-laws/oregon-data-privacy-laws).

Who Must Comply With Oregon's Breach Notification Law
Oregon's breach notification law applies to any person that owns, maintains, or otherwise possesses data that includes a consumer's personal information and that is used in the course of the person's business, vocation, occupation, or volunteer activities. This covers a wide range of entities, including for-profit businesses, nonprofits, and volunteer organizations.
The law also applies to any person that maintains or possesses personal information on behalf of, or under license from, another entity. If such a third-party data maintainer (a vendor or service provider, for example) discovers a breach, it must notify the data owner as soon as practicable, and no later than 10 days after discovering the breach. The data owner then carries the primary obligation to notify affected consumers and regulators, so vendor contracts should require prompt escalation with enough detail for the owner to meet its own 45-day deadline.
Oregon's law applies to businesses located outside the state if they hold data belonging to Oregon residents; the trigger is the residency of the affected consumers, not the location of the business or its servers.
What Qualifies as a Breach of Security
Under ORS 646A.602, a breach of security means the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information that a person maintains or possesses.
The "materially compromises" threshold means not every unauthorized access event triggers notification: the statute is written in terms of acquisition of data that creates a meaningful impact on its security, confidentiality, or integrity. In practice the burden falls on the investigation. A conclusion that data was accessed but not acquired, or that the compromise was not material, needs to be supported by evidence (access logs, forensic findings, egress records) and documented, because that conclusion is what the decision not to notify rests on.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the person for the purposes of the person's business does not constitute a breach, provided the personal information is not used for an unauthorized purpose and is not subject to further unauthorized disclosure.
The Encryption Safe Harbor
Oregon provides a conditional encryption safe harbor. Encrypted or redacted data does not trigger notification, unless the encryption key was also acquired during the breach. If both the encrypted data and the key are compromised, the safe harbor does not apply and notification is required.
This is a critical distinction from states that provide an unconditional encryption safe harbor. Businesses should not assume encryption alone eliminates notification obligations. When assessing whether the key was "acquired," practitioners should consider not only a stolen key file but also compromise of the key-management service, hardware security module, or an application that decrypts transparently on the attacker's behalf; an attacker who can read plaintext through a compromised application has, for practical purposes, defeated the encryption even without a copy of the key.

What Personal Information Triggers the Law
Oregon has one of the broadest definitions of personal information among state breach notification laws. Under ORS 646A.602, personal information means a consumer's first name or first initial and last name in combination with any of the following data elements, when the data elements are not rendered unusable through encryption, redaction, or other methods, or when they are encrypted but the encryption key has been acquired:
- Social Security number
- Driver's license number or state identification card number
- Passport number or other United States-issued identification number
- Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the account
- Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina, or iris, that are used to authenticate the consumer's identity (biometric data)
- Health insurance policy number or subscriber identification number
- Medical information (any information about a consumer's medical history or mental or physical condition)
Additionally, Oregon provides a standalone trigger: any of the above data elements, even without a name, qualifies as personal information if the information obtained would enable a person to commit identity theft.
Personal information does not include information in federal, state, or local government records (other than Social Security numbers) that is lawfully made available to the public.
Notification Timeline
Oregon imposes a firm 45-day deadline. Under ORS 646A.604, notification must be provided to affected consumers as soon as practicable but no later than 45 days after discovering, or receiving notification of, the breach.
The 45-day clock starts from the date of discovery, not the date the breach occurred and not the date the investigation concludes. There is no general extension for investigation purposes, so the incident record should capture the discovery timestamp explicitly and the response plan should be built to complete scoping and drafting well inside the window. The only recognized delay is the law enforcement delay described next.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation or jeopardize national security. Once law enforcement determines that notification will no longer compromise the investigation, the entity must provide notice as soon as practicable.
Who Must Be Notified
Affected Individuals
Every Oregon consumer whose personal information was subject to a breach of security must receive notification. The notice must include:
- A description of the incident in general terms
- The approximate date of the breach
- The type of personal information subject to the breach
- Contact information for the person providing notice
- Contact information for the national consumer reporting agencies
- Advice to the consumer to report suspected identity theft to law enforcement, including the Oregon Attorney General and the Federal Trade Commission
Attorney General
The Oregon Department of Justice Consumer Protection Division must be notified when a breach affects 250 or more Oregon consumers. The AG notification is submitted through the DOJ's online breach reporting portal and must include a copy of the notice sent to consumers and the number of affected individuals.
Oregon's 250-person AG notification threshold is among the lowest in the country, so the Attorney General has visibility into relatively small breaches. Count Oregon residents specifically when applying the threshold; a breach that is small overall can still cross 250 in Oregon, and a large breach can fall under it.
Consumer Reporting Agencies
When a breach affects 1,000 or more Oregon consumers, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The CRA notification must include the timing, distribution, and content of the consumer notice.
Methods of Notification
Businesses can provide notification through:
- Written notice sent to the consumer's postal address in the most current records of the person
- Electronic notice consistent with the federal E-SIGN Act
- Telephone notice directly to the affected consumer
Substitute Notice
Substitute notice is available if the person demonstrates that:
- The cost of providing direct notice would exceed $250,000, or
- The affected class exceeds 350,000 consumers, or
- The person does not have sufficient contact information to provide direct notice
Note that Oregon's substitute notice threshold for affected class size (350,000) is lower than the 500,000 threshold used in many states.
Substitute notice must include all of the following:
- Email notice, where the person has email addresses for affected consumers
- Conspicuous posting of the notice on the person's website, if it maintains one
- Notification to major statewide television and newspaper media

Enforcement and Penalties
Attorney General Enforcement
The Oregon Attorney General enforces the breach notification law as an unlawful trade practice under ORS 646.607. A violation of ORS 646A.604 (breach notification) or ORS 646A.622 (reasonable safeguards) is treated as an unlawful trade practice.
Civil Penalties
Under ORS 646A.624, the penalty structure is:
- Up to $1,000 per violation
- Up to $500,000 for a continuing violation, with each day of a continuing violation counted as a separate violation
The $500,000 cap for continuing violations makes Oregon's penalty structure among the more significant in the country, particularly for businesses that knowingly delay notification or fail to maintain required safeguards, since each day past the deadline or without safeguards in place accrues a further violation.
No Express Private Right of Action
Oregon's breach notification statute does not create an express private right of action. However, because violations are classified as unlawful trade practices, consumers may have remedies under Oregon's general Unlawful Trade Practices Act, which does provide for private enforcement in certain circumstances.
Reasonable Safeguards Requirement
Unlike many states that focus solely on breach notification, Oregon imposes a separate obligation to maintain reasonable safeguards. Under ORS 646A.622, any person that owns, maintains, or otherwise possesses personal information must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information.
This means Oregon businesses face compliance obligations before any breach occurs. Failure to maintain reasonable safeguards is itself a violation, regardless of whether a breach has happened, and a breach investigation will typically examine whether safeguards were in place at the time.
Reasonable safeguards must be appropriate to the volume and nature of the personal information maintained. This gives businesses flexibility but also sets a minimum standard that scales with the sensitivity and amount of data held: an organization holding medical information or biometric data for many consumers is held to a higher bar than one holding a small customer list. Documented administrative, technical, and physical controls (access control, encryption, logging, vendor oversight, an incident response plan) are the evidence that the standard was met.
Exemptions
HIPAA Compliance Exemption
Entities subject to and in compliance with HIPAA's breach notification requirements are deemed in compliance with Oregon's law. Note that the exemption covers the notification duty; a covered entity or business associate that does not actually comply with the HIPAA breach notification rule loses the benefit of it.
Financial Institution Exemption
Financial institutions subject to and in compliance with the Gramm-Leach-Bliley Act's breach notification guidelines are also exempt.
Own Notification Policy Exemption
Entities that maintain their own notification procedures as part of an information privacy or security policy are deemed in compliance, provided those procedures are consistent with the timing requirements of Oregon law (no later than 45 days after discovery) and the entity actually follows its own procedures. An internal policy with a longer or open-ended timeline does not qualify.
Sources and References
This article draws from the following official Oregon government sources:
- ORS 646A.600-628, Oregon Consumer Information Protection Act (oregonlegislature.gov): full text of Oregon's breach notification statute
- Senate Bill 601 (2015) (oregonlegislature.gov): major 2015 amendment strengthening notification requirements
- Oregon DOJ: Data Security Breaches (justice.oregon.gov): Attorney General breach reporting portal
- Oregon DFR: Oregon Consumer Information Protection Act (dfr.oregon.gov): Division of Financial Regulation guidance
This article provides general legal information about Oregon data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Oregon for guidance specific to your situation.