
Notification of Security Breach - Effective October 1, 2007

The faster consumers know their personal identification information has been breached, the more opportunity they have to take precautions to ensure their information is not being used fraudulently.

Personal information includes a consumer's name in combination with a Social Security number, Oregon driver's license or Oregon identification card number, or a financial account, credit card, or debit card number along with a security or access code or password that would allow someone to access a consumer's financial account.

Your responsibility
Anyone who maintains personal information of Oregon consumers must notify their customers if computer files containing that personal information have been subject to a security breach. The notification must be done as soon as possible, in one of the following manners:

  • Written notification

  • Electronic, if this is the customary means of communication between you and your customer, or

  • Telephone notice provided that you can directly contact your customer.

Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation.

If an investigation into the breach or consultation with a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, or if the personal information was encrypted or made unreadable, notification is not required.

Substitute notice
If you demonstrate that the cost of notifying customers would exceed $250,000, that the number of those who need to be contacted is more than 350,000, or if you don't have the means to sufficiently contact consumers, you may give substitute notice. Substitute notice consists of:

  • Conspicuous posting of the notice or a link to the notice on your Web site if one is maintained, and

  • Notification to major statewide Oregon television and newspaper media.

Notifying credit-reporting agencies
If the security breach affects more than 1,000 consumers, the responsible person or organization must report to all nationwide credit-reporting agencies, without reasonable delay, the timing, distribution, and the content of the notice given to the affected consumers.

Exception
Any individual, business, government agency, or organization that is subject to and complies with the notification regulations or guidance adopted under the Gramm-Leach-Bliley Act meets Oregon's requirements. However, if the breach involves personal information of your employees, you must follow Oregon's notification requirements.

 
