2021 Oregon Revised Statutes
Chapter 646A - Trade Regulation
Section 646A.604 - Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement.


(a) The consumer to whom the personal information pertains.
(b) The Attorney General, either in writing or electronically, if the number of consumers to whom the covered entity must send the notice described in paragraph (a) of this subsection exceeds 250.
(2)(a) A vendor that discovers a breach of security or has reason to believe that a breach of security has occurred shall notify a covered entity with which the vendor has a contract as soon as is practicable but not later than 10 days after discovering the breach of security or having a reason to believe that the breach of security occurred.
(b) If a vendor has a contract with another vendor that, in turn, has a contract with a covered entity, the vendor shall notify the other vendor of a breach of security as provided in paragraph (a) of this subsection.
(c) A vendor shall notify the Attorney General in writing or electronically if the vendor was subject to a breach of security that involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine. This paragraph does not apply to the vendor if the covered entity described in paragraph (a) or (b) of this subsection has notified the Attorney General in accordance with the requirements of this section.
(3)(a) A covered entity shall give notice of a breach of security in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.
(b) Before providing the notice described in paragraph (a) of this subsection, a covered entity shall undertake reasonable measures that are necessary to:
(A) Determine sufficient contact information for the intended recipient of the notice;
(B) Determine the scope of the breach of security; and
(C) Restore the reasonable integrity, security and confidentiality of the personal information.
(c) A covered entity may delay giving the notice described in paragraph (a) of this subsection only if a law enforcement agency determines that a notification will impede a criminal investigation and if the law enforcement agency requests in writing that the covered entity delay the notification.
(4) A covered entity may notify a consumer of a breach of security:
(a) In writing;
(b) Electronically, if the covered entity customarily communicates with the consumer electronically or if the notice is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) as that Act existed on January 1, 2020;
(c) By telephone, if the covered entity contacts the affected consumer directly; or
(d) With substitute notice, if the covered entity demonstrates that the cost of notification otherwise would exceed $250,000 or that the affected class of consumers exceeds 350,000, or if the covered entity does not have sufficient contact information to notify affected consumers. For the purposes of this paragraph, "substitute notice" means:
(A) Posting the notice or a link to the notice conspicuously on the covered entity’s website if the covered entity maintains a website; and
(B) Notifying major statewide television and newspaper media.
(5) Notice under this section must include, at a minimum:
(a) A description of the breach of security in general terms;
(b) The approximate date of the breach of security;
(c) The type of personal information that was subject to the breach of security;
(d) Contact information for the covered entity;
(e) Contact information for national consumer reporting agencies; and
(f) Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.
(6) If a covered entity discovers or receives notice of a breach of security that affects more than 1,000 consumers, the covered entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notice the covered entity gave to affected consumers and shall include in the notice any police report number assigned to the breach of security. A covered entity may not delay notifying affected consumers of a breach of security in order to notify consumer reporting agencies.
(7)(a) If a covered entity must notify a consumer of a breach of security under this section, and in connection with the notification the covered entity or an agent or affiliate of the covered entity offers to provide credit monitoring services or identity theft prevention and mitigation services without charge to the consumer, the covered entity, the agent or the affiliate may not condition the provision of the services on the consumer’s providing the covered entity, the agent or the affiliate with a credit or debit card number or on the consumer’s acceptance of any other service the covered entity offers to provide for a fee.
(b) If a covered entity or an agent or affiliate of the covered entity offers additional credit monitoring services or identity theft prevention and mitigation services for a fee to a consumer under the circumstances described in paragraph (a) of this subsection, the covered entity, the agent or the affiliate must separately, distinctly, clearly and conspicuously disclose in the offer for the additional credit monitoring services or identity theft prevention and mitigation services that the covered entity, the agent or the affiliate will charge the consumer a fee.
(c) The terms and conditions of any contract under which one person offers or provides credit monitoring services or identity theft prevention and mitigation services on behalf of another person under the circumstances described in paragraph (a) of this subsection must require compliance with the requirements of paragraphs (a) and (b) of this subsection.
(8) Notwithstanding subsection (1) of this section, a covered entity does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the covered entity reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. The covered entity must document the determination in writing and maintain the documentation for at least five years.
(9) This section does not apply to:
(a) Personal information that is subject to, and a person that complies with, notification requirements or procedures for a breach of security that the person’s primary or functional federal regulator adopts, promulgates or issues in rules, regulations, procedures, guidelines or guidance, if the personal information and the person would otherwise be subject to ORS 646A.600 to 646A.628.
(b) Personal information that is subject to, and a person that complies with, a state or federal law that provides greater protection to personal information and disclosure requirements at least as thorough as the protections and disclosure requirements provided under this section.
(c) A covered entity or vendor that complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to that Act.
(d) A covered entity or vendor that complies with regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, 110 Stat. 1936) and the Health Information Technology for Economic and Clinical Health Act of 2009 (P.L. 111-5, Title XIII, 123 Stat. 226), as those Acts existed on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to those Acts.
(10) Notwithstanding the exemptions set forth in subsection (9) of this section, a person, a covered entity or a vendor shall provide to the Attorney General within a reasonable time at least one copy of any notice the person, the covered entity or the vendor sends to consumers or to the person’s, the covered entity’s or the vendor’s primary or functional regulator in compliance with this section or with other state or federal laws or regulations that apply to the person, the covered entity or the vendor as a consequence of a breach of security, if the breach of security affects more than 250 consumers.
(11)(a) A person’s violation of a provision of ORS 646A.600 to 646A.628 is an unlawful practice under ORS 646.607.
(b) A covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not developed, implemented and maintained reasonable safeguards to protect the security, confidentiality and integrity of personal information that is subject to ORS 646A.600 to 646A.628 but is not subject to an Act described in subsection (9)(c) or (d) of this section by showing that, with respect to the personal information that is subject to ORS 646A.600 to 646A.628, the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.
(c) The rights and remedies available under this section are cumulative and are in addition to any other rights or remedies that are available under law. [2007 c.759 §3; 2015 c.357 §2; 2018 c.10 §2; 2019 c.180 §3]

Structure 2021 Oregon Revised Statutes

2021 Oregon Revised Statutes

Volume 16 - Trade Practices, Labor and Employment

Chapter 646A - Trade Regulation
