|Oregon Consumer Identity Theft Protection Act|
|CITATION||Oregon Rev. Stat. § 646A.600 et seq.|
The law applies to a ‘Breach of Security’ that is defined as the ‘unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person.
Any person that owns, maintains or otherwise possesses data that includes Personal Information that is used in the course of the person's business, vocation, occupation or volunteer activities, and was subject to a breach of security must give notice of the breach to any consumer whose personal information was included in the information that was breached.
The law covers first name or initial and last name in combination with any one of the following:
Excludes data that is redacted or secured by other methods rendering data unreadable or unusable from notification obligations.
‘Personal information’ is broader than most states and also includes passport number. Also includes any combination of data elements of PI when not combined with first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the info obtained would be sufficient to permit a person to commit ID theft.
|INDUSTRY||Any person that owns, maintains or otherwise possesses data that includes Personal Information that is used in the course of the person's business, vocation, occupation or volunteer activities.|
|PENALTIES||Allows recovery of actual damages, a penalty of not more than one thousand dollars ($1,000) for each violation with a maximum of five hundred thousand dollars ($500,000) per incident; civil penalty.|