Oregon

The law applies to a ‘Breach of Security’ that is defined as the ‘unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person.

Any person that owns, maintains or otherwise possesses data that includes Personal Information that is used in the course of the person's business, vocation, occupation or volunteer activities, and was subject to a breach of security must give notice of the breach to any consumer whose personal information was included in the information that was breached.

The law covers first name or initial and last name in combination with any one of the following:

1. Social Security number,
2. Driver's license or state ID card number,
3. Financial account number, credit or debit card number in combination with any required security or access code that would permit access to an individual's financial account.

Excludes data that is redacted or secured by other methods rendering data unreadable or unusable from notification obligations.

‘Personal information’ is broader than most states and also includes passport number. Also includes any combination of data elements of PI when not combined with first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the info obtained would be sufficient to permit a person to commit ID theft.