Can you summarize ORS 646A.604?
Trade Regulation > Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement.
Short Summary
This legal document governs the breach of security notification requirements for covered entities and vendors. It applies to covered entities and vendors who experience a breach of security or receive notice of a breach of security. The covered entity must notify the consumer whose personal information is affected by the breach, as well as the Attorney General if the number of affected consumers exceeds 250. Vendors must notify the covered entity with which they have a contract within 10 days of discovering or having reason to believe a breach of security occurred. The covered entity must provide notice of the breach of security to affected consumers without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach. The notice must include a description of the breach, the approximate date of the breach, the type of personal information involved, contact information for the covered entity, contact information for consumer reporting agencies, and advice to report suspected identity theft to law enforcement. The covered entity may use various methods of notification, including in writing, electronically, by telephone, or with substitute notice. If the breach affects more than 1,000 consumers, the covered entity must also notify consumer reporting agencies. The document provides exemptions for notification requirements or procedures adopted by federal regulators, state or federal laws providing greater protection, and compliance with regulations under specific acts. Violation of the breach notification requirements is considered an unlawful practice.
Whom does it apply to?
Covered entities and vendors
What does it govern?
Breach of security notification requirements for covered entities and vendors
What are exemptions?
Notification requirements or procedures for a breach of security adopted by the person's primary or functional federal regulator; state or federal laws providing greater protection to personal information; and compliance with regulations promulgated under the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009
What are the penalties?
Violation of this provision is an unlawful practice under ORS 646.607
Jurisdiction
Oregon