Business services

The faster consumers know their personal identification information has been breached, the faster they can take safeguarding precautions. 

Your responsibility

A person who owns, maintains, or licenses personal information used in the course of business, vocation, occupation, or volunteer activities must notify their customers as soon as possible that there has been a data security breach. Notification can be made in one of the following ways:

  • Written notification
  • Electronic notice, if this is the customary means of communication between you and your customers
  • Telephone notice, provided that you make direct contact with the affected customer

A person or company who maintains or possesses personal information on behalf of another must immediately notify that owner or licensor of a security breach.

If there are more than 250 customers affected by the security breach, you must notify the Oregon Attorney General or call 877-877-9392 (toll-free in Oregon).

You may delay notification if a law enforcement agency determines that notification will impede a criminal investigation.

Notification is not required if either of the following is true:

  • An investigation or consultation with a federal, state, or local law enforcement agency leads you to determine that there is no reasonable likelihood of harm to consumers. You must document this determination in writing and maintain the documentation for at least five years.
  • The personal information was encrypted or made unreadable.

Any individual, business, government agency, or organization that is subject to and complies with the notification regulations or guidance adopted under the Gramm-Leach-Bliley Act meets Oregon’s notification requirements. However, if the breach involves your employees, you must comply with Oregon’s notification requirements.

Substitute notice

If you can show that the cost of notifying consumers will exceed $250,000, or that the number of those needing to be contacted is more than 350,000, or if you don’t have sufficient contact information to notify affected consumers, you may follow both of these substitute notice requirements:

  • Conspicuous posting of the notice or a link to the notice on your website, if you maintain one.
  • Notifying major statewide Oregon television and newspaper media.

Notifying credit reporting agencies

If the security breach affects more than 1,000 consumers, you must report the timing, distribution, and content of the notification to the three credit reporting agencies (TransUnion, Equifax, and Experian) without unreasonable delay.

TransUnion 
Phone: 800-971-4307 (toll-free)

Experian 
Phone: 714-830-5442

Equifax 
Phone: 866-510-4211 (voicemail only) (toll-free)
Email: businessrecordsecurity@equifax.com
Mail: Equifax Fraud Assistance, Attn: Security Breach
P.O. Box 740245, Atlanta, GA 30374

Sample data breach notification letter

Word version