Oregon Consumer Information Protection Act
The Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 to 646A.628, was first passed in 2007, and updated as recently as 2019, to help protect consumers from the dangers of data breaches. The law uses the term “breach of security,” which is defined as an “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.” These incidents are also referred to as “data breaches.”
A “breach of security” can occur in a variety of circumstances such as when a company’s website or email system is hacked, data is stolen, or devices with personal information on them are left unsecure. The OCIPA requires companies to notify impacted consumers of these incidents, so that Oregonians can take steps to protect themselves from the risk of fraud and identity theft that may result from someone obtaining their personal information.
What is Personal Information?
In the context of the OCIPA, personal information is defined as a consumer’s first name or first initial and last name in combination with:
- Social Security number
- driver license number or state identification card number
- passport number or other identification number issued by the United States
- financial account number, credit card number or debit card number
- biometric data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris
- health insurance policy number or health insurance subscriber identification
- information about the consumer’s medical history or mental or physical condition, or about a health care professional’s medical diagnosis or treatment of the consumer
A consumer’s username or account ID plus a password or other means of gaining access to a consumer’s account is also personal information. Any combination of these data points, without a consumer’s name, may also constitute personal information under the OCIPA.
Reporting Data Breaches
Oregon law requires entities to notify any Oregon consumer whose personal information was subject to a breach of security within 45 days of discovering the breach of security. If a breach impacts more than 250 Oregon consumers, the law also requires that a report and a sample copy of the breach notice sent to Oregon consumers be provided to the Oregon Department of Justice (DOJ), also within 45 days.
To report a data breach, businesses and state agencies can use the Submit Data Breach Notice form or report through databreach@doj.oregon.gov. The DOJ will contact your entity if we have any follow-up questions.
Consumers do not need to submit anything regarding data breaches to the DOJ. Companies are legally required to submit that information to us. Consumers wishing to file a complaint about a data breach can use our online complaint form.
Data Breach Resources
For a list of reported data breaches, visit the Search Data Breach Notice database, where you can search by the name of the organization that sent the notice, or simply scroll through the list.
Handout on Oregon Data Breach Reporting
FAQs for Consumers
I’ve received a data breach notice from a company. What should I do?
Consider placing a fraud alert or a security freeze on your credit reports. You can place a fraud alert with one phone call to one of the three major credit bureaus. This will prevent cyber criminals from opening additional accounts in your name. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to place fraud alerts, and all three will send you credit reports free of charge. Review the reports carefully for accounts you did not open, debts you cannot explain, or inaccurate information.
- Equifax: 800-685-1111
- Experian: 1-888-397-3742
- TransUnion: 888-909-8872
A security freeze is slightly more restrictive and means that your credit file cannot be shared with potential creditors. You, too, will not be able to open new credit while a freeze is in place. While a credit freeze can provide important protection against identity theft, a credit freeze may not be for everyone. If you plan to open credit soon or apply for an apartment or a job that will require your credit report to be checked, you will need to temporarily lift the freeze.
You can also find more information about each credit reporting agency’s freeze program at their websites:
- Experian: www.experian.com
- Equifax: www.equifax.com
- TransUnion: www.transunion.com
Continue to monitor your financial accounts and credit reports for suspicious activity.
What does the DOJ do about data breaches?
The DOJ and the Department of Consumer and Business Services (DCBS) share enforcement authority for violations of OCIPA. There is also overlapping enforcement with federal entities governing health data or bank data (depending on the type of company and data involved). In other words, it can be complicated! The OCIPA does not contain a private right of action, which means that consumers cannot enforce it themselves.
The Privacy Unit at the DOJ reviews every data breach report submitted and looks for violations of the law or other issues that may be of concern to consumers. If a business entity has not complied with the OCIPA (such as by failing to notify consumers in a timely manner or by failing to implement reasonable data safeguards), the DOJ has the authority to pursue civil penalties.