Oregon passed a bill amending security breach disclosure requirements. Under the bill, persons that own, license or otherwise possess personal information must provide a security breach disclosure to affected Oregon residents and to the Attorney General (if applicable) no later than 45 days after discovering or receiving notification of a security breach. In addition, the bill: amended the definition of “personal information”; mandates the information that must be included with a security breach notification provided to the Attorney General (if applicable); sets forth provisions with respect to an offer of credit monitoring services, or identity theft prevention and mitigation services; and amends provisions with respect to information security programs implemented to safeguard personal information. The bill becomes effective June 2, 2018.
See Oregon State Legislature website for the full text of the Statue:
https://olis.leg.state.or.us/liz/2018R1/Downloads/MeasureDocument/SB1551/Enrolled
