Oregon Cybersecurity Requirements
Understanding Oregon's Consumer Information Protection Act (OCIPA) and its requirements for protecting personal information of Oregon residents.
Important Disclaimer
The information provided on this page is for general informational purposes only. State cybersecurity regulations are complex and subject to change. We recommend reaching out to our team to confirm you have covered all applicable requirements for Oregon operations.
Overview
Oregon regulates data security and breach notification largely through the Oregon Consumer Information Protection Act (OCIPA), codified at ORS 646A.600–646A.628. The law requires organizations to safeguard certain personal information of Oregon residents and to notify consumers (and in some cases the Oregon Department of Justice) when breaches occur.
Who is Covered?
- Any person or entity that owns, licenses, or maintains personal information about Oregon residents in connection with business or governmental operations
- Includes financial institutions, mortgage lenders, servicers, and other companies storing consumer data
Security and Program Expectations
While OCIPA focuses heavily on breach response and notification, it also expects reasonable security practices:
Reasonable Safeguards
- Businesses must implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure
Vendor Management
- If an organization discloses personal information to a third party, it must ensure that the third party also maintains reasonable security safeguards
Incident Response Planning
- State guidance emphasizes that agencies and organizations should maintain written incident response plans and align incident handling with applicable regulations, including OCIPA's notification requirements
Breach Notification Obligations
- If a "breach of security" involving Oregon consumers' personal information occurs, businesses must notify affected consumers within 45 days of discovering the breach, with limited exceptions (e.g., law enforcement delays)
- If more than 250 Oregon residents are affected, the organization must also notify the Oregon Department of Justice, providing a copy of the consumer notice and additional details
- Specific content and methods of notification are prescribed, and credit monitoring must sometimes be offered, depending on the nature of the breach
