Companies now must notify state of large data breaches

For the first time, the Oregon attorney general must now be notified when there has been a consumer data breach involving more than 250 Oregonians.

The new law, which went into effect Jan. 1 requires businesses and government agencies to notify the Oregon attorney general’s office when the personal data of at least 250 Oregonians has been compromised.

“The sheer amount of data that is collected and stored every day can be a treasure trove to the wrong person,” said Attorney General Ellen Rosenblum. “This law sees to it that when sensitive health or financial information is breached, the attorney general and consumers are notified and can search our website to determine whether a business or agency has properly reported a data breach. A big thank you to the 2015 Oregon Legislature for passing this important consumer law.”

The new law defines protected data to include any medical, health insurance or biometric information as well as Social Security numbers, government ID numbers or certain financial information.

Oregonians can search the names of companies or organizations that have reported data breaches here.

Under the new law, a company or state agency must notify the Oregon Department of Justice in a reasonable time if the personal information of 250 or more Oregonians has been breached. Breached entities can report a breach here