Oregon Data Breach Notification Letter Package

(Prepared for compliance with Or. Rev. Stat. §§ 646A.600 – 646A.628)

[// GUIDANCE: This package contains two model letters that satisfy Oregon’s consumer data-breach notice statute:
• Letter A – Notice to the Oregon Attorney General (“AG Notice”)
• Letter B – Notice to Impacted Consumers (“Consumer Notice”)

Both letters (i) track the 45-day statutory deadline, (ii) include all mandatory content elements, and (iii) are drafted to minimize admissions of liability. Replace every bracketed placeholder before issuance. If > 1,000 consumers are affected, remember to send the required notice to nationwide consumer reporting agencies as well. Nothing herein is legal advice; final review by Oregon-licensed counsel is essential.]

LETTER A – NOTICE TO THE OREGON ATTORNEY GENERAL

(Use when the breach affects 250 + Oregon residents, or when specifically requested by the AG)

[Your Letterhead]
[COMPANY LEGAL NAME]
[STREET ADDRESS] • [CITY, STATE ZIP] • [PHONE] • [EMAIL]

[DATE]

Via Certified Mail & E-Mail
Oregon Department of Justice
Attn: Consumer Protection Section
1162 Court Street NE
Salem, OR 97301-4096
[email protected]

Re: Confidential Security Breach Notification – Or. Rev. Stat. §§ 646A.600 – 646A.628

Dear Attorney General [LAST NAME]:

Pursuant to Or. Rev. Stat. §§ 646A.600 – 646A.628 (the “Act”), [COMPANY LEGAL NAME] (“Company”) hereby notifies the Oregon Attorney General of a breach of security involving personal information of Oregon residents.

1. Company Information
   1.1 Legal Name: [COMPANY LEGAL NAME]
   1.2 Trade Name(s): [DBA, if any]
   1.3 Principal Business Address: [ADDRESS]
   1.4 Point of Contact for this Incident: [NAME, TITLE, PHONE, EMAIL]

2. Incident Description
   2.1 Date(s) of Breach: [MM/DD/YYYY – MM/DD/YYYY or “unknown, but believed to have occurred on or about …”]
   2.2 Date of Discovery/Determination: [MM/DD/YYYY]
   2.3 General Description: [Concise factual summary – no speculation]
   2.4 Type of Personal Information Involved: [e.g., full name + Social Security number, driver license number, financial-account credentials, medical information, etc.]

3. Scope of Impact
   3.1 Total Number of Individuals Affected Nationwide: [NUMBER]
   3.2 Number of Oregon Residents Affected: [NUMBER]

4. Consumer Notification
   4.1 Date Consumer Notices Will Begin: [MM/DD/YYYY – must be ≤ 45 days from discovery unless delayed by law-enforcement request]
   4.2 Method(s) of Notice: [First-class mail / E-mail per E-SIGN / Substitute notice under § 646A.604(6), etc.]
   4.3 Sample Copy: Enclosed as Exhibit A.

5. Mitigation Measures
   5.1 Steps Taken or Planned: [Describe containment, investigation, system hardening, etc.]
   5.2 Identity-Theft Services: [“Twelve (12) months of complimentary credit monitoring and identity-theft resolution services through [VENDOR]”]
   Required under § 646A.604(15) when SSNs or account-access credentials are involved.

6. Law-Enforcement Involvement
   6.1 Agency Notified: [“None” or name of agency]
   6.2 Contact Person & Phone: [If applicable]
   6.3 Statement of Non-Interference: [Attach or quote written authorization to proceed if previously delayed]

7. Contact for Additional Information
   Please direct any questions to [NAME, TITLE] at [PHONE] or [EMAIL].

This notice is provided in good faith and is not, and shall not be construed as, an admission of liability or wrongdoing by the Company or any of its affiliates.

Sincerely,

[NAME]
[TITLE]
for [COMPANY LEGAL NAME]

Enclosure: Exhibit A – Consumer Notice (sample)

[// GUIDANCE: Retain proof of mailing and e-mail transmittal. Maintain an internal decision log documenting timing calculations and law-enforcement interactions to defend against potential enforcement actions or statutory penalty assessments.]

LETTER B – NOTICE TO IMPACTED CONSUMERS

(Send to each Oregon resident whose Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person)

[COMPANY LOGO / LETTERHEAD]

[DATE]

[CONSUMER NAME]
[STREET ADDRESS]
[CITY, STATE ZIP]

Re: Notice of Data Security Incident

Dear [CONSUMER NAME]:

1. What Happened
   On [DISCOVERY DATE], we learned of unauthorized access to certain Company systems. Our investigation, completed with leading cybersecurity specialists, determined that between [BREACH DATE RANGE], an unauthorized party accessed files containing personal information.

2. What Information Was Involved
   The accessed files contained some or all of the following information pertaining to you:
   • [☐ Full Name]
   • [☐ Social Security Number]
   • [☐ Driver License / State ID Number]
   • [☐ Financial-Account Number + Access Code]
   • [☐ Medical Information / Health Insurance ID]
   No other data elements were affected.

3. What We Are Doing
   • Immediately isolated affected systems, activated our incident-response plan, and engaged third-party forensics experts.
   • Cooperating with law enforcement.
   • Enhancing network monitoring, multi-factor authentication, and employee security training.
   • Offering you 12 months of complimentary identity-theft protection and credit-monitoring services through [VENDOR NAME], including $1 million in identity-theft insurance and fraud-resolution support. Instructions for enrollment appear in Section 5. These services are provided at no cost to you, consistent with Or. Rev. Stat. § 646A.604.

4. What You Can Do
   We recommend that you:
   a. Carefully review your account statements and immediately report any suspicious activity.
   b. Obtain a free copy of your credit report from each of the three nationwide consumer reporting agencies by visiting www.annualcreditreport.com or calling 1-877-322-8228.
   c. Consider placing a fraud alert or security freeze on your credit file. A security freeze is free and prevents new credit accounts from being opened in your name without your consent. Contact details are provided below.
   d. Remain vigilant and promptly report incidents of suspected identity theft to law enforcement, the FTC, and your state Attorney General.

Nationwide Consumer Reporting Agencies
• Equifax – www.equifax.com • 1-800-525-6285 • P.O. Box 105788, Atlanta, GA 30348-5788
• Experian – www.experian.com • 1-888-397-3742 • P.O. Box 9554, Allen, TX 75013
• TransUnion – www.transunion.com • 1-800-680-7289 • P.O. Box 2000, Chester, PA 19016-2000

Federal Trade Commission
• www.identitytheft.gov • 1-877-ID-THEFT (438-4338) • 600 Pennsylvania Ave NW, Washington, DC 20580

5. How to Enroll in Complimentary Identity-Theft Protection
   To activate your services, visit [VENDOR ENROLLMENT URL] or call [VENDOR PHONE] and provide the following Activation Code: [CODE]. You must enroll by [ENROLLMENT DEADLINE] to receive the full 12-month benefit.

6. For More Information
   If you have questions, please contact our dedicated incident-response line at [TOLL-FREE NUMBER] (Monday-Friday, 8 a.m.–8 p.m. Pacific) or e-mail us at [INCIDENT EMAIL]. For additional guidance on steps you can take to protect yourself, please consult the Federal Trade Commission’s resources at www.identitytheft.gov.

We regret any inconvenience or concern this incident may cause and are committed to safeguarding your information.

Sincerely,

[NAME]
[TITLE]
[COMPANY LEGAL NAME]
[STREET ADDRESS] • [CITY, STATE ZIP] • [PHONE] • [EMAIL]

[// GUIDANCE:
1. Keep the tone factual and reassuring; avoid speculative language.
2. Do not include the full list of impacted data elements if doing so creates additional risk (e.g., do not restate full SSN).
3. Maintain copies of all consumer notices for five years to evidence compliance under § 646A.604(12).]

OPTIONAL EXHIBIT C – SUBSTITUTE NOTICE (for use under § 646A.604(6))

[// GUIDANCE: Insert here a web-posting and statewide media template if > 100,000 residents or mailing costs exceed $250,000.]

RECORD-KEEPING CHECKLIST

☐ Breach determination date documented and filed.
☐ 45-day calendar calculated (include tolled days for any law-enforcement delay).
☐ AG Notice prepared (if ≥ 250 Oregon residents).
☐ Consumer Notices prepared and queued for delivery.
☐ Credit-bureau notices prepared (if ≥ 1,000 consumers nationwide).
☐ Identity-theft services contract executed and activation codes loaded.
☐ All notices saved (retain 5 years).
☐ Incident-response report finalized and preserved under legal-hold protocol.

[// GUIDANCE: End of Template – Counsel should tailor final content to the facts, confirm accuracy of all statutory references, and coordinate with cyber-insurance counsel as needed.]