The credit reporting agency Equifax doesn’t have to notify the estimated 1.7 million Oregonians who may have been impacted by the company’s massive data breach.
Under a 2007 state law, companies that experience electronic security breaches don’t have to personally inform the victims if the number of people affected exceeds 350,000. The Equifax data breach easily surpassed that, with nearly half of Oregon’s population potentially at risk.
Equifax says roughly 143 million Americans were affected by the data theft, which occurred over several months earlier this year.
The breach was the subject of a hearing at the Oregon Capitol Tuesday. Oregon Department of Justice Legislative Director Aaron Knott told members of the Oregon House and Senate Judiciary Committees that some of them were probably affected.
“Look to the person to your right, look to the person to your left, and probably at least half if not more of you have been impacted by this,” Knott said. “This is an incredibly significant breach.”
The decade-old law does require companies with major security breaches to notify the media.