Committee considers requiring earlier cyber-incident reporting by public bodies to aid rapid response
Summary
Staff presented an interim concept to require earlier reporting of cyber incidents by public bodies to a central authority to speed operational response; the committee discussed existing state law's 250-record breach threshold, 45-day reporting window, and whether a protected central notification process could better protect other public entities.
Committee staff reviewed a legislative concept to require earlier notification of cybersecurity incidents by public bodies to a central state entity (such as the Department of Justice fusion center or the state CIO’s office). Staff said Oregon’s current breach notification law requires covered entities to notify affected individuals and, for larger breaches, report to the Department of Justice, but those filings are high-level and may be submitted up to 45 days after an incident.
"That's 250 records," staff said when asked about the statutory threshold for reporting to DOJ. Staff noted that many public bodies — counties, cities, school districts, special districts and community colleges — are not required to report to a central entity unless the incident meets breach thresholds, which limits real-time operational awareness that could help other jurisdictions defend against similar exploits.
Staff pointed out that 15 states have enacted earlier-notification statutes to enable timely sharing of cyber-incident information with a central authority and regional partners. Committee members asked whether notifications could remain confidential so entities would not be deterred from reporting; staff said existing law protects incident reports from public disclosure and that other states use secure channels and privacy safeguards to share operational information.
Members expressed interest in drafting a concept that would set reporting timeframes, identify a central repository or center for notification, and preserve confidentiality while enabling timely operational response and assistance. Staff said the Oregon Cybersecurity Advisory Council and statewide associations are willing to partner to refine consensus language before any bill is advanced.
