Oregon Doesn't Just Defend Compliant Businesses —
It Deems Them Protected

SB 1551 gives organizations with a comprehensive information security program — or GLBA/HIPAA compliance — deemed compliance with Oregon's safeguard requirements, plus an affirmative defense against violation claims.

Effective June 2, 2018 · ORS § 646A.622

The Law

What SB 1551 Does for You

Oregon's approach differs from most safe harbor states. Rather than offering only a defense to raise at trial, ORS 646A.622 deems a compliant organization to have met the state's safeguard requirements outright. The statute provides three layers of protection:

Deemed Compliance

Organizations that are subject to and comply with GLBA or HIPAA are deemed compliant with Oregon's safeguard requirements: the requirement is treated as satisfied, not merely defensible.

Affirmative Defense

Organizations with a comprehensive information security program can assert an affirmative defense against safeguard violation claims.

Cross-Application Shield

Uniquely, Oregon lets you apply your GLBA or HIPAA security standards as a defense for data that isn't even subject to those federal laws.

How to Qualify

Three Paths to Protection

Oregon offers multiple routes to its safe harbor. Choose the path that fits your organization:

1

GLBA Compliance

Financial institutions that are subject to and comply with the Gramm-Leach-Bliley Act (GLBA) are deemed compliant with Oregon's safeguard requirements.

2

HIPAA/HITECH Compliance

Healthcare entities that are subject to and comply with the HIPAA and HITECH security rules are deemed compliant with Oregon's safeguard requirements.

3

Comprehensive Information Security Program

Any organization can qualify by implementing a written information security program with administrative, technical, and physical safeguards scaled to its size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it handles.

Unlike several other safe harbor states, Oregon does not name specific frameworks such as NIST CSF or CIS Controls in its statute. Building your program on one of these frameworks still strengthens it, gives you documented evidence of the required safeguards, and supports safe harbor qualification in states that do recognize those frameworks.

Common Concern

Only Two Federal Frameworks?

A Strong Program Qualifies — With or Without GLBA/HIPAA

Most Oregon businesses aren't subject to GLBA or HIPAA. That's fine. Path 3, the comprehensive information security program, is available to every organization. It requires documented administrative, technical, and physical safeguards proportionate to your size and risk. A documented program built on NIST CSF or CIS Controls can meet these requirements, and the same program supports qualification in states that name those frameworks in their safe harbor statutes.

Important: Oregon's statute references the federal regulations as they existed on January 1, 2020. The law has no rolling update provision; the legislature must amend the statute to move the reference date. Organizations should keep their security practices aligned with the current versions of those standards regardless, since later federal revisions are not automatically incorporated.

How SignumCyber Helps

Turn Compliance into Protection

SB 1551 Requires                                   | How We Help
---------------------------------------------------|------------------------------------------------------------------
Written information security program               | 73-domain assessment + policy creation wizard to build your program
Designated employee coordinator & training         | Role-based responsibility mapping with security awareness gap analysis
Regular risk identification & safeguard assessment | FAIR risk quantification in dollars with ongoing reassessment
Technical safeguards: patching, detection & testing | Periodic reassessment, vulnerability tracking & validation
Physical safeguards & secure disposal              | Physical security assessment with disposal procedure documentation

Bigger Picture

A Growing National Movement

Seven states and counting have enacted cybersecurity safe harbor laws. The program you build for Oregon strengthens your defense in every one of them.

Ohio 2018
Oregon 2018
Utah 2021
Connecticut 2021
Iowa 2023
Tennessee 2024
Texas 2025

Ready to Build Your Defense?

See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.

30 minutes. No pressure. Just clarity.

This page is general information about Oregon's cybersecurity safe harbor law (ORS 646A.622), not legal advice. Consult a qualified attorney for guidance specific to your organization.