Following the anniversary of GDPR coming into force we’re seeing a wide range of breach notification timeframes from 24 hours (e.g. California), through 72 hours (GDPR), 10 days (Oregon) up to 30 days. Given that multinationals may have to notify in multiple jurisdictions it’s best to plan and test for 24 hours…:
[…] On May 24, 2019, Oregon Governor Kate Brown signed into law Senate Bill 684, which requires vendors, service providers and other entities that maintain or possess consumers’ personal information to notify consumers of a security breach.
Effective January 1, 2020, the Oregon Consumer Identity Theft Protection Act, which the amendment renames as the Oregon Consumer Information Protection Act (the “Act”), requires vendors that discover a breach of security or have reason to believe that a breach of security has occurred to (1) notify any contracted covered entities as soon as practicable but no later than 10 days after discovering (or having reason to believe that) a breach has occurred and (2) notify the Attorney General if a breach or suspected breach involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.