OR HB4055

Local governments, local service districts, and special government bodies must notify the State Chief Information Officer and submit a report within 48 hours of discovering an information security incident or ransomware incident

Reports must describe actions taken or planned to prevent, mitigate, or recover from damage, unauthorized access, or impairments to the public body's information system

The State Chief Information Officer must establish a secure, confidential reporting system and maintain a webpage with reporting instructions within 90 days of the act's effective date

Incident reports are exempt from public records disclosure but may be shared with the Oregon Cybersecurity Center of Excellence, law enforcement, and other entities deemed appropriate

The State Chief Information Officer must provide annual reports to the Governor and Joint Legislative Committee on Information Management and Technology summarizing incident notifications received; becomes operative July 1, 2026