Or. Admin. Code § 150-305-0481
Example 1. Joe Smith, a CPA, notices that five of his efiled returns were rejected due to a return already having been received by the IRS. Joe believes this may indicate a data security breach and a quick review of his records confirms this possibility. Joe still has access to his client records and notifies the Oregon Department of Revenue within five days and provides the name, address and identification number of 30 of his clients impacted by the breach.
Example 2. Nancy works for a satellite office of CPA Inc., which is an international company. CPA Inc. discovers a possible data security breach on February 15 and begins their investigation but doesn't notify their satellite offices. The investigation concludes on April 1 and on April 2 Nancy is notified of a data security breach. Nancy notifies the department of the data security breach within five days of receiving this information and provides her PTIN. On April 30 she receives a list of her impacted clients, which she then provides to the department within 15 days on May 15.
Example 3. Mary's office is burglarized, and a couple of her computers were stolen on October 1. All of Mary's records are on these computers, after filing a police report, Mary notifies the department within five days of a possible data security breach and providers her PTIN. On March 1, the computers are recovered but law enforcement needs to hold them as evidence and on July 1 they are returned to Mary. Mary is able to access and identify the impacted clients of the data security breach and provides a list to the department within 15 days of receiving the laptops.
Or. Admin. Code § 150-305-0481
Statutory/Other Authority: ORS 305.100 & Chapter 353, 2021 Oregon Laws
Statutes/Other Implemented: Chapter 353, 2021 Laws