HB 4055
Requires a local government, local service district or special government body to notify and submit a report to the State Chief Information Officer within 48 hours of an information security incident or ransomware incident.
Jurisdiction
Oregon
Session
2026 Regular Session
At the request of
(at the request of Joint Legislative Committee on Information Management and Technology for Representative Nancy Nathanson)
Committee
Information Management and Technology
Take action
Record your position on this measure.
Sign in to record your position, submit testimony, or contact your legislator.
Sign in to take actionPublic sentiment
Support
25%
Oppose
75%
- Introduced
- Passed House
- Passed Senate
- To Governor
- Became Law
Bill overview
This bill requires Oregon’s local governments, service districts, and special government bodies to quickly report information security incidents or ransomware attacks to the State Chief Information Officer within 48 hours. The report must detail the incident and the steps taken to address it. The State Chief Information Officer will establish a secure reporting system, create a public instructions webpage, and provide an annual report to the Governor and the Legislative Committee on Information Management and Technology. Reports are exempt from public disclosure, and the information can be shared with relevant authorities to prevent future incidents.
Sponsors
Official sponsors from legislative records.
Primary sponsor
Cosponsor
Joint Legislative Committee on Information Management and Technology
Arguments in favor
Reasons to support this legislation.
Supporters of the measure advocate for its passage, with many testifiers emphasizing the importance of public notice and transparency in government operations. Notably, a majority of mandating notification of cyber security breaches to a central state agency, with most requesting a 72-hour timeline to allow smaller districts to comply with the current requirement, which they deem unfeasible due to resource constraints. This extension would enable smaller districts to better prepare and respond to breach notifications, ensuring more equitable compliance and minimizing potential disruptions to public services. By prioritizing transparency and fairness, proponents of the measure aim to strengthen the state's cybersecurity posture and promote a more inclusive and responsive governance framework.
Source: Testimony Summaries
Arguments opposed
Reasons to oppose this legislation.
Opponents of HB 4055 express concerns about the bill's potential impact on local agencies, small districts, and rural communities. They argue that the new reporting requirements could create unnecessary complexity, undermine local agency flexibility during cybersecurity incidents, and divert critical resources from small cities with limited budgets and resources. Specifically, they point to the 48-hour incident reporting requirement as potentially infeasible for counties and parks agencies due to limited IT resources and operational responsibilities, and express concerns about the disparate treatment of municipally owned and operated electric utilities compared to investor-owned utilities and rural electric cooperatives.
Read the latest version inline or switch to a previous version.