Requirements of Oregon’s New Identity Theft Law for Oregon Businesses

Jun.19.2008

COPYRIGHT AND DISCLAIMER

The following article and all information contained on this website are for informational purposes only and do not constitute legal advice. This information is not intended to create an attorney-client relationship, and the receipt or viewing of it does not create or constitute an attorney-client relationship. You should not act upon any information contained on this website without consulting an attorney for individual advice regarding your own situation.
© 2012 Buckley Law All rights reserved.


Oregon adopted a new identity theft law effective the first of this year that puts additional requirements on businesses to safeguard the “consumer personal information” of their customers, members, and clients. (Chapter 759 Oregon Laws 2007) Consumer personal information includes the individual’s first name or first initial in combination with his or her social security number, driver’s license, passport number, financial account numbers, and credit or debit cards.

With certain governmental exceptions, Social Security numbers must not be printed on (i) any materials not specifically requested by the consumer, or (ii) any documents mailed to the consumer, unless the numbers are redacted.

The new law also requires that any person or entity with access to personal information must develop, implement, and maintain reasonable safeguards to protect the confidentiality and integrity of the information, including secure disposal.

This information security program must include administrative safeguards, designate employees to coordinate the program, assess the risks in network and software design, and require that data service providers be capable of maintaining appropriate safeguards. The program must also be adjustable in light of business changes or new circumstances. The requirements are not limited to electronic security but must also include physical safeguards such as assessing the risks of information storage and disposal and preventing unauthorized access.

Manufacturers with fewer than 200 employees (or other businesses with fewer than 50 employees) may comply with new requirements if the information security and disposal program they adopt contains administrative, technical, and physical safeguards, as well as disposal measures appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information collected.

If there is a breach of data security, the new law requires mandatory reporting and notice to consumers, television and newspaper media, governmental agencies, and consumer reporting agencies. Consumers can also put a “security freeze” on their consumer credit report which will prevent information from the credit report from being released (with certain exceptions) without prior express authorization from the individual.

What does this mean for the average Oregon business?

  • Review the information you collect on your customers. Is the data stored in a secure place? Who has access to this information? Are your computer files password protected? Do janitorial or maintenance personnel have access to your customers’ confidential information? Do you shred all confidential information after use?
  • Are you collecting Social Security numbers, drivers’ license numbers, credit card numbers, and other sensitive information? Is this information really necessary or are there alternative means of identification? Do you redact these numbers so only the last four digits are used? Do your customer mailings include sensitive data?
  • What kind of network security do you have? Do you have confidentiality agreements with your vendors, including your IT professionals and archive services? Do you purge old client or customer personal information?
  • If you are involved on the board of a non-profit or charitable organization (think church or soccer league), make sure they protect information the same way a business would — the standards are no different.
  • Have you drafted a written information security program and designated a person in your office to train employees to implement the program?

The penalties for violating the new act can be severe. In addition to all other penalties, the Department of Consumer and Business Services can impose fines of $1,000 for every violation. Each violation is a separate offence and in the case of a continuing violation each day’s continuance is a separate violation. The maximum penalty per occurrence is $500,000.

The real penalty is not the threat of fines but the risk to your goodwill. A year or two ago, one of my clients was notified by the police that his mortgage application file was discovered during the arrest of an identity theft ring. He came to me wanting to sue the mortgage company that had failed to protect the security of his personal information. Can you imagine the loss of customers (let alone liability) your business would suffer if an identity theft was publicized and your customers found out that their confidential information was being sold on the street?

