Oregon has one of the most expansive identify theft prevention laws in the nation, and changes that went into effect this past January further broadened its application. Codified at ORS 646A.600 et seq., the Oregon Consumer Identity Theft Prevention Act (“the Act”) requires both individuals and a range of corporate entities to protect the personal information of Oregon residents. In general terms, the Act directs that persons who maintain the personal information of consumers must (1) notify consumers of security breaches, and (2) implement data security protocols.
What is “personal information”? Personal information includes an individual’s first and last name in combination with one or more of the following: SSN, driver’s license number or Department of Transportation ID; Passport or federal ID number; credit/debit card or financial account number with security code; biometric data; health insurance policy or subscriber number; and any information about medical history, mental or physical condition, or diagnosis by a medical provider. However, data that is protected by encryption is not considered personal information.
Who must give notice when a security breach occurs? The Act requires that a “person” who owns or licenses personal information that the “person” uses in the course of her business, vocation, occupation, or volunteer activities, and which was the subject of a security breach, must give notice of the breach. The definition of “person” is expansive and includes any individual, corporation, partnership, cooperative, association, estate, limited liability, organization, or other entity, or public body.
Notice may be given in written, electronic, or telephonic form, and must include, among other things, a general description of the breach, the approximate date of the breach, and the type of personal information at issue. When more than 250 consumers are implicated, notice must also be given to the Oregon Attorney General. When more than 1000 consumers are implicated, notice must also be given to credit reporting companies. Although there is no specific time frame for giving notice, the Act directs that notice be given “in the most expeditious manner possible, without unreasonable delay, consistent with the legitimate needs of law enforcement . . . and consistent with any measures that are necessary to determine sufficient contact information for the affected consumer, determine the scope of the breach of security and restore the reasonably integrity, security and confidentiality of the personal information.” Notice is not necessary if the person reasonably determines through investigation or consultation with law enforcement that consumers are unlikely to suffer harm.
Who must implement data security protocols? Any person who owns, maintains or otherwise possesses personal information is potentially subject to the data security requirements of the Act. These persons must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including safeguards that protect the personal information when the person disposes of the personal information.” Security protocols must take into account administrative, technical, and physical safeguards for both electronic and physical records, including proper disposal of such records once no longer needed for business purposes. The Act does not impose any specific technical requirements, but instead mandates a process-oriented approach. The “small businesses” exception for companies with 100 or fewer employees allows for a program that is appropriate to the size, needs, and complexity of the small business. There is no one-size-fits-all solution.
A final word on enforcement — the Act allows for government investigation and action against violators, including civil penalties, injunctive relief, and restitution to consumers. The civil penalties are steep, and may reach up to $1,000 per violation per day, not to exceed $500,000 per occurrence. The Act does not specifically include a private civil right of action, though it does not expressly preclude other actions allowed by law from being maintained. In addition, the Act allows the attorney general to prosecute as a violation of the Unlawful Trade Practices Act.
The Act’s application is broad, and the trend both locally and across the nation has been toward further expansion of these data security and notice requirements. Any business that maintains the sensitive “personal information” of Oregon residents, regardless of where that business is physically located, must pay close attention.