
Protect the Information You Keep
A key piece of Oregon's identity theft law takes effect Jan. 1, 2008. By that date,
Oregon businesses, organizations, and government agencies will need to have
a plan in place to protect the sensitive data they collect, keep and share.
The law requires you to develop, implement, and maintain reasonable safeguards.
This includes a number of measures such as designating one or more of your
employees to coordinate a security program; assessing your information processing,
transmission, and storage risks; and detecting, preventing, and responding
to computerized intrusions. It also includes the proper disposal of information
through shredding, or burning, or rendering it unreadable in electronic form
through encryption or similar procedure.
The Department's Division of Finance and Corporate Securities
has developed materials and presentations for consumers and businesses
to better understand their rights and responsibilities.
If you would like to schedule a presentation, please contact
Diane Childs, Identity Theft Program Outreach Coordinator, at 503-947-7423
or diane.m.childs@state.or.us.
The Oregon Identity Theft Protection Act
The Oregon Consumer Identity Theft Protection Act - passed by the 2007 legislature
- means consumers will have more tools to protect themselves against identity
theft, and Oregon businesses and government will have clear direction and
expectations to ensure the safety of the personal identifying information
they maintain. Personal information includes a consumer's name in combination
with a Social Security number, Oregon driver's license number or Oregon identification
card, financial, credit or debit card number along with a security or access
code or password that would allow someone access to a consumer's financial
account.
Each year thousands of Oregonians become victims of identity theft. According
to the Federal Trade Commission, Oregon is ranked 13th in the nation for this
crime. Victims of identity theft suffer both financially and emotionally. Those
who have had their personal information stolen may encounter multiple unauthorized
charges on credit cards and unauthorized withdrawals from their bank accounts.
The result may be damaged credit records, which can take months or even years
to clean up. Identity theft victims also lose their sense of security, similar
to a home burglary.
Recognizing that Oregon has a large percentage of small businesses, the components
of the law can be adapted and implemented whether you have five employees or
500 employees.
Below are the specific protections of the law:
· Security Freeze - Effective October 1, 2007
All Oregonians will be able to place a security freeze on their credit
file maintained by a credit reporting agency, such as Equifax, Experian,
or TransUnion. A security freeze means that your file cannot be shared with
potential creditors. Most businesses will not open credit accounts without
first checking a consumer's credit history. There is no fee if you are a
victim of identity theft or you have reported the theft of your personal
information to a law enforcement agency. For other consumers, each credit
reporting agency will charge a fee of $10 - a total of $30 to freeze your
files.
If you do place a security freeze on your report, you can "thaw"
your file to apply for new credit. Law enforcement agencies and government
agencies including child support and businesses collecting existing debt still
will be able to access your credit file.
· Notification of a Breach - Effective October 1, 2007
Anyone (business, organization, or individual) who maintains personal information
of Oregon consumers will be required to notify his or her customers if computer
files containing that personal information have been subject to a security
breach.
The notification must be done as soon as possible unless law enforcement
believes the notification will impede a criminal investigation. In most
cases you can notify in writing, but the law allows for electronic notice
if this is the primary manner of communication between you and the consumer,
or telephone notice if you contact the person directly. If you demonstrate
the cost of notification is more than $250,000 or the number of individuals
to be notified is more than 350,000, you may notify through major Oregon
television and newspaper media.
If an investigation into the breach by a federal, state or local law enforcement
agency determines there is no reasonable likelihood of harm to consumers,
notification is not required. The same is true if the data involved in the
breach was encrypted or made unreadable.
Note: A business or organization that is subject to and complies with the
Gramm-Leach-Bliley Act's notification requirements does not need to develop
a further process. However, if the breach involves your employees, you must
follow Oregon's notification requirements.
· Protection of Social Security numbers - Effective October 1, 2007
Consumers are especially vulnerable to identity theft if their Social Security
number has fallen into the wrong hands. The law prohibits anyone from printing
Social Security numbers on cards or documents or publicly displaying or posting
a Social Security number. This doesn't apply to the use of SSNs for internal
verification purposes. The law allows an exception for records that are required
by law to be made available to the public or filed with courts.
· Safeguarding personal information - Effective January 1, 2008
If you collect personal information from an individual, such as driver's license
numbers or Social Security numbers, you must develop, implement and maintain
reasonable safeguards to protect the security and confidentiality of the information.
This also includes the proper disposal of information.
Any individual, business, government agency, or organization that is subject
to and complies with the notification and data safeguard requirements or guidance
adopted under the Gramm-Leach-Bliley Act already meets Oregon's requirements
for notification and data safeguarding. In addition, individuals, businesses,
government agencies, or organizations that are subject to and comply with
the data safeguard requirements or guidance adopted under the Health Insurance
Portability and Accountability Act (HIPAA) do not need to develop additional
data safeguards. However, none of these exceptions apply when there is a breach
involving your employees' information or you are developing safeguards
to protect your employees' information.
The Department of Consumer and Business Services is charged with enforcing
these new laws.
Click here to see a copy of Senate Bill 583