Each year thousands of Oregonians become
victims of identity theft. According to the Federal Trade
Commission, Oregon is ranked 30th in the nation for this crime.
Victims of identity theft suffer both financially and emotionally.
Those who have had their personal information stolen may encounter
multiple unauthorized charges on credit cards and unauthorized
withdrawals from their bank accounts. The result may be damaged
credit records, which can take months or even years to clean
up. Identity theft victims also lose their sense of security,
much as victims of a home burglary do.
In recognition of Oregon's large percentage
of small businesses, the components of the law can be adapted
and implemented whether you have five employees or 500 employees.
Below are the specific protections of the
All Oregonians can place a security freeze on their
credit file maintained by a credit reporting agency, such
as Equifax, Experian, or TransUnion. A security freeze means
that your file cannot be shared with potential creditors.
Most businesses will not open credit accounts without first
checking a consumer's credit history. There is no fee if
you are a victim of identity theft or you have reported
the theft of your personal information to a law enforcement
agency. For other consumers, each credit reporting agency
will charge a fee of $10 - a total of $30 to freeze your
If you do place a security freeze on your
report, you can "thaw" your file to apply for
new credit. Law enforcement agencies, government agencies
including child support, and businesses collecting existing
debt will still be able to access your credit file.
Notification of a Breach
Anyone (business, organization, or individual) who maintains
personal information of Oregon consumers will be required
to notify his or her customers if computer files containing
that personal information have been subject to a security
The notification must be done as soon as
possible unless law enforcement believes the notification
will impede a criminal investigation. In most cases you
can notify in writing, but the law allows for electronic
notice if this is the primary manner of communication between
you and the consumer, or telephone notice if you contact
the person directly. If you demonstrate the cost of notification
is more than $250,000 or the number of individuals to be
notified is more than 350,000, you may notify through major
Oregon television and newspaper media.
If an investigation into the breach by
a federal, state or local law enforcement agency determines
there is no reasonable likelihood of harm to consumers,
notification is not required. The same is true if the data
involved in the breach was encrypted or made unreadable.
Note: A business or organization that is
subject to and complies with the Gramm-Leach-Bliley Act's
notification requirements does not need to develop a further
process. However, if the breach involves your employees,
you must follow Oregon's notification requirements.
Protection of Social Security numbers
Consumers are especially vulnerable to identity theft if
their Social Security number has fallen into the wrong hands.
The law prohibits anyone from printing Social Security numbers
on cards or documents or publicly displaying or posting
a Social Security number. This doesn't apply to the use
of SSNs for internal verification purposes. The law allows
an exception for records that are required by law to be
made available to the public or filed with courts.
Safeguarding personal information
If you collect personal information from an individual,
such as driver's license numbers or Social Security numbers,
you must develop, implement and maintain reasonable safeguards
to protect the security and confidentiality of the information.
This also includes the proper disposal of information.
Any individual, business, government agency,
or organization that is subject to and complies with the notification
and data safeguard requirements or guidance adopted under
the Gramm-Leach-Bliley Act already meets Oregon's requirements
for notification and data safeguarding. In addition, individuals,
businesses, government agencies, or organizations that are
subject to and comply with the data safeguard requirements
or guidance adopted under the Health Insurance Portability
and Accountability Act (HIPAA) do not need to develop additional
data safeguards. However, none of these exceptions apply when
there is a breach involving your employees' information
or you are developing safeguards to protect your employees
The Department of Consumer and Business Services
is charged with enforcing these new laws.