
Safeguarding personal information

Your Responsibility...
The Oregon Identity Theft Protection Act requires you to develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of the personal information you hold. Safeguarding also means properly disposing of that information once it is no longer needed.

The following steps will assist you in implementing an information security program that will help minimize breach risks.

Assess

Know what information you have on computers and in files by taking inventory of all information you have by type and location. This also includes how you receive personal information through Web sites, from contractors, and others. Be sure you know what sensitive information is stored on laptops, employees' home computers, flash drives, cell phones, and personal digital assistants (PDAs).

As part of the assessment, take a look at the effectiveness of existing security safeguards to see if there are any foreseeable internal or external risks with your network or the software used.

Protect

Lost or stolen paper documents containing personal identifying information make you vulnerable to a security breach. The best defense in securing paper documents, as well as CDs, floppy disks, zip drives, tapes, and backups, is locking them in a file cabinet or placing them in a locked room with limited access. Develop a plan for your employees outlining procedures to securely store sensitive information, including whether and how devices can be taken off the premises. And ensure that sensitive information stored on laptops is encrypted.

Reduce

If you don't have a need for certain personal identifying information, don't keep it. And don't collect sensitive consumer information, such as a Social Security number, if there is not a legitimate business need. If this information does serve a need, design a record retention plan that outlines what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely once you no longer need it.

Train

Make sure employees know what personal identifying information is, know how important it is to safeguard it, and know your security program practices and procedures. Personal identifying information includes a person's name in combination with a Social Security number, an Oregon driver's license number or Oregon identification card number, or a financial, credit, or debit card number along with any security or access codes or passwords that would allow someone to access that person's financial accounts. Likewise, train your employees on notification procedures in the event of a security breach.

To help spread the word, designate one or more employees to coordinate the training of the security program.

Detect

Regularly assess security risks by testing and monitoring key controls, systems, and procedures. In addition, look at any risk to your information storage whether it is a locking file cabinet or electronic system. This will help in quickly responding to any attacks or intrusions.

When selecting outside service providers, know their capabilities in maintaining appropriate safeguards and require these safeguards in your contract with them.

Destroy

Protect against any unauthorized access to or use of the personal identifying information you maintain and no longer need by properly destroying it. Hard copy records with sensitive information should be shredded, burned, or pulverized. Any electronic records should be erased in such a way that they cannot be read or reconstructed.

The Oregon Legislature recently passed a law to encourage the recycling of electronic devices, including desktop and laptop computers. Because you are responsible for safeguarding any personal identifying information that may be on a computer, if you choose to recycle you should first properly dispose of any electronic records that contain personal identifying information by erasing or destroying the hard drive, or reach an agreement with the company collecting the equipment that it will properly dispose of the information.

Exceptions

Any individual, business, or organization that is subject to and complies with data safeguard regulations or guidance adopted under the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA) does not need to develop additional processes. However, if you are developing safeguards to protect the personal information of your employees, you must follow Oregon's data safeguard requirements.

Requirements for safeguarding data

According to the Oregon Identity Theft Protection Act, a security program that includes the following will be considered in compliance with the requirement to maintain reasonable safeguards to protect personal information:

  • Administrative safeguards
    • Designate one or more employees to coordinate the security program.
    • Identify reasonably foreseeable internal and external risks.
    • Assess the sufficiency of safeguards in place to control the identified risks.
    • Train and manage employees in the security program practices and procedures.
    • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.
    • Adjust the security program in light of business changes or new circumstances.

  • Technical safeguards
    • Assess risks in network and software design.
    • Assess risks in information processing, transmission and storage.
    • Detect, prevent and respond to attacks or system failures.
    • Regularly test and monitor the effectiveness of key controls, systems and procedures.

  • Physical safeguards
    • Assess risks of information storage and disposal.
    • Detect, prevent and respond to intrusions.
    • Protect against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information.
    • Dispose of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying electronic media so that the information cannot be read or reconstructed.

Owners of a small business, defined as one with 200 or fewer employees in a manufacturing business or 50 or fewer employees in other types of business, comply with the safeguard requirements if the business's information security and disposal program contains administrative, technical, and physical safeguards and disposal measures appropriate to the business's size and complexity, the nature and scope of its activities, and the sensitivity of the personal information it collects, including personnel records.

The Federal Trade Commission has additional information on assessing risk and safeguarding sensitive data:

  • Security Check: Reducing Risks to your Computer System
  • Information Compromise and the Risk of Identity Theft
  • Financial Institutions and Customer Information: Complying with the Safeguards Rule
  • Protecting Personal Information - A Guide for Business