Frequently Asked Questions
Q: What is the Identity Theft Protection Act?
A: The Oregon Legislature passed the act in 2007
requiring businesses, organizations, government agencies, and individuals
that collect and maintain personal identifying information to ensure
the security of that information.
Q: What is "personal identifying information"?
A: A person's name in combination with a Social
Security number, Oregon driver license number or Oregon identification
card number, passport number, financial account or credit or debit
card numbers along with security or access codes or password that
would provide access to a financial account.
Q: What does the law require?
A: The law contains three components to protect
- Notification of a Security Breach. Anyone
(business, organization, government agency, or individual) that
maintains personal information of Oregon consumers will be required
to notify his or her customers if computer files containing that
personal information have been subject to a security breach. You
need to notify as soon as possible unless law enforcement determines
it would impede a criminal investigation.
- Protection of Social Security numbers.
Those who keep Social Security numbers cannot print Social Security
numbers on cards or documents that are mailed, unless the consumer
has requested information that requires an SSN, or publicly display
or post a Social Security number. This does not apply to the use
of SSNs for internal verification purposes. The law allows an
exception for records that are required by law to be made available
to the public.
- Safeguarding Data. If you collect personal
identifying information, you must develop, implement, and maintain
reasonable safeguards to protect the security and confidentiality
of the information. This also includes the proper disposal of
Q: How does a business have to notify consumers in case
of a security breach?
A: In the majority of cases you can notify your
customers in writing; however, the law allows notification through
electronic means if this is the primary manner of communication
between you and your customers. Telephone notification can be used
provided that you directly contact each customer.
Q: Can I just notify people through the media or post it
on my website?
A: If the cost of notification is more than $250,000
or the number of individuals to be contacted is more than 350,000,
you can notify through major Oregon television and newspaper media
and conspicuously post a notice and a link to the notice on your
website if you maintain one.
Q: My organization is subject to and complies with the Gramm-Leach-Bliley
Act. Do I need to follow Oregon's requirements for breach notification?
A: If a business, organization, or government agency
is subject to and complies with notification regulations or guidance
adopted under the Gramm-Leach-Bliley Act, it does not need to develop
a further process. However, if the breach involves the personal
identifying information of your employees, you must follow Oregon's
Q: If we have a security breach involving our employees'
personal identifying information and some employees live outside of Oregon,
do we still follow Oregon law to notify them?
A: For the employees living in Oregon, you would
follow Oregon law in notification procedures. However, for those
employees living outside of Oregon, you would follow the employee's
home state notification law, if there is one. Of course, you can
always notify your employee, even if the home state would not require
Q: What do I need to do to comply with the data safeguard
A: In general, you must protect the security, confidentiality,
and integrity of the personal information you maintain, including
the disposal of information that is no longer needed, by developing
and implementing an information security plan.
According to the Identity Theft Protection Act,
a security plan includes:
- Administrative safeguards such as identifying
what personal information you keep and how to keep it safe, training
employees in security program practices and procedures, and ensuring
that contracted service providers are capable of supplying and
maintaining systems that protect sensitive information.
- Technical safeguards such as assessing
risks in network and software design, and detecting, preventing,
and responding to attacks or system failures.
- Physical safeguards such as protecting
against unauthorized access to or use of personal identifying
information, and disposing of information that is no longer needed
by way of shredding, burning, or erasing electronic data so that it
is unreadable or cannot be reconstructed.
Q: Is it true that if I follow the data safeguard regulations
in the Health Insurance Portability and Accountability Act (HIPAA), I don't
need to develop further safeguards?
A: If your business or organization, including
government, is subject to and complies with regulations or guidance
adopted under HIPAA, you do not need to create a further process.
The same is true if you also are subject to and comply with regulations
adopted under the federal Gramm-Leach-Bliley Act in regard to protecting
sensitive information. However, you must follow Oregon's requirements
in safeguarding the personal identifying information of your employees.