Text Size:   A+ A- A   •   Text Only

Safeguarding personal information

Your Responsibility. . .
The Oregon Identity Theft Protection Act requires you to develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of the information. Safeguarding also means properly disposing of information.

The following steps will help you implement an information security program that will help minimize breach risks.

Assess

Know what information you have on computers and in files by taking inventory of all information you have by type and location. This also includes how you receive personal information through websites, from contractors, and others. Be sure you know what sensitive information is stored on laptops, tablets, employees' home computers, flash drives, and cell phones.

As part of the assessment, take a look at the effectiveness of existing security safeguards to see if there are any foreseeable internal or external risks with your network or the software used.

Protect

Lost or stolen paper documents containing personal identifying information makes you vulnerable to a security breach. The best defense in securing paper documents, as well as CDs, zip drives, tapes, and backups, is locking them in a file cabinet or placing them in a locked room with limited access. Develop a plan for your employees outlining procedures to securely store sensitive information, including if or how devices can be taken off the premises. Ensure that sensitive information stored on laptops is encrypted.

Reduce

If you do not need certain personal identifying information, don't keep it. Do not collect sensitive consumer information, such as a Social Security number, if there is not a legitimate business need. If this information does serve a need, design a record retention plan that outlines what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely once you no longer need it.

Train

Make sure employees know what personal identifying information is, how important it is to safeguard it, and your security program practices and procedures. Personal identifying information includes a person's name in combination with a Social Security number, Oregon driver license number or Oregon identification card number, or a financial account or credit or debit card number along with security or access codes or passwords that allow someone to access your financial accounts. Likewise, train your employees on notification procedures in the event of a security breach.

To help spread the word, designate one or more employees to coordinate the training of the security program.

Detect

Regularly assess security risks by testing and monitoring key controls, systems, and procedures. In addition, look at any risk to your information storage, whether it is a locking file cabinet or electronic system. This will help in quickly responding to any attacks or intrusions.

When selecting outside service providers, know their capabilities in maintaining appropriate safeguards and require these safeguards in your contract with them.

Destroy

Protect against any unauthorized access or use of the personal identifying information you maintain and no longer need by properly destroying it. Hard-copy records with sensitive information should be shredded, burned, or pulverized. Any electronic records should be erased in such a way that they cannot be read or reconstructed.

Recycling electronic equipment

You can recycle your old computers and monitors at certain collection and service sites near you by contacting the Oregon E-cycle Program at 1-888-532-9253 or by going to their website. Just remember, you are responsible for safeguarding any personal identifying information that may be on a computer so before you recycle, make sure you properly erase or destroy any electronic records or the hard drive with personal information.

Exceptions

Note: Any individual, business, government agency, or organization that is subject to and complies with data safeguard regulations or guidance adopted under the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA) does not need to develop additional processes. However, you must follow Oregon’s requirements to protect your employee’s personal information, such as Social Security numbers or financial data as HIPAA does not cover this information.

Requirements for safeguarding data
According to the Oregon Identity Theft Protection Act, a security program includes the following and will be considered in compliance with the requirements to maintain reasonable safeguards to protect personal information:

  • Administrative safeguards
    • Designate one or more employees to coordinate the security program.
    • Identify reasonably foreseeable internal and external risks.
    • Assess the sufficiency of safeguards in place to control the identified risks.
    • Train and manage employees in the security program practices and procedures.
    • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.
    • Adjust the security program in light of business changes or new circumstances.

  • Technical safeguards
    • Assess risks in network and software design.
    • Assess risks in information processing, transmission and storage.
    • Detect, prevent, and respond to attacks or system failures.
    • Regularly test and monitor the effectiveness of key controls, systems, and procedures.

  • Physical safeguards
    • Assess risks of information storage and disposal.
    • Detect, prevent, and respond to intrusions.
    • Protect against unauthorized access to or use of personal information during or after the collection, transportation, and destruction or disposal of the information.
    • Dispose of personal information after it is no longer needed for business purposes or as required by local, state, or federal law by burning, pulverizing, shredding, or modifying a physical record and by destroying electronic media so that the information cannot be read or reconstructed.

Owners of a small business, defined as 200 or fewer employees in manufacturing business or 50 or fewer employees in other types of business, comply with the safeguard requirements if its information security and disposal program contains the administrative, technical, and physical safeguards and disposal measures appropriate to the size and complexity of the business as well as the nature, scope of its activities, and the sensitively of the personal information it collects including personnel records.

The Federal Trade Commission has more information in assessing risk and safeguarding sensitive data:

Security Check: Reducing Risks to your Computer System

Information Compromise and the Risk of Identity Theft

Financial Institutions and Customer Information: Complying with the Safeguards Rule

Protecting Personal Information - A Guide for Business