The Oregon Identity Theft Protection Act
The Oregon Consumer Identity Theft Protection Act - passed
by the 2007 legislature - means consumers will have more tools to protect
themselves against identity theft, and Oregon businesses and government will
have clear direction and expectations to ensure the safety of the personal
identifying information they maintain. Personal information includes a consumer's
name in combination with a Social Security number, Oregon drivers license
number or Oregon identification card, financial, credit or debit card number
along with a security or access code or password that would allow someone
access to a consumer's financial account.
Tools for Consumers
|
|
Tools for Businesses
|
|
|
|
|
|
Webinar Available - Oregon
and Federal Information on Identity (ID) Theft
Attention small business owners, financial institutions, and payroll or
tax professionals. Learn about the types of ID Theft, and how businesses,
taxpayers, IRS, your Social Security or Employer Identification Number
may be impacted. Representatives from the state of Oregon, Federal Trade
Commission, Social Security Administration, & Internal Revenue Service
will provide you with the knowledge to help you learn how to protect your
identity and your business.
For technical help, please call 1-800-843-9166
|
The Department's Division of Finance
and Corporate Securities has developed materials and presentations for
consumers and businesses to better understand their rights and responsibilities.
If you would like to schedule a presentation,
please contact Diane Childs, Identity Theft Program Outreach Coordinator
at 503-947-7423 or diane.m.childs@state.or.us.
|
Each year thousands of Oregonians become victims of identity
theft. According to the Federal Trade Commission, Oregon is ranked 13th in
the nation for this crime. Victims of identity theft suffer both financially
and emotionally. Those who have had their personal information stolen may
encounter multiple unauthorized charges on credit cards and unauthorized withdrawals
from their bank accounts. The result may be damaged credit records, which
can take months or even years to clean up. Identity theft victims also lose
their sense of security, similar to a home burglary.
Recognizing that Oregon has a large percentage of small businesses,
the components of the law can be adapted and implemented whether you have
five employees or 500 employees.
Below are the specific protections of the law:
Security Freeze
All Oregonians will be able to place a security freeze on their credit
file maintained by a credit reporting agency, such as Equifax, Experian,
or TransUnion. A security freeze means that your file cannot be shared with
potential creditors. Most businesses will not open credit accounts without
first checking a consumer's credit history. There is no fee if you are a
victim of identity theft or you have reported the theft of their personal
information to a law enforcement agency. For other consumers, each credit
reporting agency will charge a fee of $10 - a total of $30 to freeze your
files.
If you do place a security freeze on your report you can
"thaw" their file to apply for new credit. Law enforcement agencies
and government agencies including child support and businesses collecting
existing debt still will be able to access your credit file.
Notification of a Breach
Anyone (business, organization, or individual) who maintains personal information
of Oregon consumers will be required to notify his or her customers if computer
files containing that personal information have been subject to a security
breach.
The notification must be done as soon as possible unless
law enforcement believes the notification will impede a criminal investigation.
In most cases you can notify in writing, but the law allows for electronic
notice if this is the primary manner of communication between you and the
consumer, or telephone notice if you contact the person directly. If you
demonstrate the cost of notification is more than $250,000 or the number
of individuals to be notified is more than 350,000, you may notify through
major Oregon television and newspaper media.
If an investigation into the breach by a federal, state
or local law enforcement agency determines there is no reasonable likelihood
of harm to consumers, notification is not required. The same is true if
the data involved in the breach was encrypted or made unreadable.
Note: A business or organization that is subject to and
complies with the Gramm-Leach-Bliley Act's notification requirements do
not need to develop a further process. However, if the breach involves your
employees, you must follow Oregon's notification requirements.
Protection of Social Security numbers
Consumers are especially vulnerable to identity theft if their Social Security
number has fallen into the wrong hands. The law prohibits anyone from printing
Social Security numbers on cards or documents or publicly displaying or
posting a Social Security number. This doesn't apply to the use of SSNs
for internal verification purposes. The law allows an exception for records
that are required by law to be made available to the public or filed with
courts.
Safeguarding personal information
If you collect personal information from an individual, such as driver's
license numbers or Social Security numbers, you must develop, implement
and maintain reasonable safeguards to protect the security and confidentiality
of the information. This also includes the proper disposal of information.
Any individual, business, government agency, or organization
that is subject to and complies with the notification and data safeguard requirements
or guidance adopted under the Gramm-Leach-Bliley Act already meets Oregons
requirements for notification and data safeguarding. In addition, individuals,
businesses, government agencies, or organizations that are subject to and
comply with the data safeguard requirements or guidance adopted under the
Health Insurance Portability and Accountability Act (HIPAA) do not need to
develop additional data safeguards. However, none of these exceptions apply
when there is a breach involving your employees information or you are
developing safeguards to protect your employees information.
The Department of Consumer and Business Services is charged
with enforcing these new laws.