Text Size: A+| A-| A   |   Text Only Site   |   Accessibility
Division of Finance and Corporate Securities (DFCS)

About Us

Contact Us

DFCS Home

Consumer Alerts & News Releases

En EspaƱol

FAQs

Forms

Jobs with DFCS

Legislation

License Holder Search

Licenses/Registrations

Program Links

Publications

Reports & Activity

Requests for Opinions and Interpretations

Search for Enforcement Orders

Site Map

Statutes & Rules

 

The Oregon Identity Theft Protection Act

The Oregon Consumer Identity Theft Protection Act - passed by the 2007 legislature - means consumers will have more tools to protect themselves against identity theft, and Oregon businesses and government will have clear direction and expectations to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer's name in combination with a Social Security number, Oregon drivers license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer's financial account.

Tools for Consumers
Tools for Businesses
 
Click here to see Oregon Revised Statute 646A.600 - Identity Theft Protection Act
Note: Please scroll down below the section descriptions to access full text of 646A.600.
 
Webinar Available - Oregon and Federal Information on Identity (ID) Theft
Attention small business owners, financial institutions, and payroll or tax professionals. Learn about the types of ID Theft, and how businesses, taxpayers, IRS, your Social Security or Employer Identification Number may be impacted. Representatives from the state of Oregon, Federal Trade Commission, Social Security Administration, & Internal Revenue Service will provide you with the knowledge to help you learn how to protect your identity and your business.

For technical help, please call 1-800-843-9166

The Department's Division of Finance and Corporate Securities has developed materials and presentations for consumers and businesses to better understand their rights and responsibilities.

If you would like to schedule a presentation, please contact Diane Childs, Identity Theft Program Outreach Coordinator at 503-947-7423 or diane.m.childs@state.or.us.


Each year thousands of Oregonians become victims of identity theft. According to the Federal Trade Commission, Oregon is ranked 13th in the nation for this crime. Victims of identity theft suffer both financially and emotionally. Those who have had their personal information stolen may encounter multiple unauthorized charges on credit cards and unauthorized withdrawals from their bank accounts. The result may be damaged credit records, which can take months or even years to clean up. Identity theft victims also lose their sense of security, similar to a home burglary.

Recognizing that Oregon has a large percentage of small businesses, the components of the law can be adapted and implemented whether you have five employees or 500 employees.

Below are the specific protections of the law:

Security Freeze
All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion. A security freeze means that your file cannot be shared with potential creditors. Most businesses will not open credit accounts without first checking a consumer's credit history. There is no fee if you are a victim of identity theft or you have reported the theft of their personal information to a law enforcement agency. For other consumers, each credit reporting agency will charge a fee of $10 - a total of $30 to freeze your files.

If you do place a security freeze on your report you can "thaw" their file to apply for new credit. Law enforcement agencies and government agencies including child support and businesses collecting existing debt still will be able to access your credit file.

Notification of a Breach
Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.

The notification must be done as soon as possible unless law enforcement believes the notification will impede a criminal investigation. In most cases you can notify in writing, but the law allows for electronic notice if this is the primary manner of communication between you and the consumer, or telephone notice if you contact the person directly. If you demonstrate the cost of notification is more than $250,000 or the number of individuals to be notified is more than 350,000, you may notify through major Oregon television and newspaper media.

If an investigation into the breach by a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, notification is not required. The same is true if the data involved in the breach was encrypted or made unreadable.

Note: A business or organization that is subject to and complies with the Gramm-Leach-Bliley Act's notification requirements do not need to develop a further process. However, if the breach involves your employees, you must follow Oregon's notification requirements.

Protection of Social Security numbers
Consumers are especially vulnerable to identity theft if their Social Security number has fallen into the wrong hands. The law prohibits anyone from printing Social Security numbers on cards or documents or publicly displaying or posting a Social Security number. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.

Safeguarding personal information
If you collect personal information from an individual, such as driver's license numbers or Social Security numbers, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.

Any individual, business, government agency, or organization that is subject to and complies with the notification and data safeguard requirements or guidance adopted under the Gramm-Leach-Bliley Act already meets Oregon’s requirements for notification and data safeguarding. In addition, individuals, businesses, government agencies, or organizations that are subject to and comply with the data safeguard requirements or guidance adopted under the Health Insurance Portability and Accountability Act (HIPAA) do not need to develop additional data safeguards. However, none of these exceptions apply when there is a breach involving your employees’ information or you are developing safeguards to protect your employees’ information.

The Department of Consumer and Business Services is charged with enforcing these new laws.

 

 


Text Only | About Oregon.gov | Oregon.gov|
File Formats | Oregon Administrative Rules | Oregon Revised Statutes | Privacy Policy |

Get Adobe Acrobat ReaderAdobe Reader is required to view PDF files. Click the "Get Adobe Reader" image to get a free download of the reader from Adobe. Available for Macintosh or Windows.