Logo: Dunn, Carney

851 SW SIXTH AVE SUITE 1500
PORTLAND, OREGON 97204

TEL 503.224.6440
FAX 503.224.7324


OREGON JOINS LIST OF STATES WITH DATA BREACH LAWS

Earlier this month, the recently enacted Oregon Consumer Identity Theft Protection Act (OCITPA) became law, making Oregon the 38th state to enact a data breach notification statute. OCITPA is intended to protect Oregon consumers against identity theft.

To whom does OCITPA apply?

OCITPA applies to any business, organization, or individual that maintains personal information of Oregon consumers. This includes most employers. The Act defines “personal information” as the consumer’s first name or first initial and last name in combination with any one or more of the following: (1) social security number; (2) driver license number or state identification card number; (3) passport number; or (4) a financial account number with an access code or password. A consumer is an individual residing in Oregon and therefore employees are included.

 

What does OCITPA require?

It requires organizations that collect and handle personal information to develop, implement, and maintain reasonable safeguards to protect the security and confidentiality of the personal information by January 1, 2008. OCITPA breaks these safeguards out into three separate categories: administrative, technical, and physical. Small businesses are allowed to implement safeguards which are appropriate to the size and complexity of the business, nature of its activities, and sensitivity of the personal information. In addition, businesses that comply with the requirements of the Gramm-Leach-Bliley Act or HIPAA are not required to develop additional protections.

Further information regarding appropriate safeguards is available at http://www.cbs.state.or.us/dfcs/identity_theft/safeguard_data.html.

 

It generally prohibits the public display or disclosure of more than the last four digits of a social security number.

It requires notification to Oregon consumers “in the most expeditious time possible and without unreasonable delay,” in the event of a security breach that may result in a disclosure of their personal information.

In most cases the notice required will be written, but OCITPA allows for electronic notice if that is the primary method of communication between the individual and the business, or telephone notice if the individual is contacted directly.

 

If the cost of notification is more than $250,000 or the number of individuals to be notified is more than 350,000, the business or organization may notify through a conspicuous posting on its website home page, coupled with concurrent notice through major statewide television and newspaper media.

OCITPA gives any Oregon resident the right to request a “security freeze” on her credit file, maintained by a credit reporting agency. If the Oregon resident is an actual victim of identity theft, the credit reporting agency may not charge the consumer a fee for the security freeze. For other Oregon residents, the credit reporting agency may charge a reasonable fee of not more than $10.

 

Who enforces OCITPA and what are the penalties for violating it?

The Oregon Department of Consumer and Business Services (DCBS) enforces OCITPA. The director of the DCBS may make public or private investigations, subpoena witnesses, and issue cease and desist orders.

 

In addition, any organization that violates or aids or abets in a violation of OCITPA shall be subject to a penalty of up to $1,000 for every day of any outstanding violation, with the maximum penalty set at $500,000. The organization will also be liable for any actual damages suffered as a result of any identity theft. While OCITPA does not create a new private right of action for consumers, it does permit the DCBS to order compensation to consumers upon finding that a private civil action would be impractical.

 

Why should you be concerned?

Oregon ranks 13th in the nation in occurrences of identity theft. There are countless ways in which identity theft can occur, from hackers breaching network security, to stolen company laptops, to independent contractors leaking information about your customers.

 

Damages resulting from a data breach can be huge. In 2005, Providence Health Systems settled claims brought by the Oregon Department of Justice, resulting from the theft of backup computer tapes and disks containing patient personal information and medical records from the parked car of a local Providence employee. Providence was required to pay a large fine, and it agreed to provide credit protection services. Providence is additionally required to compensate patients for any direct financial losses related to the data theft.

 

Be sure your data systems include the security safeguards mandated by OCITPA, and that your management and IT teams are able to respond quickly and properly in the event of a security breach!


 

 

 

If you would like more information about privacy and security laws, please contact Merrill Baumann or John Miller of Dunn Carney’s corporate counsel practice group, or Jack Cooper, a partner in Dunn Carney’s employment law practice group.

 

Thanks to summer associate Jeffrey Belcher, who assisted in the preparation of this newsletter.


Closely Held Business Team

The Closely Held Business Team - Dunn Carney is dedicated to assisting business owners in navigating through the opportunities and challenges the law presents to advance each owner’s success in business. They understand the multifaceted issues business owners face each day and the need for responsive and proactive legal counsel.

Team members include:
Randy Duncan, Team leader
Bob Allen
John Barhoum
Merrill Baumann
David Buono
Brian Cable
Jack Cooper
Ken Davis
Tim Hering
Frank Hilton
Elizabeth Howard
Scott Jonsson
Robert Kerr
JoDee Keegan
Kelly Martin
David Rossmiller
Tony Sayess
Kyle Stinchfield
Dan Vidas
Matt Wilmot
Bob Winger
David Zehntbauer


All Dunn Carney E-news are available at our website

http://www.dunncarney.com/index.php?option=content&task=section&id=1&Itemid=2


Legal disclaimer:
Nothing in this communication creates or is intended to create an attorney-client relationship with the recipient, constitutes the provision of legal advice, or creates any legal duty to the recipient. Persons seeking legal advice should first contact a member of the Closely-Held Business Team with the understanding that any attorney-client relationship would be subsequently established by a written agreement with Dunn Carney. To maintain confidentiality, recipients should not forward any unsolicited information they deem to be confidential until after an attorney-client relationship has been established by written agreement.


eNews by SynerGenii eCommunications