New Oregon Privacy Laws: The Cost of Shifting Risks

New Oregon Privacy Laws: The Cost of Shifting Risks

By Shannon Raye Martinez
Saalfeld Griggs PC

Identity theft has become a hot topic and concern for all across the country, so it should come as no surprise that the Oregon legislature adopted new laws relating to identity theft in the last legislative session. This new statute, called the Oregon Consumer Identity Theft Protection Act (“CTPA”), creates some new safeguards for consumers. The statute also places many obligations on all individuals and businesses that possess financial data. This article provides an overview of some of the new rules and obligations.

CTPA applies to all “persons” that own, maintain or possess consumers’ personal information in their occupation, business and volunteer activities. “Persons” include businesses and individuals. “Personal information” includes social security numbers, drivers’ license numbers and any financial account numbers. Employers and financial institutions will be affected by CTPA the most, but the new law applies to all for-profit and non-profit businesses.

There are two main requirements of CTPA that will affect many businesses. First, the law imposes new notice requirements, which already went into effect on October 1, 2007. These provisions require persons holding the personal information to follow certain procedures in the event of a security breach. Written notification must be sent to anyone who owns the information without unreasonable delay. Telephone notice is not enough, unless you can show that you talked directly to the affected consumer. CTPA also imposes specific requirements for the content of the notice, including detailed information about the security breach.

Second, CTPA requires all persons who own, maintain or possess consumers’ personal information to put safeguards in place to protect the consumers’ personal information. The safeguard provisions of CTPA will go into effect on January 1, 2008. Information security programs must be implemented by those who possess the consumers’ personal information no later than the first of the year. Businesses will be required to review their current practices and programs, assess foreseeable risks and adjust their programs to meet potential risks. Several different types of safeguards are required under CTPA in three distinct categories: administrative, technical and physical.

Administrative safeguards include such items as employee training in security programs and practices and the designation of employees to coordinate the security program. Technical safeguards involve review and testing of the sufficiency of the network and software where the personal information is stored electronically. Physical safeguards include such things as ensuring that the personal information is disposed of properly and the prevention of unauthorized access to the building.

Small businesses, as defined by statute and typically including businesses of less than fifty employees, are deemed in compliance with the safeguarding requirements of CTPA if their security and disposal program contains measures appropriate to the nature of the business and the sensitivity of the personal information. While this provision appears to provide some type of safe harbor or lesser requirements to the small business, unfortunately CTPA does not provide small businesses with guidance or clarifications as to what procedures they should follow to be in compliance with the law.

The Department of Consumer and Business Services enforces CTPA and has the right to penalize anyone who does not comply with the statute. A person can be fined $1,000 for each violation, and for continuing violations, the penalty is a fine of $1,000 per day, up to $500,000. These penalties are in addition to any civil liability to the consumer for failing to properly safeguard their information.

This article provides only a brief overview of the requirements of CTPA. CTPA is very detailed and contains many rules and regulations for those who possess consumers’ personal information. Those individuals and businesses affected by CTPA will need to carefully review the law and their policies with respect to financial information. If you have questions regarding CTPA or the implementation of safeguards to protect personal information, please contact a member of the firm’s Litigation and Employment Group.