Labor, Employment and Benefits
Newsletter - May 2008

Oregon - Legislature Provides Identity Theft Protections to Employees

May 14, 2008

Louis Santiago - Portland

To paraphrase a statement by the Federal Trade Commission concerning the compromise of personal information and the risk of identity theft, today it is impossible to be a law-abiding employer and not collect or hold personally identifying information about employees and job applicants. If this information falls into the wrong hands, it could put these individuals at risk of identity theft.

Last year, Oregon joined a parade of states, led by California, that have enacted security breach notification laws in the last four years; as of the end of 2007, 39 states had done so. The security breach notification requirement of Oregon's new law, formally known as the Oregon Consumer Identity Theft Protection Act, affects employers and became effective on October 1, 2007.

While security breach notification laws are now commonplace, state legislation mandating affirmative programs to secure the personal information of employees is only now gaining traction. Oregon’s new law requires businesses that employ Oregon residents to take affirmative steps to secure their personal information. The information security program requirement of Oregon’s new law became effective on January 1, 2008.

Personal Information

Oregon’s new law generally defines personal information as an individual’s first name or first initial and last name in combination with any one or more of the following data elements:

    • Social Security number
    • driver’s license number
    • state identification card number
    • passport number or other U.S. issued identification number
    • financial account, credit card or debit card number in combination with any required security code, access code or password


Required Information Security Program

Oregon requires a business that employs Oregon residents and possesses personal information about them to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.” A compliant employer must have an information security program that includes administrative, technical and physical safeguards.

Reasonable administrative safeguards include protective measures where the employer:

    • designates one or more employees to coordinate the security program
    • identifies reasonably foreseeable internal and external risks
    • assesses the sufficiency of safeguards in place to control the identified risks
    • trains and manages employees in the security program practices and procedures
    • selects service providers capable of maintaining appropriate safeguards and requires those safeguards by contract
    • adjusts the security program in light of business changes or new circumstances

Reasonable technical safeguards include protective measures where the employer:

    • assesses risks in network and software design
    • assesses risks in information processing, transmission and storage
    • detects, prevents and responds to attacks or system failures
    • regularly tests and monitors the effectiveness of key controls, systems and procedures

Reasonable physical safeguards include protective measures where the employer:

    • assesses risks of information storage and disposal
    • detects, prevents and responds to intrusions
    • protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information
    • disposes of personal information after it is no longer needed for business purposes or as required by other laws by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed

Small employers (manufacturing businesses with 200 or fewer employees and all other businesses having 50 or fewer employees) do not need a full-blown information security program. Instead, small employers are in compliance with the new law if their program contains administrative, technical and physical safeguards as well as disposal measures appropriate to the size and complexity of their business, the nature and scope of their activities, and the sensitivity of the personal information collected from their employees.

Finally, an employer that is subject to and complies with Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. §§ 6801-6809) or the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. pts. 160 and 164), as those acts existed on October 1, 2007, is also in compliance with the new Oregon law.

Breach Notification Requirements

Generally, an employer must notify an employee who resides in Oregon of a breach of the security of that employee’s computerized personal information when the employer either discovers a breach or is otherwise notified about it. The disclosure notification must be made in the most expeditious way possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. The notification may be made by written notice, electronic notice if the customary method of communicating with the employee is by electronic means, or telephone notice. The notice should include, at a minimum, a description of the incident, the approximate date of the security breach, the type of personal information obtained as a result of the security breach, contact information for the employer and for national consumer reporting agencies, and advice to the employee to report suspected identity theft to law enforcement, including the Federal Trade Commission.

Penalties for Noncompliance

Violations of the new Oregon law can result in civil penalties of $1,000 for each violation, and each day a violation continues counts as a separate violation. The law caps the total penalty at $500,000.

For more information, email Louis A. Santiago at louis.santiago@hklaw.com or call toll free, 1.888.688.8500.