What Oregon Businesses Need to Remember About Data Security and Privacy
Why should my Oregon business care about data security?
The news is filled with stories of data security breaches and privacy concerns. Although modern headlines are often dominated by tales involving banks, large retailers, and technology companies, data security and privacy should be of concern to every Oregon business that has personal information about consumers. Why?
The Oregon Consumer Identity Theft Protection Act requires that individuals and organizations that own, maintain, or possess data with a consumer's personal information "develop, implement[,] and maintain reasonable safeguards to protect the security, confidentiality[,] and integrity of the personal information, including disposal of the data."
The statute's application is quite broad. It pertains to "any individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization, or other entity," including non-profit organizations and government bodies.
What if my company ignores the law?
The penalties for noncompliance can include not only an order to cease and desist, but also an order of compensation to consumers upon a finding that enforcement of the consumers' rights through private civil action would be impractical due to burden or expense.
In addition, anyone who "procures, aids[,] or abets" in a violation is subject to monetary penalties, including continuing penalties not to exceed $500,000. The statute does not preclude or limit individual lawsuits for negligence, breach of contract, or violations of consumer protection law.
What can my business do to comply?
Businesses should implement an information security program or otherwise comply with state or federal laws that provide greater protection to personal information. Companies that are subject to and comply with the Health Insurance Portability and Accountability Act will be deemed to comply with Oregon's law, as will companies that are subject to and comply with Title V of the Gramm-Leach-Bliley Act.
Otherwise, a company should implement a three-part information security program that includes administrative, technical, and physical safeguards. A company implements administrative safeguards when it does the following:
(i) Designates one or more employees to coordinate the security program;
(ii) Identifies reasonably foreseeable internal and external risks;
(iii) Assesses the sufficiency of safeguards in place to control the identified risks;
(iv) Trains and manages employees in the security program practices and procedures;
(v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(vi) Adjusts the security program in light of business changes or new circumstances.
Technical safeguards include those in which a company:
(i) Assesses risks in network and software design;
(ii) Assesses risks in information processing, transmission[,] and storage;
(iii) Detects, prevents[,] and responds to attacks or system failures; and
(iv) Regularly tests and monitors the effectiveness of key controls, systems[,] and procedures.
A business that implements the statute's physical safeguards:
(i) Assesses risks of information storage and disposal;
(ii) Detects, prevents[,] and responds to intrusions;
(iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation[,] and destruction or disposal of the information; and
(iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state[,] or federal law by burning, pulverizing, shredding[,] or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.
Although this might sound like an onerous list, a business that implements such an information security program "shall be deemed in compliance" with the statute.
What if my company is a small business?
The Oregon Legislature recognized that not all companies are the same. Therefore, a person who owns a small business (i.e., 100 or fewer employees) complies with the statute if the person's information security and disposal program contains administrative, technical, and physical safeguards and disposal measures that are "appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers."
Companies seeking to update or confirm their compliance with Oregon's data security law should consult a privacy attorney of their choice.
 Personal information means an Oregon resident's first name or first initial and last name in combination with one of the following unencrypted elements:
(i) Social Security number;
(ii) Driver license number or state identification card number issued by the Department of Transportation;
(iii) Passport number or other United States issued identification number; or
(iv) Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account.
If these elements are rendered unusable through encryption or redaction, then they are not considered personal information, unless the encryption key has been acquired.
Colin Folawn co-chairs the Privacy and Data Security practice group at Schwabe, Williamson & Wyatt, P.C. The interdisciplinary group is composed of attorneys from a variety of practice areas. Mr. Folawn practices law in Portland and Seattle. He can be reached at 503.796.7462, 206.407.1500, or firstname.lastname@example.org.