Oregon
|
Click here to review text of state statute (see Oregon Rev. Stat. §646A.600 et seq.) [For specific rules applicable to income tax return preparers – click here. See §305.804] |
Information Covered / Important Definitions
Information covered:
Personal information of Oregon consumers.
Definition includes (i) a passport number or other identification number issued by the United States; (ii) data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction; (iii) a health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or (iv) information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer. Definition also includes a user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.
If data elements have not been encrypted, redacted or rendered unusable and the data element taken would enable a person to commit identity theft, the data element can be considered personal information.
Important definitions:
“Security Breach” means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possess.
“Encryption” means an algorithmic process that renders data unreadable or unusable without the use of a confidential process or key.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person, legal entity or public body (as defined in ORS 174.019) that owns, or licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information, or that has access to personal information as a consequence of a contract, that the person uses in the course of the person’s business, vocation, occupation or volunteer activities.
Third party recipients:
A person that maintains, stores, manages, collects, processes, acquires or otherwise possesses or has access to personal information on behalf of, as a consequence of a contract, or under license of, another person shall notify the other person after discovering a breach of security.
Notice Procedures & Timing / Other Obligations
Written, telephonic or electronic notice must be provided to victims of a security breach in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 250,000 persons, or covered entity has insufficient contact information.
- Notice not required if, after appropriate investigation or consultation with relevant law enforcement authorities, it is determined that no affected consumers are likely to suffer harm. Written documentation of this determination is required and must be retained for 5 years.
A vendor shall notify the Attorney General in writing or electronically if the vendor was subject to a breach of security that involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.
Other obligations:
Any covered entity that must notify more than 1,000 Oregon residents at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies without delaying notice to affected Oregon residents.
Covered entities must develop, implement and maintain administrative, technical and physical safeguards to protect personal information. Note: ORS §654A.22(2)(d) contains expanded information security requirements.
A vendor that discovers a breach of security or has reason to believe that a breach of security has occurred must notify a covered entity with which the vendor has a contract not later than 10 days after discovering the breach.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted, redacted or otherwise rendered unusable by other methods.
Safe harbor not available if a security breach involves encrypted data but the encryption key has been compromised.
Other exemptions:
Exemption for good faith and inadvertent acquisition of personal information by a covered entity or a covered entity’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.
A covered entity is deemed in compliance with the Oregon statute if it complies with notification requirements or procedures imposed by its primary or functional federal regulator that are at least as protective as Oregon’s statute.
Statute not applicable to a covered entity that complies with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 if person information that is subject to the ORS 646A.600 to 646A.628 is also subject to those acts.
A covered entity that complies with other state or federal law that is at least as thorough as Oregon’s statute is exempt from Oregon’s statute.
A covered entity that is subject to GLBA or HIPAA is exempt from Oregon’s statute.
Notification to Regulator / Waiver
Attorney General must be notified electronically or by mail if a single breach affects 250 residents.
Attorney General must receive within a reasonable time at least one copy of any notice the person sends to consumers or to the person’s primary or functional regulator.
A vendor must notify the Attorney General electronically or by mail if a breach involves more than 250 residents or the number of residents cannot be determined.
A determination of no likelihood of harm:
Does not require notification to Attorney General.
Penalties
Violations are an unlawful practice under ORS 646.607.
Penalties can include $1,000 per violation.
In the case of a continuing violation, each day’s continuance is a separate violation. Maximum penalty of $500,000.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by the Director of the Department of Consumer and Business Services.
If the director has reason to believe that any person has engaged or is engaging in any violation of the Oregon statute, the director may issue a cease and desist order, or require the person to pay compensation to consumers injured by the violation. The director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute (see Oregon Rev. Stat. §646A.600 et seq.) |