Oregon Data Disposal (OR Rev Stat § 646A.622)

Oregon Revised Statutes

Volume: 16 - Trade Practices, Labor and Employment

Chapter 646A - Trade Regulation

IDENTITY THEFT PREVENTION

Section 646A.602 - Definitions for ORS 646A.600 to 646A.628.

Section 646A.622 - Requirement to develop safeguards for personal information; conduct deemed to comply with requirement; defenses.

§ 646A.602 - Definitions for ORS 646A.600 to 646A.628.

As used in ORS 646A.600 to 646A.628:

(1)(a) "Breach of security" means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.

(b) "Breach of security" does not include an inadvertent acquisition of personal information by a person or the person’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

(2) "Consumer" means an individual resident of this state.

(3) "Consumer report" means a consumer report as described in section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)), as that Act existed on January 1, 2020, that a consumer reporting agency compiles and maintains.

(4) "Consumer reporting agency" means a consumer reporting agency as described in section 603(p) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on January 1, 2020.

(5)(a) "Covered entity" means a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.

(b) "Covered entity" does not include a person described in paragraph (a) of this subsection to the extent that the person acts solely as a vendor.

(6) "Debt" means any obligation or alleged obligation arising out of a consumer transaction.

(7) "Encryption" means an algorithmic process that renders data unreadable or unusable without the use of a confidential process or key.

(8) "Extension of credit" means a right to defer paying debt or a right to incur debt and defer paying the debt, that is offered or granted primarily for personal, family or household purposes.

(9) "Identity theft" has the meaning set forth in ORS 165.800.

(10) "Identity theft declaration" means a completed and signed statement that documents alleged identity theft, using a form available from the Federal Trade Commission, or another substantially similar form.

(11) "Person" means an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.

(12)(a) "Personal information" means:

(A) A consumer’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired:

(i) A consumer’s Social Security number;

(ii) A consumer’s driver license number or state identification card number issued by the Department of Transportation;

(iii) A consumer’s passport number or other identification number issued by the United States;

(iv) A consumer’s financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account;

(v) Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;

(vi) A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or

(vii) Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

(B) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

(C) Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer’s user name, or the consumer’s first name or first initial and last name, if:

(i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and

(ii) The data element or combination of data elements would enable a person to commit identity theft against a consumer.

(b) "Personal information" does not include information in a federal, state or local government record, other than a Social Security number, that is lawfully made available to the public.

(13) "Proper identification" means written information or documentation that a consumer or representative can present to another person as evidence of the consumer’s or representative’s identity, examples of which include:

(a) A valid Social Security number or a copy of a valid Social Security card;

(b) A certified or otherwise official copy of a birth certificate that a governmental body issued; and

(c) A copy of a driver license or other government-issued identification.

(14) "Protected consumer" means an individual who is:

(a) Not older than 16 years old at the time a representative requests a security freeze on the individual’s behalf; or

(b) Incapacitated or for whom a court or other authority has appointed a guardian or conservator.

(15) "Protective record" means information that a consumer reporting agency compiles to identify a protected consumer for whom the consumer reporting agency has not prepared a consumer report.

(16) "Redacted" means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, passport number or other number issued by the United States, financial account number, credit card number or debit card number is visible or accessible.

(17) "Representative" means a consumer who provides a consumer reporting agency with sufficient proof of the consumer’s authority to act on a protected consumer’s behalf.

(18) "Security freeze" means a notice placed in a consumer report at a consumer’s request or a representative’s request or in a protective record at a representative’s request that, subject to certain exemptions, prohibits a consumer reporting agency from releasing information in the consumer report or the protective record for an extension of credit, unless the consumer temporarily lifts the security freeze on the consumer’s consumer report or a protected consumer or representative removes the security freeze on or deletes the protective record.

(19) "Vendor" means a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity. [2007 c.759 §2; 2013 c.415 §1; 2015 c.357 §1; 2018 c.10 §1; 2019 c.180 §2]

§ 646A.622 - Requirement to develop safeguards for personal information; conduct deemed to comply with requirement; defenses.

(1) A covered entity and a vendor shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information.

(2) A covered entity or vendor complies with subsection (1) of this section if the covered entity or vendor:

(a) Complies with a state or federal law that provides greater protection to personal information than the protections that this section provides.

(b) Complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as in effect on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to the Act.

(c) Complies with regulations that implement the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) and the Health Information Technology for Economic and Clinical Health Act of 2009 (P.L. 111-5, Title XIII, 123 Stat. 226), as those Acts were in effect on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to those Acts.

(d) Implements an information security program that includes:

(A) Administrative safeguards such as:

(i) Designating one or more employees to coordinate the security program;

(ii) Identifying reasonably foreseeable internal and external risks with reasonable regularity;

(iii) Assessing whether existing safeguards adequately control the identified risks;

(iv) Training and managing employees in security program practices and procedures with reasonable regularity;

(v) Selecting service providers that are capable of maintaining appropriate safeguards and practices, and requiring the service providers by contract to maintain the safeguards and practices;

(vi) Adjusting the security program in light of business changes, potential threats or new circumstances; and

(vii) Reviewing user access privileges with reasonable regularity;

(B) Technical safeguards such as:

(i) Assessing risks and vulnerabilities in network and software design and taking reasonably timely action to address the risks and vulnerabilities;

(ii) Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;

(iii) Monitoring, detecting, preventing and responding to attacks or system failures; and

(iv) Regularly testing, monitoring and taking action to address the effectiveness of key controls, systems and procedures; and

(C) Physical safeguards such as:

(i) Assessing, in light of current technology, risks of information collection, storage, usage, retention, access and disposal and implementing reasonable methods to remedy or mitigate identified risks;

(ii) Monitoring, detecting, preventing, isolating and responding to intrusions timely and with reasonable regularity;

(iii) Protecting against unauthorized access to or use of personal information during or after collecting, using, storing, transporting, retaining, destroying or disposing of the personal information; and

(iv) Disposing of personal information, whether the covered entity or vendor disposes of the personal information on or off the covered entity’s or vendor’s premises or property, after the covered entity or vendor no longer needs the personal information for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

(3) A covered entity or vendor complies with subsection (2)(d)(C)(iv) of this section if the covered entity or vendor contracts with another person engaged in the business of record destruction to dispose of personal information in a manner that is consistent with subsection (2)(d)(C)(iv) of this section.

(4) A covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not complied with subsection (1) of this section with respect to personal information that is subject to ORS 646A.600 to 646A.628 but is not subject to an Act described in subsection (2)(b) or (c) of this section by showing that, with respect to the personal information that is subject to ORS 646A.600 to 646A.628, the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.

(5) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers. [2007 c.759 §12; 2015 c.357 §3; 2018 c.10 §6; 2019 c.180 §4]

For more information, see:

https://oregon.public.law/statutes/ors_chapter_646

and

https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/

These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.