ID Theft prevention laws

Oregon's new identity theft law puts additional requirements on businesses to safeguard the personal information of their customers, members and clients.
This includes personal information on consumers that is used in the course of an organization's business, vocation, occupation or volunteer activities.

The law, which became effective Jan. 1, requires for-profit, nonprofit and public entities to protect "consumer personal information," which includes an individual's first name or first initial in combination with their Social Security number, driver's license number, passport number, financial account numbers, or credit or debit card numbers.

With certain governmental exceptions, Social Security numbers must be excluded from any materials not requested by the consumer. They should also be excluded from documentation of a transaction or service requested by the consumer that is mailed to the consumer, unless the numbers are redacted, meaning only the last four or six digits are shown.

Effective January 1, 2008 - Oregon's Consumer Identity Theft Law
The following description was prepared by Tatiana A. Perry, Partner | Tonkon Torp LLP
1600 Pioneer Tower | 888 S.W. Fifth Avenue
Portland, Oregon 97204

"As of January 1, 2008, all Oregon businesses that collect and maintain personal information must be prepared to safeguard such personal information in accordance with Oregon's new consumer identity theft law. 'Personal information' is a consumer's name in combination with his or her social security, passport or driver's license number, or a bank account, credit or debit card number along with the PIN or password to get access to the account.
This law applies to personal information of employees as well as customers, and also requires businesses to give notice to consumers if their personal information has been released or compromised.

The Oregon Department of Consumer and Business Services will enforce the new law and is authorized to impose fines in the amount of $1,000 per violation for each day the violation continues, up to a maximum of $500,000. To avoid a violation of the new law, businesses must implement 'information security plans' that incorporate administrative, physical and technical controls over the personal information collected by the businesses. Technical controls of a compliant information security plan must perform at least the following functions for a business: assessing software- and network-related risks to personal information collected by the business, assessing risks related to information processing, transmission and storage of the personal information, detecting, preventing and responding to attacks or system failures, and regularly testing and monitoring key controls, systems and procedures.

The requirements set by the new law for information security plans in general, and for the technical controls in particular, may have serious impact on small and medium businesses. Small businesses (i.e., those with no more than 50 employees) are treated a bit more leniently under the new law: they need to implement only such controls as would be 'appropriate' for their size and complexity, the nature of their activities and the sensitivity of personal information they collect. However, many small business owners may not be technologically savvy enough to realize what technical safeguards would be considered 'appropriate' for purposes of the new law. At the same time, medium-sized businesses are subject to the full weight of the new law and may require even more help than the small ones in developing information security plans compliant with the new law."

Red Flags Regulations
Background: Nationwide and state by state, various identity theft laws are being created or amended to ensure companies provide appropriate levels of protection for both the business and its customers.

The law: Recently, the "Red Flags Regulations" were added to the FACT Act (the Fair and Accurate Credit Transactions Act, which became federal law in December 2003), requiring every business to comply with stronger provisions within the law. Identity theft training is now a requirement for every business. These new regulations went into effect January 1, 2008. As part of this law, corporations must prove that they have trained their employees on ID theft prevention by 11/1/2008.

Below is an overview of the law, written by Rick Okamura, Esq., that identifies some very important steps all companies must take to become compliant with the new Oregon Consumer Identity Theft Protection Act (OCITPA): http://www.cbs.state.or.us/dfcs/id_theft.html
Oregon Legislature Declares State of Emergency & Shakes A $500,000 Stick To Prevent Identity Theft
You should be aware of significant new legislation, effective in October of this year, the Oregon Consumer Identity Theft Protection Act (OCITPA). The most significant compliance aspects of the new law are outlined for you below.

The Oregon Legislature has declared a state of emergency with regard to the protection of consumers’ personal information, and has designed significant penalties, up to $500,000 for each occurrence in order to solve this problem. This new law applies to everyone who "owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities." Such personal information includes consumers’ social security numbers, driver’s license numbers, passport numbers, credit card numbers, and financial account numbers.

In order to avoid these significant penalties an information security program must be implemented that includes the following administrative, technical, and physical safeguards:

Administrative safeguards such as the following, in which the person:

  1. Designates one or more employees to coordinate the security program;
  2. Identifies reasonably foreseeable internal and external risks;
  3. Assesses the sufficiency of safeguards in place to control the identified risks;
  4. Trains and manages employees in the security program practices and procedures;
  5. Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  6. Adjusts the security program in light of business changes or new circumstances;

Technical safeguards such as the following, in which the person:

  1. Assesses risks in network and software design;
  2. Assesses risks in information processing, transmission and storage;
  3. Detects, prevents and responds to attacks or system failures; and
  4. Regularly tests and monitors the effectiveness of key controls, systems and procedures;

and

Physical safeguards such as the following, in which the person:

  1. Assesses risks of information storage and disposal;
  2. Detects, prevents and responds to intrusions;
  3. Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
  4. Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

A person complies with [the OCITPA] if the person contracts with another person engaged in the business of record destruction to dispose of personal information in a manner consistent with [the OCITPA].

Please note that if you contract with any service providers to handle consumers’ personal information (i.e. a shredding service, website host, transaction processor, payroll agency, etc), you must specifically require that they maintain appropriate safeguards in your written contract with them.

In addition to the above safeguards, the Legislature has also largely prohibited the use of consumers’ social security numbers. You may continue to use social security numbers for internal verification or internal administrative purposes, however, as a general rule, you should only use the last four digits of a consumer’s social security number, if at all.

The discussion above only highlights some of the most urgent compliance aspects of the OCITPA. If you have become subject to a breach of information security since October 1, 2007 you should consult with your attorney immediately. Of course, prevention is best.

Fortunately, the Legislature was wise enough to give a break to small businesses, only requiring that their information security program be appropriate to the size and complexity of their particular business. However, with the new law cloaked in the declaration of a state of emergency, it is probably not unreasonable to expect that the Department of Consumer and Business Services is under some pressure to bring the penalty hammer down on a few businesses in order to make news and hang at least a few businesses out as examples.

You can find additional information on the OCITPA at http://www.cbs.state.or.us/dfcs/id_theft.html
This document courtesy of Rick Okamura, Esq. as written in his blog:
http://softwareassociationoforegon.ning.com/profiles/blog/show?id=1153095%3ABlogPost%3A6781
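Both summaries above describe the same concrete data-handling rule: a Social Security number that appears in material sent to a consumer, or that is used outside internal verification, must be redacted so that only the last four (or six) digits remain. The following Python is an added example written for this page; it is not code from the page's author, from either attorney's text, or from any Oregon agency. It assumes an ordinary formatted SSN (nine digits, optionally separated by hyphens or spaces) and treats any such match as sensitive; the sample letter is constructed for the demonstration. It shows the two checks a practitioner would want before a document leaves the organization: find any unredacted SSNs, and produce the redacted form that keeps only the trailing digits.

```python
import re

# Constructed pattern for illustration: three, two and four digits, optionally separated by a
# hyphen or a space, bounded by non-digits so that longer digit runs (phone numbers, account
# numbers) are not matched. Already-masked values such as XXX-XX-6789 contain no nine-digit
# run and therefore never match, which makes redaction idempotent.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def find_unredacted(text: str) -> list[str]:
    """Return every full (unredacted) SSN found in text, as a plain nine-digit string."""
    return ["".join(m.groups()) for m in SSN_RE.finditer(text)]


def redact_ssn(text: str, keep: int = 4) -> str:
    """Mask each SSN in text so that only its last `keep` digits remain.

    The statute summaries on this page allow either the last four or the last six digits,
    so only those two values are accepted. Output is normalised to XXX-XX-NNNN form.
    """
    if keep not in (4, 6):
        raise ValueError("keep must be 4 or 6 (the digit counts the summaries allow)")

    def _mask(m: re.Match) -> str:
        digits = "".join(m.groups())           # nine digits without separators
        masked = "X" * (9 - keep) + digits[-keep:]
        return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"

    return SSN_RE.sub(_mask, text)


def check_outbound_document(text: str, keep: int = 4) -> dict:
    """Pre-send check: count unredacted SSNs and return the document with them masked."""
    hits = find_unredacted(text)
    return {
        "unredacted_count": len(hits),
        "redacted_text": redact_ssn(text, keep),
    }


# Constructed sample letter: two unredacted SSNs, one already-masked SSN and a phone number
# that must not be mistaken for an SSN.
SAMPLE_LETTER = """Re: account service request
Customer: John Doe  SSN: 123-45-6789  Phone: 503-802-2042
Co-applicant SSN 987 65 4321 (verified); prior notice used XXX-XX-4321.
"""

if __name__ == "__main__":
    result = check_outbound_document(SAMPLE_LETTER)
    print(f"unredacted SSNs found: {result['unredacted_count']}")
    print(result["redacted_text"])
```

Running the block on the sample reports two unredacted SSNs and prints the letter with them rewritten as XXX-XX-6789 and XXX-XX-4321, leaving the phone number and the already-masked value untouched. The pattern is deliberately narrow: it will miss SSNs written with unusual separators, so in a real mail-merge or export pipeline it would be one check among several, not the only one.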

Tatiana A. Perry | Tonkon Torp LLP
1600 Pioneer Tower | 888 S.W. Fifth Avenue
Portland, Oregon 97204
(503) 802-2042 | FAX (503) 972-3742


Computer recycling requires some thought
http://www.bizjournals.com/portland/stories/2008/01/14/editorial2.html
By Sharon Baker

For many Portland businesses there exists some confusion on how to properly dispose of unwanted computer and electronic equipment. Most companies designate…
