|
SecurityFreeze
All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion.
BreachNotification
Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.
ProtectSSNs
The law prohibits anyone from printing Social Security numbers on cards or documents or publicly displaying or posting a Social Security number. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.
SafeguardPII
If you collect personal information from an individual, such as driver's license numbers or Social Security numbers, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
The following shall be deemed in compliance:
Section A:
- A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.
- A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.
- A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on the effective date of this 2007 Act.
- A person that implements an information security program that includes the following administrative safeguards such as the following, in which the person:
- (i) Designates one or more employees to coordinate the security program;
- (ii) Identifies reasonably foreseeable internal and external risks;
- (iii) Assesses the sufficiency of safeguards in place to control the identified risks;
- (iv) Trains and manages employees in the security program practices and procedures;
- (v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- (vi) Adjusts the security program in light of business changes or new circumstances;
Section B:
- Technical safeguards such as the following, in which the person:
- (i) Assesses risks in network and software design;
- (ii) Assesses risks in information processing, transmission and storage;
- (iii) Detects, prevents and responds to attacks or system failures; and
- (iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
- Physical safeguards such as the following, in which the person:
- (i) Assesses risks of information storage and disposal;
- (ii) Detects, prevents and responds to intrusions;
- (iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
- (iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.
.
|
