The Oregon Consumer Identity Theft Protection Act, Oregon 2007 Laws, Chapter 759, §§1-18, now provides greater protection to Oregon consumers. Before passage of the 2007 Act, Oregon businesses were not required to notify consumers when someone without authorization accessed the personal information. The legislation passed in the wake of Providence Health System’s loss of computerized patient records on more than 300,000 patients. Full disclosure: Paul & Sugerman represent consumers affected by the Providence data loss.
Under the Act, Oregon businesses must take steps to protect consumers’ personal information. While there is leeway for small businesses, the Act provides that businesses employing more than 50 people must take significant steps to protect consumer information. Oregon businesses have to be especially careful about not publishing or otherwise disclosing social security numbers, except when they are otherwise required by state or federal law.
The new law provides that when a business suffers a security breach affecting consumers’ personal information, the business must take certain steps to notify various entities. While the details may vary, businesses generally must notify law enforcement, consumers and credit reporting agencies.
Best of all, Section 4 allows consumers to place a security freeze on their consumer reports by sending a written request to consumer reporting agencies. You may be charged a fee for this service, and proper identification will be required, as well.
It’s not the best statute. Violations are enforced by State, and whether they will be enforced at all depends on government officials. But it’s better than what we have, and it at least provides some important protections for consumers, as long as the State makes it real through necessary enforcement.
David F. Sugerman
Paul & Sugerman, PC