Identity Theft Headlines.com

The Latest News on Business and Personal ID Theft

Archive for the ‘Oregon Law (SB_583)’ Category

The tough new law that affects virtually every business in the state of Oregon.

Tualatin chamber offers anti-identity theft help for area businesses

Posted by MDT on April 29, 2008

Press Release-4282008

The Tualatin Chamber of Commerce can now help area businesses meet the requirements of Oregon’s tough, new anti-identity theft law.

The Oregon Consumer Identity Theft Protection Act (OCITPA) and your business.

State Law (SB_583): Effective January 1, 2008, Oregon’s new law requires a business to have:

-A comprehensive information security program with pre-determined safeguards in place.

-It also requires that a business that uses service providers, contractors, and vendors ensure that those entities agree to and adhere to Oregon Law (SB_583) by contract.

-It is also required that a business notify its customers, clients, or business partners when non-public data is lost.

A business found not to be in compliance faces fines up to $1,000 for each violation (per day) with a cap of $500,000, plus compensation to victims.

The Tualatin Chamber of Commerce can help.
To help the Tualatin business community avoid these problems, the Tualatin Chamber of Commerce has partnered with CASHTOOLS, Inc.’s Sue Whittaker. Sue is the co-author of Oregon law (SB_583) and is one of the nation’s top experts on business anti-identity theft protocol and compliance. Sue is joined by Michael Thayer, who is also available to answer your questions and assist your business with the new law.

To help facilitate your business’s compliance with the law, team members will visit your business, provide a consultation and the required materials. Please call 503-515-6383 with questions or to schedule your appointment.

Posted in Business-Based ID Theft, Oregon Law (SB_583)

How Oregon Senate Bill 583 affects your business

Posted by MDT on April 22, 2008

The Oregon Consumer Identity Theft Protection Act – Effective January 1, 2008

Your business must implement an information security program that includes the following:

-Establish administrative safeguards.

-Designate one or more employees to coordinate the security program.

-Identify reasonably foreseeable internal and external risks.

-Assess the sufficiency of safeguards in place to control the identified risks.

-Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.

-Adjust the security program in light of business changes or new circumstances.

Technical safeguards such as the following:

-Assess risks in network and software design.

-Assess risks in information processing, transmission and storage.

-Detect, prevent and respond to attacks or system failures.

-Regularly test and monitor the effectiveness of key controls, systems and procedures.

Physical safeguards such as the following:

-Assess risks of information storage and disposal.

-Detect, prevent and respond to intrusions.

-Protect against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information.

-Dispose of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information

Posted in Business-Based ID Theft, Government-Based ID Theft, Medical Identity Theft, Oregon Law (SB_583)

New ID theft law imposes duties on Oregon corporations

Posted by MDT on April 22, 2008

Required security programs must contain a lengthy list of checks and safeguards

Portland Business Journal – by Rob LeChevallier

Oregon’s new identity theft law puts additional requirements on businesses to safeguard personal information regarding their customers’, members’ and clients’ personal information.

This includes personal information on consumers that is used in the course of an organization’s business, vocation, occupation and volunteer activities.

The law, which became effective Jan. 1, requires for-profit, nonprofit and public entities to protect “consumer personal information,” which includes the individual’s first name or first initial in combination with their Social Security number, driver’s license, passport number, financial account numbers, credit or debit cards.

With certain governmental exceptions, Social Security numbers must be excluded from any materials not requested by the consumer. They also should be excluded from documentation of a transaction or service requested by the consumer that is mailed to the consumer, unless the numbers are redacted, meaning only the last four or six digits are used.

The new law also requires that such “persons” who own, maintain or otherwise possess such data must develop, implement and maintain reasonable safeguards to protect the data, confidentiality and integrity of the personal information. This includes disposal of the data.

This security program must include administrative safeguards, designate employees to coordinate the program, assess the risks in network and software design, and require that data service providers are capable of maintaining appropriate safeguards. The program must also be adjustable in light of business changes or new circumstances. This program is not limited to electronic security but also must include physical safeguards such as assessing the risks of information storage and disposal and protecting against unauthorized access to or use of personal information.

Manufacturers with fewer than 200 employees or other businesses with 50 or fewer employees may comply with new requirements if the information security and disposal program they adopt contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities and the sensitivity of the personal information collected from or about consumers.

If there is a breach of data security, the new law requires mandatory reporting and notice to the consumers, television and newspaper media, governmental agencies and consumer reporting agencies. With certain exceptions consumers can also put a “security freeze” on their consumer credit report.

What does this mean for the average Oregon business?

  • You must review the information that is collected on your customers. Is the data stored in a secure place? Who has access to this information? Are your computer files password-protected? Does the janitor or the cleaning staff have access to your customers’ confidential information? Do you shred all confidential information after use?
  • Are you collecting Social Security numbers, driver’s license numbers, credit card numbers and other sensitive information? Is this information really necessary, or are there alternative means of identification? Do you redact these numbers so only the last few digits appear? What do you mail to your customers and could your mailings include sensitive data?
  • What kind of network security do you have? Do you have confidentiality agreements with your vendors, including your IT professionals and archive services? Do you purge old client or customer personal information?
  • If you are involved on the board of a nonprofit or charitable organization (think church or soccer league) make sure that the information they possess is protected the same way as a business would. The standards are exactly the same.
  • Have you drafted a written program on information security and designated a person in your office to train employees to implement the program?

The penalties for violating the new act can be severe. In addition to all other penalties, the Oregon Department of Consumer and Business Services can impose fines of $1,000 for every violation.

The real penalty is not the threat of fines but the risk to your goodwill or customer base. A year or two ago, one of my clients was notified by the police that his mortgage application file was found as part of an arrest of an identity theft ring. He came to me wanting to sue the mortgage company that had failed to protect the security of his personal information. Can you imagine the loss of customers (let alone liability) your business would have if an identity theft was publicized and if your clients or customers knew that their confidential personal information was being sold on the street?

Rob LeChevallier is a business attorney in the law firm of Buckley LeChevallier PC in Lake Oswego. He can be reached at 503-620-8900 and at rlc@buckley-law.com.

Posted in Business-Based ID Theft, Oregon Law (SB_583)