Oregon Consumer Identity Theft Protection Act (OCITPA)

For Oregon ORS646A.600 compliance, you can purchase a professionally developed Cybersecurity & Data Protection Program (CDPP) for your business and have it ready to implement the next business day. You will receive the CDPP in Microsoft Word format (via email delivery), as well as helpful guidance on how to properly implement the CDPP and what controls in the CDPP map to the Oregon Consumer Identity Theft Protection Act (OCITPA) requirements.

For a reason to buy a Cybersecurity & Data Protection Program (CDPP), it is hard to beat an excerpt directly from the Oregon law itself since there is a legal requirement have written information security policies, procedures and standards in place:

Oregon ORS646A.600: “Any person that owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.”

Key Takeaways - Oregon Consumer Identity Theft Protection Act

Oregon ORS 646A.600 requires reasonable safeguards for any business handling Oregon consumers' personal information. Effective January 1, 2008.
Four pillars. Security freezes, breach notification (45 days), SSN protection, and PII safeguarding.
Applies to any person, business, organization or government. Including those outside Oregon handling Oregonians' data.
Breach notification must occur within 45 days of discovering or receiving notice of a security breach.
HIPAA-covered entities do not need additional processes for patient data but must still protect employee personal information under OCITPA.
ComplianceForge products map to OCITPA requirements through the SCF.

Overview

Oregon Consumer ID Theft Protection Act Compliant Cybersecurity & Data Protection Program (CDPP)

The State of Oregon adopted a strict Information Security law, which became effective on January 1, 2008. The law is broken up into four sections (please read the requirements of those two sections below). The Cybersecurity & Data Protection Program (CDPP) meets ALL of the requirements of Oregon ORS 646A.600 so any business that maintains PCI DSS-related data on an Oregon resident could purchase and implement a CDPP to become compliant with this new law.

What Are The Requirements?

Requirements of the Oregon Consumer Identity Theft Protection Act

OCITPA is built on four core protections that work together to safeguard Oregon consumers' personal information from identity theft and unauthorized disclosure.

Security Freeze

All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion.

Breach Notification

Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.

Protect SSNs

The law prohibits anyone from printing Social Security Numbers (SSNs) on cards or documents or publicly displaying or posting a SSN. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.

Safeguard PII

If you collect personal information from an individual, such as driver's license numbers or SSNs, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.

The following shall be deemed in compliance:

Section A

A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.
A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.
A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on the effective date of this 2007 Act.
A person that implements an information security program that includes the following administrative safeguards such as the following, in which the person:
This is some text inside of a div block.
- Designates one or more employees to coordinate the security program;
- Identifies reasonably foreseeable internal and external risks;
- Assesses the sufficiency of safeguards in place to control the identified risks
- Trains and manages employees in the security program practices and procedures;
- Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- Adjusts the security program in light of business changes or new circumstances;

Section B

Technical safeguards such as the following, in which the person:

Assesses risks in network and software design;
Assesses risks in information processing, transmission and storage;
Detects, prevents and responds to attacks or system failures; and
Regularly tests and monitors the effectiveness of key controls, systems and procedures; and

Physical safeguards such as the following, in which the person:

Assesses risks of information storage and disposal;
Detects, prevents and responds to intrusions;
Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.