73rd OREGON LEGISLATIVE ASSEMBLY--2005 Regular Session
NOTE: Matter within { + braces and plus signs + } in an
amended section is new. Matter within { - braces and minus
signs - } is existing law to be omitted. New sections are within
{ + braces and plus signs + } .
LC 2188
Senate Bill 626
Sponsored by Senator PROZANSKI (at the request of OSPIRG)
SUMMARY
The following summary is not prepared by the sponsors of the
measure and is not a part of the body thereof subject to
consideration by the Legislative Assembly. It is an editor's
brief statement of the essential features of the measure as
introduced.
Requires person who owns or uses personal information to notify
individual when there is unauthorized acquisition of personal
information that compromises security of information.
A BILL FOR AN ACT
Relating to security of personal information.
Be It Enacted by the People of the State of Oregon:
SECTION 1. { + (1) As used in this section, 'personal
information' means the first name or first initial and last name
in combination with any of the following information about an
individual if the information is not lawfully made available to
the public and regardless of encryption:
(a) Date of birth;
(b) Social Security number;
(c) Driver license or identification card number;
(d) Passport number;
(e) Number on a credit card or debit card, both as defined in
ORS 646.886;
(f) Number identifying the consumer to a financial institution,
as defined in ORS 706.008; and
(g) Any required security code, access code or password in
combination with an account number that would provide access to a
financial account of the individual.
(2)(a) Except as provided in subsection (3) of this section,
any person that owns or uses the personal information of a
resident of this state shall notify the resident when there has
been an unauthorized acquisition of data that compromises the
security of the personal information maintained by the person. A
good faith acquisition of personal information by an employee or
agent of the person in the ordinary course of legitimate business
is not a breach in security of the personal information if the
personal information is not used or subject to further
unauthorized disclosures.
(b) The person shall provide the notice required under
paragraph (a) of this subsection as expediently as possible and
without unreasonable delay, consistent with the legitimate needs
of law enforcement as provided in subsection (3) of this section,
or with any measures necessary to determine the scope of the
breach in security and restore the reasonable integrity, security
and confidentiality of the data.
(3) The person may delay providing the notice required under
subsection (2) of this section if a law enforcement agency
determines that the notification may impede a criminal
investigation. The person shall provide notice under subsection
(2) of this section after the law enforcement agency determines
that the notice will not compromise the investigation.
(4) For purposes of this section, notice to residents may be
provided by any of the following methods:
(a) Written notice;
(b) Electronic notice, if the notice provided is consistent
with the provisions regarding electronic records and signatures
for notices legally required to be in writing under the federal
Electronic Signatures in Global and National Commerce Act, 15
U.S.C. 7001 et seq.; or
(c) Substitute notice, if the person demonstrates that the cost
of providing notice would exceed $250,000, that the affected
class of persons requiring notification exceeds 500,000 or that
the person does not have sufficient contact information.
Substitute notice shall consist of:
(A) Notice by electronic mail to all affected persons for which
the person has an electronic mail address;
(B) Conspicuous posting of the notice on the official website
of the person if the person maintains a website; and
(C) Notice to major statewide media. + }
SECTION 2. { + The Director of the Department of Consumer and
Business Services may adopt rules to implement section 1 of this
2005 Act. + }
SECTION 3. { + An individual injured by a violation of section
1 of this 2005 Act may:
(1) Bring an action in an appropriate court to recover actual
damages plus court costs and attorney fees reasonably incurred in
the action; or
(2) Apply to the circuit court for a temporary or permanent
injunction restraining any person from violating any provision of
section 1 of this 2005 Act. + }
SECTION 4. { + Sections 1 to 3 of this 2005 Act apply to
unauthorized acquisitions of data that occur on or after the
effective date of this 2005 Act. + }
----------