74th OREGON LEGISLATIVE ASSEMBLY--2007 Regular Session
Enrolled
Senate Bill 583
Sponsored by Senator PROZANSKI; Representative CLEM (at the
request of Governor Theodore R. Kulongoski)
CHAPTER ................
AN ACT
Relating to the Oregon Consumer Theft Protection Act; limiting
expenditures; and declaring an emergency.
Be It Enacted by the People of the State of Oregon:
SECTION 1. { + This 2007 Act shall be known as the Oregon
Consumer Identity Theft Protection Act. + }
SECTION 2. { + As used in this 2007 Act:
(1)(a) 'Breach of security' means unauthorized acquisition of
computerized data that materially compromises the security,
confidentiality or integrity of personal information maintained
by the person.
(b) 'Breach of security' does not include good-faith
acquisition of personal information by a person or that person's
employee or agent for a legitimate purpose of that person if the
personal information is not used in violation of applicable law
or in a manner that harms or poses an actual threat to the
security, confidentiality or integrity of the personal
information.
(2) 'Consumer' means an individual who is also a resident of
this state.
(3) 'Consumer report' means a consumer report as described in
section 603(d) of the federal Fair Credit Reporting Act (15
U.S.C. 1681a(d)), as that Act existed on the effective date of
this 2007 Act, that is compiled and maintained by a consumer
reporting agency.
(4) 'Consumer reporting agency' means a consumer reporting
agency as described in section 603(p) of the federal Fair Credit
Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on the
effective date of this 2007 Act.
(5) 'Debt' means any obligation or alleged obligation arising
out of a consumer transaction, as defined in ORS 646.639.
(6) 'Encryption' means the use of an algorithmic process to
transform data into a form in which the data is rendered
unreadable or unusable without the use of a confidential process
or key.
(7) 'Extension of credit' means the right to defer payment of
debt or to incur debt and defer its payment offered or granted
primarily for personal, family or household purposes.
(8) 'Identity theft' has the meaning set forth in ORS 165.800.
(9) 'Identity theft declaration' means a completed and signed
statement documenting alleged identity theft, using the form
Enrolled Senate Bill 583 (SB 583-B) Page 1
available from the Federal Trade Commission, or another
substantially similar form.
(10) 'Person' means any individual, private or public
corporation, partnership, cooperative, association, estate,
limited liability company, organization or other entity, whether
or not organized to operate at a profit, or a public body as
defined in ORS 174.109.
(11) 'Personal information':
(a) Means a consumer's first name or first initial and last
name in combination with any one or more of the following data
elements, when the data elements are not rendered unusable
through encryption, redaction or other methods, or when the data
elements are encrypted and the encryption key has also been
acquired:
(A) Social Security number;
(B) Driver license number or state identification card number
issued by the Department of Transportation;
(C) Passport number or other United States issued
identification number; or
(D) Financial account number, credit or debit card number, in
combination with any required security code, access code or
password that would permit access to a consumer's financial
account.
(b) Means any of the data elements or any combination of the
data elements described in paragraph (a) of this subsection when
not combined with the consumer's first name or first initial and
last name and when the data elements are not rendered unusable
through encryption, redaction or other methods, if the
information obtained would be sufficient to permit a person to
commit identity theft against the consumer whose information was
compromised.
(c) Does not include information, other than a Social Security
number, in a federal, state or local government record that is
lawfully made available to the public.
(12) 'Redacted' means altered or truncated so that no more than
the last four digits of a Social Security number, driver license
number, state identification card number, account number or
credit or debit card number is accessible as part of the data.
(13) 'Security freeze' means a notice placed in a consumer
report, at the request of a consumer and subject to certain
exemptions, that prohibits the consumer reporting agency from
releasing the consumer report for the extension of credit unless
the consumer has temporarily lifted or removed the freeze. + }
SECTION 3. { + (1) Any person that owns, maintains or
otherwise possesses data that includes a consumer's personal
information that is used in the course of the person's business,
vocation, occupation or volunteer activities and was subject to a
breach of security shall give notice of the breach of security
following discovery of such breach of security, or receipt of
notification under subsection (2) of this section, to any
consumer whose personal information was included in the
information that was breached. The disclosure notification shall
be made in the most expeditious time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement as provided in subsection (3) of this section, and
consistent with any measures necessary to determine sufficient
contact information for the consumers, determine the scope of the
breach and restore the reasonable integrity, security and
confidentiality of the data.
Enrolled Senate Bill 583 (SB 583-B) Page 2
(2) Any person that maintains or otherwise possesses personal
information on behalf of another person shall notify the owner or
licensor of the information of any breach of security immediately
following discovery of such breach of security if a consumer's
personal information was included in the information that was
breached.
(3) The notification to the consumer required by this section
may be delayed if a law enforcement agency determines that the
notification will impede a criminal investigation and that agency
has made a written request that the notification be delayed. The
notification required by this section shall be made after that
law enforcement agency determines that its disclosure will not
compromise the investigation and notifies the person in writing.
(4) For purposes of this section, notification to the consumer
may be provided by one of the following methods:
(a) Written notice.
(b) Electronic notice if the person's customary method of
communication with the consumer is by electronic means or is
consistent with the provisions regarding electronic records and
signatures set forth in the Electronic Signatures in Global and
National Commerce Act (15 U.S.C. 7001) as that Act existed on the
effective date of this 2007 Act.
(c) Telephone notice, provided that contact is made directly
with the affected consumer.
(d) Substitute notice, if the person demonstrates that the cost
of providing notice would exceed $250,000, that the affected
class of consumers to be notified exceeds 350,000, or if the
person does not have sufficient contact information to provide
notice. Substitute notice consists of the following:
(A) Conspicuous posting of the notice or a link to the notice
on the Internet home page of the person if the person maintains
one; and
(B) Notification to major statewide television and newspaper
media.
(5) Notice under this section shall include at a minimum:
(a) A description of the incident in general terms;
(b) The approximate date of the breach of security;
(c) The type of personal information obtained as a result of
the breach of security;
(d) Contact information of the person subject to this section;
(e) Contact information for national consumer reporting
agencies; and
(f) Advice to the consumer to report suspected identity theft
to law enforcement, including the Federal Trade Commission.
(6) If a person discovers a breach of security affecting more
than 1,000 consumers that requires disclosure under this section,
the person shall notify, without unreasonable delay, all consumer
reporting agencies that compile and maintain reports on consumers
on a nationwide basis of the timing, distribution and content of
the notification given by the person to the consumers. In no case
shall a person that is required to make a notification required
by this section delay any notification in order to make the
notification to the consumer reporting agencies. The person shall
include the police report number, if available, in its
notification to the consumer reporting agencies.
(7) Notwithstanding subsection (1) of this section,
notification is not required if, after an appropriate
investigation or after consultation with relevant federal, state
or local agencies responsible for law enforcement, the person
determines that no reasonable likelihood of harm to the consumers
Enrolled Senate Bill 583 (SB 583-B) Page 3
whose personal information has been acquired has resulted or will
result from the breach. Such a determination must be documented
in writing and the documentation must be maintained for five
years.
(8) This section does not apply to:
(a) A person that complies with the notification requirements
or breach of security procedures that provide greater protection
to personal information and at least as thorough disclosure
requirements pursuant to the rules, regulations, procedures,
guidance or guidelines established by the person's primary or
functional federal regulator.
(b) A person that complies with a state or federal law that
provides greater protection to personal information and at least
as thorough disclosure requirements for breach of security of
personal information than that provided by this section.
(c) A person that is subject to and complies with regulations
promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of
1999 (15 U.S.C. 6801 to 6809) as that Act existed on the
effective date of this 2007 Act. + }
SECTION 4. { + (1) A consumer may elect to place a security
freeze on the consumer's consumer report by sending a written
request to a consumer reporting agency at an address designated
by the agency to receive such requests, or a secure electronic
request at a website designated by the agency to receive such
requests if such method is made available by the consumer
reporting agency at the agency's discretion.
(2) If the consumer is the victim of identity theft or has
reported to a law enforcement agency the theft of personal
information, the consumer may include a copy of the police
report, incident report or identity theft declaration.
(3) The consumer must provide proper identification and any fee
authorized by section 6 of this 2007 Act.
(4) Except as provided in section 8 of this 2007 Act, if a
security freeze is in place, information from a consumer report
may not be released without prior express authorization from the
consumer.
(5) This section does not prevent a consumer reporting agency
from advising a third party that a security freeze is in effect
with respect to the consumer report. + }
SECTION 5. { + (1) A consumer reporting agency shall place a
security freeze on a consumer report no later than five business
days after receiving from the consumer:
(a) The request described in section 4 (1) of this 2007 Act;
(b) Proper identification; and
(c) A fee, if applicable.
(2) The consumer reporting agency shall send a written
confirmation of the security freeze to the consumer, to the last
known address for the consumer as contained in the consumer
report maintained by the consumer reporting agency, within ten
business days after placing the freeze and, with the
confirmation, shall provide the consumer with a unique personal
identification number or password or similar device to be used by
the consumer when providing authorization for release of the
consumer's consumer report for a specific period of time or for
permanently removing the security freeze. The consumer reporting
agency shall also include with such written confirmation
information regarding the process of lifting a freeze, and the
process of temporarily lifting a freeze for allowing access to
information from the consumer's credit report for a period of
time while the freeze is in place.
Enrolled Senate Bill 583 (SB 583-B) Page 4
(3) If a consumer wishes to allow the consumer's consumer
report to be accessed for a specific period of time while a
freeze is in effect, the consumer shall contact the consumer
reporting agency using a point of contact designated by the
consumer reporting agency, request that the freeze be temporarily
lifted and provide the following:
(a) Proper identification;
(b) The unique personal identification number or password or
similar device provided by the consumer reporting agency pursuant
to subsection (2) of this section;
(c) The information regarding the time period for which the
consumer report shall be available to users of the credit report;
and
(d) A fee, if applicable.
(4) A consumer reporting agency that receives a request from
the consumer to temporarily lift a freeze on a credit report
pursuant to subsection (3) of this section shall comply with the
request no later than three business days after receiving from
the consumer:
(a) Proper identification;
(b) The unique personal identification number or password or
similar device provided by the consumer reporting agency pursuant
to subsection (2) of this section;
(c) The information regarding the time period for which the
consumer report shall be available; and
(d) A fee, if applicable.
(5) A security freeze shall remain in place until the consumer
requests, using a point of contact designated by the consumer
reporting agency, that the security freeze be removed. A consumer
reporting agency shall remove a security freeze within three
business days of receiving a request for removal from the
consumer, who provides:
(a) Proper identification;
(b) The unique personal identification number or password or
similar device provided by the consumer reporting agency pursuant
to subsection (2) of this section; and
(c) A fee, if applicable.
(6) No later than December 31, 2008, the Director of the
Department of Consumer and Business Services shall report to the
chairs of the legislative committees that considered this 2007
Act concerning the minimum amount of time necessary, using
current technology, to place, temporarily lift or remove a freeze
on a consumer report, and to verify a consumer's identity. If the
chair of any legislative committee is vacant at the time of
making the report, the report shall also be made to the President
of the Senate and the Speaker of the House of
Representatives. + }
SECTION 6. { + (1) A consumer reporting agency may not charge
a fee to a consumer who is the victim of identity theft or who
has reported to a law enforcement agency the theft of personal
information, provided the consumer has submitted to the consumer
reporting agency a copy of a valid police report, incident report
or identity theft declaration.
(2) A consumer reporting agency may charge a reasonable fee of
no more than $10 to a consumer, other than a consumer described
in subsection (1) of this section, for each freeze, temporary
lift of the freeze, removal of the freeze or replacing a lost
personal identification number or password previously provided to
the consumer, regarding access to a consumer credit report. + }
Enrolled Senate Bill 583 (SB 583-B) Page 5
SECTION 7. { + A consumer reporting agency shall temporarily
lift or remove a freeze placed on a consumer's credit report only
in the following cases:
(1) Upon the consumer's request, pursuant to section 5 (3) or
(5) of this 2007 Act.
(2) If the consumer's credit report was frozen due to a
material misrepresentation of fact by the consumer, the consumer
reporting agency may remove the security freeze. If a consumer
reporting agency intends to remove a freeze upon a consumer's
credit report pursuant to this subsection, the consumer reporting
agency shall notify the consumer in writing at least five
business days prior to removing the freeze placed on the consumer
report. + }
SECTION 8. { + The provisions of sections 4 to 6 of this 2007
Act do not apply to the use of a consumer report by or for any of
the following:
(1) A person, or the person's subsidiary, affiliate, agent or
assignee with which the consumer has or, prior to assignment, had
an account, contract or debtor-creditor relationship for the
purposes of reviewing the account or collecting the financial
obligation owing for the account, contract or debtor-creditor
relationship. For purposes of this subsection, 'reviewing the
account' includes activities related to account maintenance,
monitoring, credit line increases and account upgrades and
enhancements;
(2) Any person acting pursuant to a judgment, court order,
warrant or subpoena;
(3) A federal, state or local governmental entity, including a
law enforcement agency or court, or their agents or assignees,
acting to investigate fraud or acting to investigate or collect
delinquent taxes or unpaid judgments or court orders or to
fulfill their statutory or regulatory duties provided such
responsibilities are consistent with a permissible purpose under
section 604 of the federal Fair Credit Reporting Act (15 U.S.C.
1681b) as that Act existed on the effective date of this 2007
Act;
(4) The use of credit information for the purposes of
prescreening as provided by the federal Fair Credit Reporting Act
(15 U.S.C. 1681 et seq.) as that Act existed on the effective
date of this 2007 Act;
(5) Any person for the sole purpose of providing a credit file
monitoring subscription service, or similar service to which the
consumer has subscribed;
(6) A consumer reporting agency for the sole purpose of
providing a consumer with a copy of the consumer's consumer
report upon the consumer's request;
(7) Any person or entity for the use of setting or adjusting
rates, for claims handling or underwriting for insurance
purposes, to the extent permitted by law;
(8) A subsidiary, affiliate, agent, assignee or prospective
assignee of a person to whom access has been granted under
section 5 (3) of this 2007 Act for purposes of facilitating the
extension of credit or other permissible use;
(9) A child support agency acting pursuant to Title IV-D of the
Social Security Act (42 U.S.C. 651 et seq.) as that Act existed
on the effective date of this 2007 Act; and
(10) A person for the sole purpose of screening an applicant
for a residential dwelling unit as described in ORS 90.295
(1). + }
Enrolled Senate Bill 583 (SB 583-B) Page 6
SECTION 9. { + If a third party requests access to a consumer
report on which a security freeze is in effect, the request is in
connection with an application for credit or any other use, the
consumer does not allow the consumer's consumer report to be
accessed for that period of time, and the third party cannot
obtain the consumer report through section 8 of this 2007 Act,
the third party may treat the application as incomplete. + }
SECTION 10. { + (1) If a security freeze is in place, a
consumer reporting agency shall not change any of the following
official information in a consumer credit report without sending
a written confirmation of the change to the consumer within 30
days of the change being posted to the consumer's report: name,
date of birth, Social Security number and address. Written
confirmation is not required for technical modifications of a
consumer's official information, including name and street
abbreviations, complete spellings or transposition of numbers or
letters. In the case of an address change, the written
confirmation shall be sent to both the new address and to the
former address.
(2) The following entities are not required to place a security
freeze on a credit report:
(a) A consumer reporting agency that acts only as a reseller of
credit information by assembling and merging information
contained in the database of another consumer reporting agency or
multiple consumer reporting agencies, and does not maintain a
database of credit information from which new consumer credit
reports are produced. However, a consumer reporting agency acting
as a reseller shall honor any security freeze placed on a
consumer report by another consumer reporting agency.
(b) A check services or fraud prevention services company that
issues reports on incidents of fraud or authorizations for the
purpose of approving or processing negotiable instruments,
electronic funds transfers or similar methods of payments.
(c) A deposit account information service company that issues
reports regarding account closures due to fraud, substantial
overdrafts, ATM abuse or similar negative information regarding a
consumer, to inquiring banks or other financial institutions for
use only in reviewing a consumer request for a deposit account at
the inquiring bank or financial institution. + }
SECTION 11. { + (1) Except as otherwise specifically provided
by law a person shall not:
(a) Print a consumer's Social Security number on any materials
not requested by the consumer or part of the documentation of a
transaction or service requested by the consumer that are mailed
to the consumer unless redacted;
(b) Print a consumer's Social Security number on any card
required for the consumer to access products or services provided
by the person; or
(c) Publicly post or publicly display a consumer's Social
Security number unless redacted. As used in this paragraph, '
publicly post or publicly display' means to communicate or
otherwise make available to the public.
(2) This section does not prevent the collection, use, or
release of a Social Security number as required by state or
federal law, including statute, Oregon Rules of Civil Procedure
or rule adopted by the Chief Justice of the Supreme Court, the
Chief Judge of the Court of Appeals or the judge of the Oregon
Tax Court, or the use or printing of a Social Security number for
internal verification or administrative purposes or for
enforcement of a judgment or court order.
Enrolled Senate Bill 583 (SB 583-B) Page 7
(3) This section does not apply to records that are required by
state or federal law, including statute, Oregon Rules of Civil
Procedure or rule adopted by the Chief Justice of the Supreme
Court, the Chief Judge of the Court of Appeals or the judge of
the Oregon Tax Court, to be made available to the public.
(4) This section does not apply to a Social Security number in
any of the following records or copies of records in any form or
storage medium maintained or otherwise possessed by a court, the
State Court Administrator or the Secretary of State:
(a) A record received on or before the effective date of this
2007 Act;
(b) A record received after the effective date of this 2007 Act
if, by state or federal statute or rule, the person that
submitted the record could have caused the record to be filed or
maintained in a manner that protected the Social Security number
from public disclosure; or
(c) A record, regardless of the date created or received, that
is:
(A) An accusatory instrument charging a violation or crime;
(B) A record of oral proceedings in a court;
(C) An exhibit offered as evidence in a proceeding; or
(D) A judgment or court order. + }
SECTION 12. { + (1) Any person that owns, maintains or
otherwise possesses data that includes a consumer's personal
information that is used in the course of the person's business,
vocation, occupation or volunteer activities must develop,
implement and maintain reasonable safeguards to protect the
security, confidentiality and integrity of the personal
information, including disposal of the data.
(2) The following shall be deemed in compliance with subsection
(1) of this section:
(a) A person that complies with a state or federal law
providing greater protection to personal information than that
provided by this section.
(b) A person that is subject to and complies with regulations
promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of
1999 (15 U.S.C. 6801 to 6809) as that Act existed on the
effective date of this 2007 Act.
(c) A person that is subject to and complies with regulations
implementing the Health Insurance Portability and Accountability
Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on
the effective date of this 2007 Act.
(d) A person that implements an information security program
that includes the following:
(A) Administrative safeguards such as the following, in which
the person:
(i) Designates one or more employees to coordinate the security
program;
(ii) Identifies reasonably foreseeable internal and external
risks;
(iii) Assesses the sufficiency of safeguards in place to
control the identified risks;
(iv) Trains and manages employees in the security program
practices and procedures;
(v) Selects service providers capable of maintaining
appropriate safeguards, and requires those safeguards by
contract; and
(vi) Adjusts the security program in light of business changes
or new circumstances;
Enrolled Senate Bill 583 (SB 583-B) Page 8
(B) Technical safeguards such as the following, in which the
person:
(i) Assesses risks in network and software design;
(ii) Assesses risks in information processing, transmission and
storage;
(iii) Detects, prevents and responds to attacks or system
failures; and
(iv) Regularly tests and monitors the effectiveness of key
controls, systems and procedures; and
(C) Physical safeguards such as the following, in which the
person:
(i) Assesses risks of information storage and disposal;
(ii) Detects, prevents and responds to intrusions;
(iii) Protects against unauthorized access to or use of
personal information during or after the collection,
transportation and destruction or disposal of the information;
and
(iv) Disposes of personal information after it is no longer
needed for business purposes or as required by local, state or
federal law by burning, pulverizing, shredding or modifying a
physical record and by destroying or erasing electronic media so
that the information cannot be read or reconstructed.
(3) A person complies with subsection (2)(d)(C)(iv) of this
section if the person contracts with another person engaged in
the business of record destruction to dispose of personal
information in a manner consistent with subsection (2)(d)(C)(iv)
of this section.
(4) Notwithstanding subsection (2) of this section, a person
that is an owner of a small business as defined in ORS 285B.123
(3) complies with subsection (1) of this section if the person's
information security and disposal program contains
administrative, technical and physical safeguards and disposal
measures appropriate to the size and complexity of the small
business, the nature and scope of its activities, and the
sensitivity of the personal information collected from or about
consumers. + }
SECTION 13. { + (1) The Director of the Department of Consumer
and Business Services may:
(a) Make such public or private investigations within or
outside this state as the director deems necessary to determine
whether a person has violated any provision of this 2007 Act, or
to aid in the enforcement of this 2007 Act.
(b) Require or permit a person to file a statement in writing,
under oath or otherwise as the director determines, as to all the
facts and circumstances concerning the matter to be investigated.
(c) Administer oaths and affirmations, subpoena witnesses,
compel attendance, take evidence and require the production of
books, papers, correspondence, memoranda, agreements or other
documents or records that the director deems relevant or material
to the inquiry. Each witness who appears before the director
under a subpoena shall receive the fees and mileage provided for
witnesses in ORS 44.415 (2).
(2) If a person fails to comply with a subpoena so issued or a
party or witness refuses to testify on any matters, the judge of
the circuit court or of any county, on the application of the
director, shall compel obedience by proceedings for contempt as
in the case of disobedience of the requirements of a subpoena
issued from such court or a refusal to testify therein.
(3) If the director has reason to believe that any person has
engaged or is engaging in any violation of this 2007 Act, the
Enrolled Senate Bill 583 (SB 583-B) Page 9
director may issue an order, subject to ORS chapter 183, directed
to the person to cease and desist from the violation, or require
the person to pay compensation to consumers injured by the
violation. The director may order compensation to consumers only
upon a finding that enforcement of the rights of the consumers by
private civil action would be so burdensome or expensive as to be
impractical.
(4)(a) In addition to all other penalties and enforcement
provisions provided by law, any person who violates or who
procures, aids or abets in the violation of this 2007 Act shall
be subject to a penalty of not more than $1,000 for every
violation, which shall be paid to the General Fund of the State
Treasury.
(b) Every violation is a separate offense and, in the case of a
continuing violation, each day's continuance is a separate
violation, but the maximum penalty for any occurrence shall not
exceed $500,000.
(c) Civil penalties under this section shall be imposed as
provided in ORS 183.745. + }
SECTION 14. { + In accordance with ORS chapter 183, the
Director of the Department of Consumer and Business Services may
adopt rules for the purpose of carrying out the provisions of
this 2007 Act. + }
SECTION 15. { + Notwithstanding ORS 705.145 (2), (3) and (5),
the Director of the Department of Consumer and Business Services
can allocate as deemed appropriate the moneys derived pursuant to
ORS 646.382 to 646.398, 650.005 to 650.100, 697.005 to 697.095,
697.602 to 697.842, 705.350 and 717.200 to 717.320 and 731.804
and ORS chapters 59, 645, 706 to 716, 722, 723, 725 and 726 to
implement this 2007 Act. + }
SECTION 16. { + Section 12 of this 2007 Act becomes operative
on January 1, 2008. + }
SECTION 17. { + Notwithstanding any other law limiting
expenditures, the limitation on expenditures established by
section 1, chapter 215, Oregon Laws 2007 (Enrolled House Bill
5014), for the biennium beginning July 1, 2007, as the maximum
limit for payment of expenses from fees, money or other revenues,
including Miscellaneous Receipts, but excluding lottery funds and
federal funds, collected or received by the Department of
Consumer and Business Services, is increased by $202,017 for the
purpose of carrying out the provisions of this 2007 Act. + }
SECTION 18. { + This 2007 Act being necessary for the
immediate preservation of the public peace, health and safety, an
emergency is declared to exist, and this 2007 Act takes effect
October 1, 2007. + }
----------
Enrolled Senate Bill 583 (SB 583-B) Page 10
Passed by Senate June 22, 2007
...........................................................
Secretary of Senate
...........................................................
President of Senate
Passed by House June 26, 2007
...........................................................
Speaker of House
Enrolled Senate Bill 583 (SB 583-B) Page 11
Received by Governor:
......M.,............., 2007
Approved:
......M.,............., 2007
...........................................................
Governor
Filed in Office of Secretary of State:
......M.,............., 2007
...........................................................
Secretary of State
Enrolled Senate Bill 583 (SB 583-B) Page 12