74th OREGON LEGISLATIVE ASSEMBLY--2007 Regular Session
NOTE: Matter within { + braces and plus signs + } in an
amended section is new. Matter within { - braces and minus
signs - } is existing law to be omitted. New sections are within
{ + braces and plus signs + } .
LC 3196
Senate Bill 583
Sponsored by Senator PROZANSKI (at the request of Governor
Theodore R. Kulongoski)
SUMMARY
The following summary is not prepared by the sponsors of the
measure and is not a part of the body thereof subject to
consideration by the Legislative Assembly. It is an editor's
brief statement of the essential features of the measure as
introduced.
Requires person that owns, maintains or possesses data that
includes individual personal information and is used in person's
business, vocation, occupation or volunteer activities to notify
individual following discovery of breach of security if personal
information is included in data for which security was breached.
Specifies notification methods and lists exemptions from
notification requirements.
Permits consumer to place security freeze on consumer report if
consumer provides certain information and pays any required fee.
Specifies time in which consumer reporting agency must place
freeze and send confirmation of freeze to consumer. Permits
consumer to temporarily lift or permanently remove security
freeze by complying with certain procedures. Specifies conditions
in which consumer reporting agency may lift or remove freeze.
Specifies exemptions from requirement to place freeze. Requires
consumer reporting agency to notify consumer of any change in
consumer report that has freeze in place.
Prohibits person from printing consumer's Social Security
number on materials not requested by consumer or part of
transaction unless Social Security number is redacted, except in
specified circumstances.
Requires person that owns, maintains or possesses data that
includes individual personal information to implement security
program for data. Specifies requirements for security program.
Permits Department of Consumer and Business Services to
investigate violations of Act, require filing of statements,
administer oaths and affirmations, issue subpoenas and otherwise
take evidence for investigation. Permits department to issue
cease and desist orders, require payment of restitution or
compensation and assess penalty of not more than $1,000 for each
violation.
Permits Department of Consumer and Business Services to adopt
rules to implement and enforce Act.
Declares emergency, effective October 1, 2007.
A BILL FOR AN ACT
Relating to the Oregon Consumer Theft Protection Act; and
declaring an emergency.
Be It Enacted by the People of the State of Oregon:
SECTION 1. { + This 2007 Act shall be known as the Oregon
Consumer Identity Theft Protection Act. + }
SECTION 2. { + As used in this 2007 Act:
(1)(a) 'Breach of security' means unauthorized access and
acquisition of computerized data that materially compromises the
security, confidentiality or integrity of personal information
maintained by the person.
(b) 'Breach of security' does not include good-faith
acquisition of personal information by a person or that person's
employee or agent for a legitimate purpose of that person if the
personal information is not used in violation of applicable law
or in a manner that harms or poses an actual threat to the
security, confidentiality or integrity of the personal
information.
(2) 'Consumer' means an individual who is also a resident of
this state.
(3) 'Consumer report' means a consumer report as described in
section 603(d) of the federal Fair Credit Reporting Act (15
U.S.C. 1681a(d)) as it existed on January 1, 2007, that is
compiled and maintained by a consumer reporting agency.
(4) 'Consumer reporting agency' means a consumer reporting
agency as described in section 603(p) of the federal Fair Credit
Reporting Act (15 U.S.C. 1681a(p)) as it existed on January 1,
2007.
(5) 'Encryption' means the use of an algorithmic process to
transform data into a form in which the data is rendered
unreadable or unusable without the use of a confidential process
or key.
(6) 'Identity theft' has the meaning set forth in ORS 165.800.
(7) 'Identity theft declaration' means a completed and signed
statement documenting alleged identity theft, using the form
available from the Federal Trade Commission, or another
substantially similar form.
(8) 'Person' means any individual, private or public
corporation, partnership, cooperative, association, estate,
limited liability company, organization or other entity, whether
or not organized to operate at a profit, or a public body as
defined in ORS 174.109.
(9) 'Personal information':
(a) Means a consumer's first name or first initial and last
name in combination with any one or more of the following data
elements, when either the name or the data elements are not
rendered unusable through encryption, redaction or other methods,
or when the data elements are encrypted and the encryption key
has also been acquired:
(A) Social Security number;
(B) Driver license number or state identification card number
issued by the Department of Transportation;
(C) Identification number issued by foreign nation;
(D) Passport number or other United States issued
identification number; or
(E) Financial account number, credit or debit card number, in
combination with any required security code, access code or
password that would permit access to a consumer's financial
account.
(b) Means any personal information data element or any
combination of the personal information data elements if the
information would be sufficient to permit an individual to
fraudulently assume the identity of the consumer whose
information was compromised.
(c) Does not include publicly available information, other than
a Social Security number, that is lawfully made available to the
general public from federal, state or local government records.
(10) 'Redacted' means altered or truncated so that no more than
the last four digits of a Social Security number, driver license
number, state identification card number, account number or
credit or debit card number is accessible as part of the data.
(11) 'Security freeze' means a notice placed in a consumer
report, at the request of a consumer and subject to certain
exemptions, that prohibits the consumer reporting agency from
releasing the consumer report for the extension of credit unless
the consumer has temporarily lifted or removed the freeze. + }
SECTION 3. { + (1) Any person that owns, maintains or
otherwise possesses data that includes an individual's personal
information that is used in the course of the person's business,
vocation, occupation or volunteer activities and was subject to
the breach of security shall give notice of the breach of
security following discovery of such breach of security, or
receipt of notification under subsection (2) of this section, to
any individual whose personal information was included in the
information that was breached. The disclosure notification shall
be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement as provided in subsection (3) of this section, and
consistent with any measures necessary to determine sufficient
contact information for the individuals, determine the scope of
the breach and restore the reasonable integrity, security and
confidentiality of the data.
(2) Any person that maintains or otherwise possesses personal
information through a licensing agreement with another person
shall notify the owner or licensee of the information of any
breach of security immediately following discovery of such breach
of security if an individual's personal information was included
in the information that was breached.
(3) The notification to the individual required by this section
may be delayed if a law enforcement agency determines that the
notification will impede a criminal investigation and that agency
has made a written request that the notification be delayed. The
notification required by this section shall be made after that
law enforcement agency determines that its disclosure will not
compromise the investigation and notifies the person in writing.
(4) For purposes of this section, notification to the
individual may be provided by one of the following methods:
(a) Written notice.
(b) Electronic notice if the person's primary method of
communication with the individual is by electronic means or is
consistent with the provisions regarding electronic records and
signatures set forth in the Electronic Signatures in Global and
National Commerce Act (15 U.S.C. 7001).
(c) Telephone notice, provided that contact is made directly
with the affected individual.
(d) Substitute notice, if the person demonstrates that the cost
of providing notice would exceed $250,000, that the affected
class of individuals to be notified exceeds 350,000, or if the
person does not have sufficient contact information to provide
notice. Substitute notice consists of the following:
(A) Conspicuous posting of the notice or a link to the notice
on the Internet home page of the person if the person maintains
one; and
(B) Notification to major statewide television and newspaper
media.
(5) Notice under this section shall include at a minimum:
(a) A description of the incident in general terms;
(b) The approximate date of the breach of security;
(c) The type of personal information obtained as a result of
the breach of security;
(d) Contact information of the person subject to this section;
(e) Contact information for national consumer reporting
agencies; and
(f) Advice to the individual to report suspected identity theft
to law enforcement.
(6) If a person discovers a breach of security affecting more
than 1,000 individuals that requires disclosure under this
section, the person shall notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain reports on
individuals on a nationwide basis of the timing, distribution and
content of the notification given by the person to the
individuals. In no case shall a person that is required to make a
notification required by this section delay any notification in
order to make the notification to the consumer reporting
agencies. The person shall include the police report number, if
available, in its notification to the consumer reporting
agencies.
(7) Notwithstanding subsection (1) of this section,
notification is not required if, after an appropriate
investigation or after consultation with relevant federal, state
or local agencies responsible for law enforcement, the person
reasonably determines that the breach has not and will not likely
result in harm to the individuals whose personal information has
been acquired and accessed. Such a determination must be
documented in writing and the documentation must be maintained
for five years.
(8) This section does not apply to:
(a) A person that complies with the notification requirements
or breach of security procedures that provide greater protection
to personal information and at least as thorough disclosure
requirements pursuant to the rules, regulations, procedures,
guidance or guidelines established by the person's primary or
functional federal regulator.
(b) A person that complies with a state or federal law that
provides greater protection to personal information and at least
as thorough disclosure requirements for breach of security of
personal information than that provided by this section.
(c) A person that complies with regulations regarding
notification requirements or breach of security procedures that
provide greater protection to personal information and at least
as thorough disclosure requirements promulgated pursuant to title
V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to
6809). + }
SECTION 4. { + (1) A consumer may elect to place a security
freeze on the consumer's consumer report by sending a written
request to a consumer reporting agency at an address designated
by the agency to receive such requests, or a secure electronic
request at a website designated by the agency to receive such
requests if such method is made available by the consumer
reporting agency at the agency's discretion.
(2) If the consumer is the victim of identity theft or has
reported to a law enforcement agency the theft of personal
information, the consumer may include a copy of the police
report, incident report or identity theft declaration.
(3) The consumer must provide proper identification and any fee
authorized by section 6 of this 2007 Act.
(4) Except as provided in section 8 of this 2007 Act, if a
security freeze is in place, information from a consumer report
may not be released without prior express authorization from the
consumer.
(5) This section does not prevent a consumer reporting agency
from advising a third party that a security freeze is in effect
with respect to the consumer report. + }
SECTION 5. { + (1) A consumer reporting agency shall place a
security freeze on a consumer report no later than five business
days after receiving from the consumer:
(a) The request described in section 4 (1) of this 2007 Act;
(b) Proper identification; and
(c) A fee, if applicable.
(2) The consumer reporting agency shall send a written
confirmation of the security freeze to the consumer, to the last
known address for the consumer as contained in the consumer
report maintained by the consumer reporting agency, within ten
business days after placing the freeze and, with the
confirmation, shall provide the consumer with a unique personal
identification number or password or similar device to be used by
the consumer when providing authorization for release of the
consumer's consumer report for a specific period of time or for
permanently removing the security freeze. The consumer reporting
agency shall also include with such written confirmation
information regarding the process of lifting a freeze, and the
process of temporarily lifting a freeze for allowing access to
information from the consumer's credit report for a period of
time while the freeze is in place.
(3) If a consumer wishes to allow the consumer's consumer
report to be accessed for a specific period of time while a
freeze is in effect, the consumer shall contact the consumer
reporting agency using a point of contact designated by the
consumer reporting agency, request that the freeze be temporarily
lifted and provide the following:
(a) Proper identification;
(b) The unique personal identification number or password or
similar device provided by the consumer reporting agency pursuant
to subsection (2) of this section;
(c) The information regarding the time period for which the
consumer report shall be available to users of the credit report;
and
(d) A fee, if applicable.
(4) A consumer reporting agency that receives a request from
the consumer to temporarily lift a freeze on a credit report
pursuant to subsection (3) of this section shall comply with the
request no later than three business days after receiving from
the consumer:
(a) Proper identification;
(b) The unique personal identification number or password or
similar device provided by the consumer reporting agency pursuant
to subsection (2) of this section;
(c) The information regarding the time period for which the
consumer report shall be available; and
(d) A fee, if applicable.
(5) A security freeze shall remain in place until the consumer
requests, using a point of contact designated by the consumer
reporting agency, that the security freeze be removed. A consumer
reporting agency shall remove a security freeze within three
business days of receiving a request for removal from the
consumer, who provides:
(a) Proper identification;
(b) The unique personal identification number or password or
similar device provided by the consumer reporting agency pursuant
to subsection (2) of this section; and
(c) A fee, if applicable.
(6) No later than December 31, 2008, the Director of the
Department of Consumer and Business Services shall report to the
chairs of the legislative committees that considered this 2007
Act concerning the minimum amount of time necessary, using
current technology, to place, temporarily lift or remove a freeze
on a consumer report, and to verify a consumer's identity. If the
chair of any legislative committee is vacant at the time of
making the report, the report shall also be made to the President
of the Senate and the Speaker of the House of
Representatives. + }
SECTION 6. { + (1) A consumer reporting agency may not charge
a fee to a consumer who is the victim of identity theft or who
has reported to a law enforcement agency the theft of personal
information, provided the consumer has submitted to the consumer
reporting agency a copy of a valid police report, incident report
or identity theft declaration.
(2) A consumer reporting agency may charge a reasonable fee of
no more than $10 to a consumer, other than a consumer described
in subsection (1) of this section, for each freeze, temporary
lift of the freeze, removal of the freeze or replacing a lost
personal identification number or password previously provided to
the consumer, regarding access to a consumer credit report. + }
SECTION 7. { + A consumer reporting agency shall temporarily
lift or remove a freeze placed on a consumer's credit report only
in the following cases:
(1) Upon the consumer's request, pursuant to section 5 (3) or
(5) of this 2007 Act.
(2) If the consumer's credit report was frozen due to a
material misrepresentation of fact by the consumer, the consumer
reporting agency may remove the security freeze. If a consumer
reporting agency intends to remove a freeze upon a consumer's
credit report pursuant to this subsection, the consumer reporting
agency shall notify the consumer in writing at least five
business days prior to removing the freeze placed on the consumer
report. + }
SECTION 8. { + The provisions of sections 4 to 6 of this 2007
Act do not apply to the use of a consumer report by or for any of
the following:
(1) A person, or the person's subsidiary, affiliate, agent or
assignee with which the consumer has or, prior to assignment, had
an account, contract or debtor-creditor relationship for the
purposes of reviewing the account or collecting the financial
obligation owing for the account, contract or debtor-creditor
relationship. For purposes of this subsection, 'reviewing the
account' includes activities related to account maintenance,
monitoring, credit line increases and account upgrades and
enhancements;
(2) Any person acting pursuant to a court order, warrant, or
subpoena;
(3) A federal, state or local governmental entity, including a
law enforcement agency or court, or their agents or assignees,
acting to investigate fraud or acting to investigate or collect
delinquent taxes or unpaid court orders or to fulfill their
statutory or regulatory duties provided such responsibilities are
consistent with a permissible purpose under section 604 of the
federal Fair Credit Reporting Act (15 U.S.C. 1681b) as it existed
on January 1, 2007;
(4) The use of credit information for the purposes of
prescreening as provided by the federal Fair Credit Reporting Act
(15 U.S.C. 1681 et seq.);
(5) Any person for the sole purpose of providing a credit file
monitoring subscription service, or similar service to which the
consumer has subscribed;
(6) A consumer reporting agency for the sole purpose of
providing a consumer with a copy of the consumer's consumer
report upon the consumer's request;
(7) Any person or entity for the use of setting or adjusting
rates, for claims handling or underwriting for insurance
purposes, to the extent permitted by law;
(8) A subsidiary, affiliate, agent, assignee or prospective
assignee of a person to whom access has been granted under
section 5 (3) of this 2007 Act for purposes of facilitating the
extension of credit or other permissible use;
(9) A child support agency acting pursuant to Title IV-D of the
Social Security Act (42 U.S.C. 651 et seq.); and
(10) A person for the sole purpose of screening an applicant
for a residential dwelling unit as described in ORS 90.295
(1). + }
SECTION 9. { + If a third party requests access to a consumer
report on which a security freeze is in effect, this request is
in connection with an application for credit or any other use,
the consumer does not allow the consumer's consumer report to be
accessed for that period of time, and the third party cannot
obtain the consumer report through section 8 of this 2007 Act,
the third party may treat the application as incomplete. + }
SECTION 10. { + (1) If a security freeze is in place, a
consumer reporting agency shall not change any of the following
official information in a consumer credit report without sending
a written confirmation of the change to the consumer within 30
days of the change being posted to the consumer's report: name,
date of birth, Social Security number and address. Written
confirmation is not required for technical modifications of a
consumer's official information, including name and street
abbreviations, complete spellings or transposition of numbers or
letters. In the case of an address change, the written
confirmation shall be sent to both the new address and to the
former address.
(2) The following entities are not required to place a security
freeze on a credit report:
(a) A consumer reporting agency that acts only as a reseller of
credit information by assembling and merging information
contained in the database of another consumer reporting agency or
multiple consumer reporting agencies, and does not maintain a
database of credit information from which new consumer credit
reports are produced. However, a consumer reporting agency acting
as a reseller shall honor any security freeze placed on a
consumer report by another consumer reporting agency.
(b) A check services or fraud prevention services company that
issues reports on incidents of fraud or authorizations for the
purpose of approving or processing negotiable instruments,
electronic funds transfers or similar methods of payments.
(c) A deposit account information service company that issues
reports regarding account closures due to fraud, substantial
overdrafts, ATM abuse or similar negative information regarding a
consumer, to inquiring banks or other financial institutions for
use only in reviewing a consumer request for a deposit account at
the inquiring bank or financial institution. + }
SECTION 11. { + (1) Except as otherwise specifically provided
by law a person shall not:
(a) Print a consumer's Social Security number on any materials
not requested by the consumer or part of the documentation of a
transaction or service requested by the consumer that are mailed
to the consumer unless redacted;
(b) Print a consumer's Social Security number on any card
required for the consumer to access products or services provided
by the person; or
(c) Publicly post or publicly display a consumer's Social
Security number unless redacted. As used in this paragraph,
'publicly post or publicly display' means to communicate or
otherwise make available to the general public.
(2) This section does not prevent the collection, use, or
release of a Social Security number as required by state or
federal law or the use of a Social Security number for internal
verification or administrative purposes.
(3) This section does not apply to records that are required by
law to be made available to the public.
(4) This section does not apply to Social Security numbers in
records maintained or otherwise possessed by a court or the State
Court Administrator on or before the effective date of this 2007
Act. + }
SECTION 12. { + (1) Any person that owns, maintains or
otherwise possesses data that includes a consumer's personal
information that is used in the course of the person's business,
vocation, occupation or volunteer activities must develop,
implement and maintain reasonable safeguards to protect the
security, confidentiality and integrity of the personal
information, including disposal of the data.
(2) The following shall be deemed in compliance with subsection
(1) of this section:
(a) A person that complies with a state or federal law
providing greater protection to personal information than that
provided by this section.
(b) A person that is subject to and complies with regulations
promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of
1999 (15 U.S.C. 6801 to 6809).
(c) A person that is subject to and complies with regulations
implementing the Health Insurance Portability and Accountability
Act of 1996 (45 C.F.R. parts 160 and 164).
(d) A person that implements an information security program
that includes the following:
(A) Administrative safeguards such as the following, in which
the person:
(i) Designates one or more employees to coordinate the security
program;
(ii) Identifies reasonably foreseeable internal and external
risks;
(iii) Assesses the sufficiency of safeguards in place to
control the identified risks;
(iv) Trains and manages employees in the security program
practices and procedures;
(v) Selects service providers capable of maintaining
appropriate safeguards, and requires those safeguards by
contract; and
(vi) Adjusts the security program in light of business changes
or new circumstances;
(B) Technical safeguards such as the following, in which the
person:
(i) Assesses risks in network and software design;
(ii) Assesses risks in information processing, transmission and
storage;
(iii) Detects, prevents and responds to attacks or system
failures; and
(iv) Regularly tests and monitors the effectiveness of key
controls, systems and procedures; and
(C) Physical safeguards such as the following, in which the
person:
(i) Assesses risks of information storage and disposal;
(ii) Detects, prevents and responds to intrusions;
(iii) Protects against unauthorized access to or use of
personal information during or after the collection,
transportation and destruction of the information; and
(iv) Disposes of personal information after it is no longer
needed for business purposes or as required by local, state or
federal law by burning, pulverizing, shredding or modifying a
physical record and by destroying or erasing electronic media so
that the information cannot be read or reconstructed.
(3) A person complies with subsection (2)(d)(C)(iv) of this
section if the person contracts with another person engaged in
the business of record destruction to dispose of personal
information in a manner consistent with subsection (2)(d)(C)(iv)
of this section.
(4) Notwithstanding subsection (2) of this section, a person
that is an owner of a small business as defined in ORS 285B.123
(3) complies with subsection (1) of this section if the person's
information security and disposal program, fully documented in
writing, contains administrative, technical and physical
safeguards and disposal measures appropriate to the size and
complexity of the small business, the nature and scope of its
activities, and the sensitivity of the personal information
collected from or about consumers. + }
SECTION 13. { + (1) The Director of the Department of Consumer
and Business Services may:
(a) Make such public or private investigations within or
outside this state as the director deems necessary to determine
whether a person has violated any provision of this 2007 Act, or
to aid in the enforcement of this 2007 Act.
(b) Require or permit a person to file a statement in writing,
under oath or otherwise as the director determines, as to all the
facts and circumstances concerning the matter to be investigated.
(c) Administer oaths and affirmations, subpoena witnesses,
compel attendance, take evidence and require the production of
books, papers, correspondence, memoranda, agreements or other
documents or records that the director deems relevant or material
to the inquiry. Each witness who appears before the director
under a subpoena shall receive the fees and mileage provided for
witnesses in ORS 44.415 (2).
(2) If a person fails to comply with a subpoena so issued or a
party or witness refuses to testify on any matters, the judge of
the circuit court or of any county, on the application of the
director, shall compel obedience by proceedings for contempt as
in the case of disobedience of the requirements of a subpoena
issued from such court or a refusal to testify therein.
(3) If the director has reason to believe that any person has
engaged or is engaging in any violation of this 2007 Act, the
director may issue an order, subject to ORS chapter 183, directed
to the person to cease and desist from the violation, or require
the person to pay to individuals injured by the violation amounts
that compensate the individual. The director may order
compensation to individuals only upon a finding that enforcement
of the rights of the individuals by private civil action would be
so burdensome or expensive as to be impractical.
(4)(a) In addition to all other penalties and enforcement
provisions provided by law, any person who violates or who
procures, aids or abets in the violation of this 2007 Act shall
be subject to a penalty of not more than $1,000 for every
violation, which shall be paid to the General Fund of the State
Treasury.
(b) Every violation is a separate offense and, in the case of a
continuing violation, each day's continuance is a separate
violation, but the maximum penalty for any continuing violation
shall not exceed $500,000.
(c) Civil penalties under this section shall be imposed as
provided in ORS 183.745. + }
SECTION 14. { + In accordance with ORS chapter 183, the
Director of the Department of Consumer and Business Services may
adopt rules for the purpose of carrying out the provisions of
this 2007 Act. + }
SECTION 15. { + Notwithstanding ORS 705.145 (2), (3) and (5),
the Director of the Department of Consumer and Business Services
can allocate as deemed appropriate the moneys derived pursuant to
ORS 646.382 to 646.398, 650.005 to 650.100, 697.005 to 697.095,
697.602 to 697.842, 705.350 and 717.200 to 717.320 and 731.804
and ORS chapters 59, 645, 706 to 716, 722, 723, 725 and 726 to
implement section 13 of this 2007 Act. + }
SECTION 16. { + Section 12 of this 2007 Act becomes operative
on January 1, 2008. + }
SECTION 17. { + This 2007 Act being necessary for the
immediate preservation of the public peace, health and safety, an
emergency is declared to exist, and this 2007 Act takes effect
October 1, 2007. + }