Data Security Breach – How to Comply with Oregon’s New Privacy Law
Jan 29th, 2008 by martin
The Oregon Legislature has recognized the need to protect the personal information of customers and employees. Senate Bill 583 sets forth a new standard for protecting personal information in Oregon. If you are the victim of an intentional or negligent data security breach, either electronic or otherwise, you must notify those affected as soon as possible. The new privacy law is complex, and there are many compliance issues to consider. It will take a while for the ambiguities in the statute to be clarified in the courts. The following presents an overview of the new law. This overview by no means constitutes, nor should it be construed as, legal advice. Rather, it is an opinion of what you should be doing generally to comply with the law that went fully into effect January 1, 2008. But organizations should consult individuals who can inform them of the law and establish business processes and training to ensure any potential loss is eliminated or minimized.
1.0 Social Security Numbers
Those who hold social security numbers may not disclose them on mailings, identification cards, or documents unless certain circumstances exist where the customer requests that the number be displayed. There are other exceptions for administrative, judicial, and public record use of the social security number. If you identify your customer records or accounts by social security number, you should change this process immediately to eliminate the risk of improper disclosure.
2.0 Protecting “Personal Information”
The new law defines “Personal Information” as an individual’s name in combination with one of the following: a social security number; an Oregon driver’s license or Oregon ID card number; or a payment card or account with a security code or password that allows access to funds. If any Personal Information is compromised, the new law requires you to notify the affected customer or employee of the breach.
3.0 Notice of Breach
If you maintain or possess Personal Information that has been compromised by a data security breach, you must notify the affected person as soon as possible by one of three methods. The first method is by written notification, such as a letter. The second method is by electronic notification; this method may be used if electronic communication is how you customarily communicate with your employees or customers. The third method is by telephone contact, provided that you can validate that you contacted the affected person directly.
If you outsource the provision of certain services to a third party, and the third party experiences a data security breach, the service provider must notify you of the breach so that you may fulfill your notice obligations under the new law.
Prompt notice of a data security breach is almost always required. However, there are a few exceptions.
First, notice may be delayed if it interferes with law enforcement activities, such as when the notice would interfere with an ongoing investigation where a perpetrator was about to be apprehended.
Second, if you can demonstrate some type of hardship, you may be permitted to give “substitute” notice by posting the notice or an informative link on your Web site and notifying major, statewide television and newspaper media of the data security breach. Qualifying hardships are: (1) the cost of providing individual notice to all affected individuals will be greater than $250,000; (2) more than 350,000 individuals are affected by the data security breach; and (3) there is no other method of sufficiently contacting the affected individuals.
Third, notice may not be required at all in certain circumstances. For example, if the Personal Information that was compromised was encrypted or otherwise made unreadable, the breach may be harmless. You must document this determination. Similarly, if the Oregon Department of Consumer and Business Services (a division of Finance and Corporate Securities) conducts an investigation and determines that there is no reasonable likelihood of harm, notice to the affected persons is not required.
If you are required to comply with Gramm-Leach-Bliley or HIPAA, you are already required to give notice of a data security breach to consumers. However, those laws do not contain the same notice requirement for employees, a group that is covered by the new Oregon law.
4.0 Data Protection Planning
The new law imposes affirmative duties on those who handle Personal Information. You must develop, implement, and maintain “reasonable safeguards” to ensure the security, confidentiality, and integrity of Personal Information in your possession. These reasonable safeguards may include having and complying with a document destruction policy that comports with the records retention laws of the various federal, state, and local governments and agencies.
4.1 Investigate and Inventory
If you hold Personal Information, you should map how information flows into and out of your organization, which includes physical and electronic documentation and devices as well as policies. You should inventory and document your locks, laptops, storage devices, disaster recovery sites, backup storage, and network security, and have policies regarding passwords, taking work home, telecommuting, and contractor access to Personal Information.
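As an added illustration (not part of the original post), here is a small Python scanner that applies the section 2.0 definition of "Personal Information" (a name combined with an SSN, an Oregon DL/ID number, or a payment card stored with its security code) to an exported customer table, as a starting point for the section 4.1 inventory. The column names and sample rows are constructed for this example, and the `or_dl` column is assumed to hold only Oregon driver's license or ID card numbers.

```python
import re

# A U.S. social security number, with or without dashes.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Constructed sample export; column names are an assumption for this example.
SAMPLE_ROWS = [
    {"name": "Pat Example", "ssn": "123-45-6789", "or_dl": "", "card": "", "card_code": ""},
    {"name": "Sam Sample", "ssn": "", "or_dl": "", "card": "4111 1111 1111 1111", "card_code": "123"},
    {"name": "Lee Test", "ssn": "", "or_dl": "", "card": "4111 1111 1111 1111", "card_code": ""},
    {"name": "", "ssn": "987-65-4321", "or_dl": "", "card": "", "card_code": ""},
    {"name": "Kim Demo", "ssn": "", "or_dl": "1234567", "card": "", "card_code": "456"},
]

def luhn_ok(number: str) -> bool:
    """Luhn check: separates a plausible payment card number from other digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_personal_information(row: dict) -> list:
    """Return the statutory elements present: a name combined with an SSN, an
    Oregon DL/ID number, or a payment card stored with its security code.
    An empty list means the row is not "Personal Information" under the Act."""
    if not row.get("name", "").strip():
        return []                 # identifiers without a name do not qualify
    hits = []
    if SSN_RE.match(row.get("ssn", "")):
        hits.append("ssn")
    if row.get("or_dl", "").strip():      # assumed to hold only Oregon DL/ID numbers
        hits.append("oregon dl/id")
    if luhn_ok(row.get("card", "")) and row.get("card_code", "").strip():
        hits.append("card with security code")
    return hits

def scan(rows: list) -> dict:
    """Map row index -> elements found: the records that belong in the 4.1 inventory."""
    return {i: h for i, row in enumerate(rows) if (h := is_personal_information(row))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_ROWS).items():
        print(f"row {i}: Personal Information ({', '.join(hits)})")
```

A card number stored without its security code, or an identifier stored without a name, is deliberately not flagged, matching the definition; widen the rules if your own data classification is stricter.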
4.2 Assess and Protect
You must then assess the effectiveness of your safeguards in minimizing both internal and external risks. In order to adequately protect Personal Information, your safeguards may need to be contractually guaranteed with vendors, employees, and others. The new law requires that you employ reasonable safeguards. It does not define specifically what those are, so you need to do what is appropriate for your industry and risk level. If there is ever an enforcement issue, having good documentation of your efforts to protect Personal Information will go a long way to showing that you used appropriate diligence.
4.3 Records Retention
You should have a records retention policy. Perhaps as important, you must follow your security policy. For Personal Information, the policy should state that such information will only be retained for as long as necessary to fulfill a “legitimate business need” or as required by federal, state, and local records retention laws.
Tangible documents must be physically destroyed by shredding, burning, or pulverizing. Electronic records must be erased and overwritten with blank or other data. There must be no possible way of reconstituting the data. All drives must be erased and overwritten prior to recycling. It is the data owner’s responsibility to destroy the data, not the recycler’s.
You should follow your records retention policy consistently. It is inappropriate, and often illegal, to begin following a neglected records retention policy when a data security breach occurs. Destruction of evidence in the face of an investigation can be a serious crime.
4.4 Training, Testing, and Monitoring
The new law imposes an ongoing obligation to train employees on aspects of the law such as what constitutes Personal Information and the notification procedures to use in the event of a data security breach. Without knowledge of this law and its requirements, any employee could potentially create huge liabilities for an organization. In addition, evidence of compliance necessarily requires documenting regular testing and monitoring of security processes, systems, and controls, including both physical and electronic safeguards.
4.5 Action Item: Create a Security Program
Organizations of all stripes must create a security program as primary evidence of compliance with the new law. Appoint a competent and high-ranking individual to be the security program coordinator. The security program should implement the elements described above: identifying risks, developing reasonable safeguards (administrative, technical, and physical), training, testing, and vigilantly monitoring for new threats. You should consider hiring a network security professional and/or private investigator to periodically test the effectiveness of your security system.
5.0 Small Businesses
A small business is defined as a manufacturing business with 200 or fewer employees or a non-manufacturing business with 50 or fewer employees. Small businesses typically do not have the capital resources that large businesses have. The new law recognizes this fact by allowing small businesses to do less than is expected of large businesses. In order to comply with the new law, a small business must implement administrative, technical, and physical safeguards that are appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the Personal Information it collects or holds.
6.0 Enforcement and Penalties
The Oregon Department of Consumer and Business Services, a division of Finance and Securities, is the state agency tasked with enforcing the new law. This agency has broad investigative authority and can require those involved in a data security breach to submit sworn evidence in judicial proceedings.
Failure to comply with the various provisions of the new law can lead to severe penalties. The agency can order you to pay compensation to consumers if private civil action would be burdensome to them. In addition, the agency can impose fines of $1,000 per violation per day. These fines add up very quickly, since each violation is considered a separate offense. The maximum penalty for any “occurrence” is $500,000. It is easy to see how multiple occurrences could ruin an organization, beyond any actual economic losses suffered by the affected.
7.0 Consumer Protections
The new law contains a number of options and a process for placing a security “freeze” on your credit report with the three major credit reporting agencies: Equifax, Experian, and TransUnion. A security freeze can be useful in preventing identity theft in the event your Personal Information is compromised because of a data security breach. To place or remove a security freeze on your credit report, you have to make your request in writing and pay a fee. No one, including you, will be able to establish new credit in your name while the security freeze is in effect. Though frozen, your credit report can still be accessed by the government and some private companies, generally those you do business with.
You should seek competent legal counsel if you have questions regarding this new Oregon law, require security consulting for process design, or have jurisdiction-specific issues with the applicability of other state, national, or international privacy laws to your situation.
Resources:
http://www.leg.state.or.us/07reg/measures/sb0500.dir/sb0583.en.html
www.dhs.gov/xlibrary/assets/National_cyberspace_Strategy.pdf