Take Stock of Security Policies: 2016 Changes to Oregon's Data Breach

March 2016

Kristen G. Hilton, CIPP/US

On January 1, 2016, an updated data breach law took effect. The amendments to Oregon's Consumer Identity Theft Protection Act (the "Act") expand the definition of "personal information," mandate notification to the Attorney General, and make violation of the Act an unlawful practice under Oregon's Unlawful Trade Practices Act.

Under the Act, a person who owns, maintains, or otherwise possesses data that includes a consumer's "personal information" used in the course of the person's business, vocation, occupation, or volunteer activities must implement reasonable safeguards to protect the security, confidentiality, and integrity of the personal information, including disposal of the data. "Consumer" means an individual resident of Oregon.

The prior version of the law limited "personal information" to a consumer's Social Security number, driver's license number or state identification card number, U.S. issued identification number, financial account number, and credit or debit card number, in combination with any required security code, access code, or password that permits access to the financial account. However, as of January 1, 2016, personal information now also includes biometric, health insurance, and medical information.

In the event of a breach of security, the Act requires that the impacted business notify every affected consumer. Under the Act, a "breach of security" is "an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains." For breaches that occur on or after January 1, 2016, notice must also be sent to Oregon's Attorney General, either in writing or electronically, if the number of Oregon residents to whom notice must be sent exceeds 250. All notices must be given in the most expeditious manner possible, without unreasonable delay, unless law enforcement requests a delay.

The amendments do not impact pre-existing statutory exemptions. However, the amendments add a new provision that makes a violation of the Act an unlawful practice under Oregon's Unlawful Trade Practices Act. This means that businesses could be subject to civil actions by either the Attorney General or local district attorneys for violations of Oregon's data breach laws. Private individuals do not have a right to sue for a violation of the Act, but they could seek recovery based on other legal theories (such as breach of contract).

All businesses operating in Oregon or that have customers located in the state should be ready to comply with all provisions of the Act, including the new notification requirements. While there is no shortage of news stories about large U.S. companies impacted by data breaches – Target, Home Depot, and Anthem Blue Cross to name a few – smaller businesses are at risk too. Small businesses have more digital assets to target than an individual consumer, but less security than a larger company, which makes them especially vulnerable. According to the Verizon 2014 Data Breach Investigation Report, 44 percent of small businesses have been a victim of cybercrime at least once, and more than half of U.S. small businesses have experienced at least one data breach. That number may be rising.

Such cybercrime incidents are also quite costly. Small businesses shell out an average of $38,000 to recover from a single data breach, including costs to investigate and comply with notification requirements like those in Oregon. See 2015 Kaspersky Lab Survey (media.kapersky.com/pdf/it-risks-surve-report-cost-of-security-breaches.pdf). And that number does not take into account indirect expenses such as employee training and infrastructure upgrades, or damages to reputation.

In order for businesses to minimize the risk of a data breach and ensure they are able to comply with Oregon's laws if a breach occurs, it is helpful to consider where and how vulnerabilities can originate. 49 percent of data breaches stem from malicious or criminal attacks, 19 percent involve employee negligence, and 32 percent are caused by system glitches. See Ponemon Institute 2015 Cost of Data Breach Study United States.

The following tips, taken from the FTC document, Protecting Personal Information: A Guide for Business, should help protect your business on each of those fronts.

Take Account
Identify what information you have, who sends it to you, how you receive it, and who has access to it. Pay particular attention to how you keep personal information, and consider different levels of data privacy for different records.

Scale Down
Collect and keep only the information you need for your business. Use Social Security numbers only for required and lawful purposes – like reporting employee taxes. Check the default settings on credit-card processing software to make sure that entire card numbers are not retained post-transaction. Develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely.

Lock Data
The most effective policies address four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers. Encrypt digital files, and keep physical media in a secure place. Limit employee access to those records so that only people who need them can see them. Regularly check security systems and run antivirus programs. Create a "culture of security" by implementing a regular schedule of employee training. Teach staff to spot vulnerabilities, and update them on security protocols as you find out about new risks. Use firewalls, and restrict the use of laptops to those employees who need them to perform their jobs. Investigate the data security practices of your vendors, and compare their standards to yours.

Pitch It - Discard Unused Information
Dispose of data that you no longer need in a secure manner, and train employees on these procedures. For instance, use data-wiping software on old computers, and follow the FTC rules for disposing of credit reports. Make sure employees who work from home follow the same procedures for disposing of sensitive documents, old computers, and portable storage devices.

Plan Ahead
Regularly test and monitor all security systems. Investigate security incidents immediately, and take steps to close off existing vulnerabilities or threats to personal information. Educate employees about what personal information is and how to safeguard it under the applicable state and federal laws. Have a plan for notifying consumers, law enforcement and credit reporting agencies in the event of a data breach.

If you have any questions on how to minimize the risks to your business or about your business's notification obligations in the case of a breach, please contact Kristen G. Hilton at khilton@sussmanshank.com or 503-227-1111.
