Compass Newsletter - Articles

Oregon Consumer Identity Theft Protection Act: Is Your Business in Compliance?

by Tricia M. Olson
(Winter 2008-2009)

The Oregon Consumer Identity Theft Protection Act was enacted in 2007 and became fully effective January 1, 2008. Organizations that have not yet taken steps to comply with this new law should do so immediately. Organizations that have already implemented safeguards required by the law should monitor those safeguards for continued compliance. This article provides a summary overview of the Oregon Consumer Identity Theft Protection Act and lists additional resources for organizations desiring further information.

Almost all organizations collect and maintain personal data about their customers, clients or other constituents. To protect against the harm that can occur when personal data falls into the hands of identity thieves, Oregon recently enacted a Consumer Identity Theft Protection Act (“OCITPA”).1 It is applicable to any individual, business, organization, or government entity that maintains consumers’ “personal information,” and uses such data in the course of its business or activities. OCITPA applies to these entities regardless of their size and whether or not they are organized to operate at a profit. “Personal information” includes a person’s first name or first initial and last name in connection with any of the following:

  • Social Security number;
  • Oregon driver’s license number or Oregon identification card number;
  • Passport number or United States identification card number; or
  • Financial account, credit or debit card number, in combination with any required security code.

OCITPA has three main components that businesses and organizations must comply with:

(1) Protection of Social Security Numbers;
(2) Notification of a Security Breach; and
(3) Safeguarding Data

The major requirements of these three components are summarized below. An organization that fails to comply with these requirements may be subject to a penalty of up to $1,000 for every violation.2 In the case of a continuing violation, each day’s continuance is a separate violation. The maximum penalty for any occurrence is $500,000. In addition, organizations should consider the damage to their own reputation that can occur after an incident of identity theft.

(1) Protection of Social Security Numbers. Organizations may not print Social Security numbers on cards, or otherwise publicly display or post them, unless the number is redacted. To redact, no more than the last four digits of the Social Security number may be visible. Further, organizations may not include nonredacted Social Security numbers in documents placed in outgoing mail unless required by state or federal law or specifically requested by a consumer. If there is a legitimate purpose, an organization may use Social Security numbers for internal verification or administrative purposes.3
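The redaction rule above is mechanical enough to automate. The following Python is an added example, not code from the article or from the State of Oregon; it masks a Social Security number down to its last four digits and scans the text of an outgoing document for any number that was left unredacted. The regular expression, the function names and the sample letter are assumptions constructed for illustration.

```python
import re

# Matches a nine-digit U.S. Social Security number written as
# 123-45-6789, 123 45 6789 or 123456789. The \b anchors keep longer digit
# runs (a ten-digit phone number, for example) from matching. Assumed
# pattern for illustration; tune it to the formats in your own documents.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def redact_ssn(ssn: str) -> str:
    """Mask an SSN so only its last four digits remain visible, the most
    that may be shown on a publicly displayed, posted or mailed record."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a nine-digit Social Security number")
    return "XXX-XX-" + digits[-4:]


def find_unredacted_ssns(text: str) -> list[str]:
    """Return every full SSN found in text, in document order.
    Use this to flag a document before it goes into outgoing mail."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def redact_document(text: str) -> str:
    """Replace every full SSN in text with its redacted form.
    Already-redacted values (XXX-XX-6789) contain no nine-digit run
    and are left untouched."""
    return SSN_RE.sub(lambda m: redact_ssn(m.group(0)), text)


# Constructed sample letter; the SSNs and phone number are not real data.
SAMPLE_LETTER = (
    "Dear Ms. Example,\n"
    "Your account was opened under SSN 123-45-6789 on 03/14/2008.\n"
    "A second account lists SSN 987654321.\n"
    "Call 503-585-4422 with questions.\n"
)


if __name__ == "__main__":
    found = find_unredacted_ssns(SAMPLE_LETTER)
    print("unredacted SSNs found:", found)
    print(redact_document(SAMPLE_LETTER))
```

Run the scanner as a gate on anything leaving the organization (mail merge output, exported reports, web pages) and treat a non-empty result as a block, not a warning. Any nine-digit token that is not an SSN (an account or reference number, for instance) will also be flagged; that is the safer direction for a control like this, but review the matches before bulk-redacting a document that carries such identifiers.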

(2) Notification of a Security Breach. If there is unauthorized access to an organization’s computer files that materially compromises consumers’ personal information, the organization must give notice to affected consumers as quickly as possible. Notification of a security breach should generally be in writing. Notice may be given through electronic means, if that is the organization’s customary method of communication with the consumer, or by telephone, provided that contact is made directly with the consumer. At a minimum, the notification should contain:

  • A description of the incident in general terms;
  • The approximate date of the security breach;
  • The type of personal information obtained as a result of the security breach;
  • The organization’s contact information;
  • Contact information for national consumer reporting agencies; and
  • Advice to the consumer to report suspected identity theft to law enforcement.

For any security breach affecting more than 1,000 consumers, the organization must report to all nationwide consumer reporting agencies. If the cost of notification would exceed $250,000, or if the number of those who need to be contacted is over 350,000, an organization may use substitute notice, which includes conspicuous posting on the organization’s website and notification to major statewide television and newspaper media.

(3) Safeguarding Data. Organizations must develop, implement and maintain reasonable safeguards to protect personal information. To comply with this aspect of OCITPA, organizations must assess the personal information they have and develop an information security plan to protect that information. According to OCITPA, an information security plan must contain administrative, technical, and physical safeguards:

Administrative Safeguards

  • Designate one or more employees to coordinate the security program;
  • Identify reasonably foreseeable internal and external risks;
  • Assess the sufficiency of safeguards in place to control identified risks;
  • Train and manage employees in the security program practices and procedures;
  • Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and
  • Adjust the security program in light of business changes or new circumstances.

Technical Safeguards

  • Assess risks in network and software design;
  • Assess risks in information processing, transmission and storage;4
  • Detect, prevent and respond to attacks or system failures; and
  • Regularly test and monitor the effectiveness of key controls, systems and procedures.

Physical Safeguards

  • Assess risks of information storage and disposal;
  • Detect, prevent and respond to intrusions;
  • Protect against unauthorized access to or use of personal information; and
  • Dispose of personal information after it is no longer needed for business purposes or as required by law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media.

The necessary scope and extent of an information security plan depends on an organization’s size. For small businesses (100 or fewer employees), the plan need only be commensurate with the nature and scope of the business’ activities and the sensitivity of the personal information it collects.

Helpful resources for complying with OCITPA include the Oregon Department of Consumer & Business Services website5 and a comprehensive “Best Practices” safeguard checklist published by the State of Oregon Enterprise Security Office.6

If you would like more information about anything discussed in this article, or would like to assess whether your organization is in compliance with OCITPA, please contact Tricia Olson at 503-585-4422 or

  1. The new law is found at ORS 646A.600 to ORS 646A.628.

  2. Organizations that already comply with state or federal laws providing greater protection to personal information are generally deemed in compliance with the safeguards required by OCITPA.

  3. The Department of Consumer and Business Services has proposed additional administrative rules regarding use of Social Security numbers. These proposed rules are available at The proposed rules strongly encourage organizations to use numbers other than Social Security numbers for internal verification purposes. If Social Security numbers are used for such purposes, the organization must have procedures in place that prevent unauthorized access and provide for secure transmission of Social Security numbers to persons outside the organization.

  4. In addition to computers, an organization should consider personal information stored on flash drives, cell phones, and personal digital assistants (PDAs).