Oregon's New Law (SB583) Mandates That Businesses Must Protect Client Data With Information Security Policies
The Oregon Identity Theft Protection Act (OITPA) - passed by the 2007 legislature - means consumers will have more tools to protect themselves against identity theft, and Oregon businesses and government will have clear direction and expectations to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer's name in combination with a Social Security number, Oregon driver's license number or Oregon identification card number, or a financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer's financial account.
The government of Oregon is taking every effort to protect businesses and consumers from identity theft. It is your responsibility as a business owner to enforce the law and protect your clients. In the event an employee from your company violates a statute of the OITPA, an Information Security Policy Manual (ISPM) will protect your company from civil penalties by demonstrating compliance with the law. Additionally, you will have documentation in place to legitimately terminate employment for cause for any employee caught violating company policies, procedures, standards, or guidelines.
Civil Penalties
In addition to paying compensation to consumers injured by violations of the OITPA, any person or organization violating this Act:
- Shall be subject to a penalty of not more than $1,000 for every violation, which shall be paid to the General Fund of the State Treasury.
- Shall face prosecution for every violation as a separate offense and, in the case of a continuing violation, each day's continuance is a separate violation, with a maximum penalty of $500,000 per occurrence.
Security Documentation
Are you liable under the Oregon Identity Theft Protection Act (OITPA)? Having an Information Security Policy Manual (ISPM) demonstrates due care and due diligence on your behalf. This is crucial to reduce your liability for what your employees do, as well as for what they fail to do:
- Preventative steps: Due care is the care and forethought a reasonable individual would exercise under the circumstances. It is the standard for determining legal duty. Demonstrate your proactive approach to mitigating risk by implementing policies, procedures, standards, and guidelines.
- Ongoing steps: Due diligence is the effort made by a reasonable individual to avoid harm to another party, where failure to make this effort may be considered negligence. Implementing and enforcing policies, procedures, standards, and guidelines demonstrates due diligence by your organization.
Product Overview
The Information Security Policy Manual (ISPM) from www.iSecurityPolicy.com is a robust compilation of Information Security policies that are tailored specifically for the small and medium businesses (SMBs) that are generally overlooked when it comes to Information Security. Highlights include:
- Policies are based on International Standards Organization (ISO) 17799
- Authored by a Certified Information Systems Security Professional (CISSP)
- In-depth coverage of 31 topics, detailing policies, procedures, standards and guidelines
- Covers OITPA, GLBA, SOX, HIPAA and FACTA compliance concerns
- Includes employee acknowledgement form and information security officer appointment orders
- Free Information Security Training Video for your employees: http://video.iSecurityPolicy.com
- Customized and ready for download in minutes!
Cost Savings
With Information Security (IS), an ounce of prevention is worth considerably more than a pound of cure. At $435, the Information Security Policy Manual is a mere fraction of the cost of a comparable product produced by an on-site security consultant. Why wait weeks and spend thousands of dollars when you can start protecting your organization today?
Regulatory Compliance
The components of this law are equally applicable whether you have 5 employees or 500 employees. Below are the specific protections of the law:
Security Freeze - Effective October 1, 2007
All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion. A security freeze means that your file cannot be shared with potential creditors. Most businesses will not open credit accounts without first checking a consumer's credit history. There is no fee if you are a victim of identity theft or you have reported the theft of your personal information to a law enforcement agency. For other consumers, each credit reporting agency will charge a fee to freeze your file. If you do place a security freeze on your report, you can "thaw" your file to apply for new credit. Law enforcement agencies and government agencies, including child support agencies, and businesses collecting existing debt will still be able to access your credit file.
Notification of a Breach - Effective October 1, 2007
Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.
The notification must be done as soon as possible unless law enforcement believes the notification will impede a criminal investigation. In most cases you can notify in writing, but the law allows for electronic notice if this is the primary manner of communication between you and the consumer, or telephone notice if you contact the person directly. If you demonstrate that the cost of notification is more than $250,000 or the number of individuals to be notified is more than 350,000, you may notify through major Oregon television and newspaper media.
If an investigation into the breach by a federal, state or local law enforcement agency determines there is no reasonable likelihood of harm to consumers, notification is not required. The same is true if the data involved in the breach was encrypted or made unreadable.
Note: A business or organization that is subject to and complies with the Gramm-Leach-Bliley Act's (GLBA) notification requirements does not need to develop a further process. However, if the breach involves your employees' information, you must follow Oregon's notification requirements.
Protection of Social Security Numbers - Effective October 1, 2007
Consumers are especially vulnerable to identity theft if their Social Security number has fallen into the wrong hands. The law prohibits anyone from printing Social Security numbers on cards or documents or publicly displaying or posting a Social Security number. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.
Safeguarding Personal Information - Effective January 1, 2008
If you collect personal information from an individual, such as driver's license numbers or Social Security numbers, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.
Any individual, business, government agency, or organization that is subject to and complies with the notification and data safeguard requirements or guidance adopted under the Gramm-Leach-Bliley Act (GLBA) already meets Oregon's requirements for notification and data safeguarding. In addition, individuals, businesses, government agencies, or organizations that are subject to and comply with the data safeguard requirements or guidance adopted under the Health Insurance Portability and Accountability Act (HIPAA) do not need to develop additional data safeguards. However, none of these exceptions apply when there is a breach involving your employees' information or you are developing safeguards to protect your employees' information.
The Department of Consumer and Business Services is charged with enforcing these new laws.
TeamLogic IT is a trusted IT provider, capable of supporting Oregon businesses with their information security and information technology consulting needs.
Purchase online at:
www.iSecurityPolicy.com