Oregon Consumer Identity Theft Protection Act
ORS646A.600 - The Oregon Consumer Identity Theft Protection Act
For Oregon ORS646A.600 compliance, you can purchase a professionally developed Written Information Security Program (WISP) for your business and have it ready to implement the next business day. You will receive the WISP in Microsoft Word format (via email delivery), as well as helpful guidance on how to properly implement the WISP and what controls in the WISP map to the Oregon Consumer Identity Theft Protection Act (OCITPA) requirements.
For a reason to buy a Written Information Security Program (WISP), it is hard to beat an excerpt directly from the Oregon law itself since there is a legal requirement have written information security policies, procedures and standards in place:
Oregon ORS646A.600: “Any person that owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.”
Oregon Consumer ID Theft Protection Act Compliant Written Information Security Program (WISP)
The State of Oregon adopted a strict Information Security law, which became effective on January 1, 2008. The law is broken up into four sections (please read the requirements of those two sections below). The Written Information Security Program (WISP) meets ALL of the requirements of Oregon ORS 646A.600 so any business that maintains PCI DSS-related data on an Oregon resident could purchase and implement a WISP to become compliant with this new law.
As an Oregon business ourselves, BlackHat Consultants is an expert in the Oregon Consumer Identity Theft Protection Act (OCITPA). We can work with your business to become compliant and stay compliant with this law! ✓ Easy to implement & tailored to your company
✓ Policies are based on NIST 800-series and ISO 27000-series standards
✓ Dozens of policies and standards specifically tailored for small to medium businesses
✓ Covers the PCI DSS, GLBA, SOX, HIPAA, FACTA and more!
- Identifies administrative, technical and physical controls
- Provides standards for both assessing risk and hardening of networks and systems
- Ongoing user education and security awareness training
- Incident response procedures
- Procedures to audit user accounts and deal with terminated employees
✓ Includes many helpful forms to implement the WISP;
- Employee acknowledgement forms
- Appointment orders for an employee to be in charge of IT Security
- Incident Response Plan (IRP) forms
- Any more!! (see the example for more)
Requirements of the Oregon Consumer Identity Theft Protection Act
All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion.
Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.
The law prohibits anyone from printing Social Security Numbers (SSNs) on cards or documents or publicly displaying or posting a SSN. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.
If you collect personal information from an individual, such as driver's license numbers or SSNs, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.
The following shall be deemed in compliance:
- A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.
- A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.
- A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on the effective date of this 2007 Act.
- A person that implements an information security program that includes the following administrative safeguards such as the following, in which the person:
- Designates one or more employees to coordinate the security program;
- Identifies reasonably foreseeable internal and external risks;
- Assesses the sufficiency of safeguards in place to control the identified risks;
- Trains and manages employees in the security program practices and procedures;
- Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- Adjusts the security program in light of business changes or new circumstances;
Technical safeguards such as the following, in which the person:
(i) Assesses risks in network and software design;
(ii) Assesses risks in information processing, transmission and storage;
(iii) Detects, prevents and responds to attacks or system failures; and
(iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
Physical safeguards such as the following, in which the person:
(i) Assesses risks of information storage and disposal;
(ii) Detects, prevents and responds to intrusions;
(iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
(iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or
modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.