Chapter 759 Oregon Laws 2007

 

AN ACT

 

SB 583

 

Relating to the Oregon Consumer Theft Protection Act; limiting expenditures; and declaring an emergency.

 

Be It Enacted by the People of the State of Oregon:

 

          SECTION 1. This 2007 Act shall be known as the Oregon Consumer Identity Theft Protection Act.

 

          SECTION 2. As used in this 2007 Act:

          (1)(a) “Breach of security” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person.

          (b) “Breach of security” does not include good-faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

          (2) “Consumer” means an individual who is also a resident of this state.

          (3) “Consumer report” means a consumer report as described in section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)), as that Act existed on the effective date of this 2007 Act, that is compiled and maintained by a consumer reporting agency.

          (4) “Consumer reporting agency” means a consumer reporting agency as described in section 603(p) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on the effective date of this 2007 Act.

          (5) “Debt” means any obligation or alleged obligation arising out of a consumer transaction, as defined in ORS 646.639.

          (6) “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

          (7) “Extension of credit” means the right to defer payment of debt or to incur debt and defer its payment offered or granted primarily for personal, family or household purposes.

          (8) “Identity theft” has the meaning set forth in ORS 165.800.

          (9) “Identity theft declaration” means a completed and signed statement documenting alleged identity theft, using the form available from the Federal Trade Commission, or another substantially similar form.

          (10) “Person” means any individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.

          (11) “Personal information”:

          (a) Means a consumer’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:

          (A) Social Security number;

          (B) Driver license number or state identification card number issued by the Department of Transportation;

          (C) Passport number or other United States issued identification number; or

          (D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.

          (b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer’s first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.

          (c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.

          (12) “Redacted” means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, account number or credit or debit card number is accessible as part of the data.

          (13) “Security freeze” means a notice placed in a consumer report, at the request of a consumer and subject to certain exemptions, that prohibits the consumer reporting agency from releasing the consumer report for the extension of credit unless the consumer has temporarily lifted or removed the freeze.

 

          SECTION 3. (1) Any person that owns, maintains or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation or volunteer activities and was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection (2) of this section, to any consumer whose personal information was included in the information that was breached. The disclosure notification shall be made in the most expeditious time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (3) of this section, and consistent with any measures necessary to determine sufficient contact information for the consumers, determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data.

          (2) Any person that maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.

          (3) The notification to the consumer required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and that agency has made a written request that the notification be delayed. The notification required by this section shall be made after that law enforcement agency determines that its disclosure will not compromise the investigation and notifies the person in writing.

          (4) For purposes of this section, notification to the consumer may be provided by one of the following methods:

          (a) Written notice.

          (b) Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) as that Act existed on the effective date of this 2007 Act.

          (c) Telephone notice, provided that contact is made directly with the affected consumer.

          (d) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $250,000, that the affected class of consumers to be notified exceeds 350,000, or if the person does not have sufficient contact information to provide notice. Substitute notice consists of the following:

          (A) Conspicuous posting of the notice or a link to the notice on the Internet home page of the person if the person maintains one; and

          (B) Notification to major statewide television and newspaper media.

          (5) Notice under this section shall include at a minimum:

          (a) A description of the incident in general terms;

          (b) The approximate date of the breach of security;

          (c) The type of personal information obtained as a result of the breach of security;

          (d) Contact information of the person subject to this section;

          (e) Contact information for national consumer reporting agencies; and

          (f) Advice to the consumer to report suspected identity theft to law enforcement, including the Federal Trade Commission.

          (6) If a person discovers a breach of security affecting more than 1,000 consumers that requires disclosure under this section, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notification given by the person to the consumers. In no case shall a person that is required to make a notification required by this section delay any notification in order to make the notification to the consumer reporting agencies. The person shall include the police report number, if available, in its notification to the consumer reporting agencies.

          (7) Notwithstanding subsection (1) of this section, notification is not required if, after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

          (8) This section does not apply to:

          (a) A person that complies with the notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by the person’s primary or functional federal regulator.

          (b) A person that complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security of personal information than that provided by this section.

          (c) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.
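The definitions in section 2 (11) and (12) together with the thresholds in section 3 can be read as a decision procedure for scoping a breach. The following Python is an added example written for this page, not code from the statute or from any agency; the `Exposure` record, its field names and the sample records are constructed assumptions, and the section 2 (11)(b) judgment that data without a name is "sufficient to permit a person to commit identity theft" is left to the caller.

```python
from dataclasses import dataclass, field

# Data elements enumerated in section 2(11)(a)(A)-(D); the keys are assumptions.
ELEMENTS = ("ssn", "driver_license", "passport", "financial_account")

# Section 3(5): minimum contents of a consumer notice (keys are assumptions).
NOTICE_FIELDS = ("incident_description", "approximate_date", "info_types",
                 "person_contact", "cra_contact", "report_advice")


@dataclass
class Exposure:
    """One consumer's records as they sat in the acquired data (constructed)."""
    has_name: bool                               # first name/initial + last name
    elements: dict                               # element -> value as exposed
    encrypted: set = field(default_factory=set)  # elements stored encrypted
    key_acquired: bool = False                   # encryption key was also taken
    account_credential: bool = False             # code/password for the account
    sufficient_without_name: bool = False        # section 2(11)(b) judgment call
    lawfully_public: bool = False                # section 2(11)(c) public record


def is_redacted(value: str) -> bool:
    """Section 2(12): at most the last four digits remain accessible."""
    return sum(c.isdigit() for c in value) <= 4


def usable_elements(x: Exposure) -> set:
    """Elements not 'rendered unusable' by encryption, redaction or exclusion."""
    out = set()
    for name, value in x.elements.items():
        if name not in ELEMENTS or is_redacted(value):
            continue
        # encrypted data only counts when the key was acquired as well
        if name in x.encrypted and not x.key_acquired:
            continue
        # (D): an account number counts only with its security code/password
        if name == "financial_account" and not x.account_credential:
            continue
        # (c): lawfully public government records are excluded, except SSNs
        if x.lawfully_public and name != "ssn":
            continue
        out.add(name)
    return out


def is_personal_information(x: Exposure) -> bool:
    """Section 2(11)(a) (with a name) or (b) (without one, if sufficient)."""
    usable = usable_elements(x)
    if not usable:
        return False
    return x.has_name or x.sufficient_without_name


def notification_plan(exposures, notice_cost, have_contact_info=True,
                      harm_unlikely_documented=False):
    """Apply the section 3 thresholds to a set of affected consumers."""
    affected = sum(1 for x in exposures if is_personal_information(x))
    plan = {"affected_consumers": affected, "consumer_notice": False,
            "substitute_notice_allowed": False, "notify_cras": False}
    if affected == 0:
        return plan
    # 3(7): a written no-harm determination (kept five years) lifts the duty
    if harm_unlikely_documented:
        return plan
    plan["consumer_notice"] = True
    # 3(4)(d): substitute notice thresholds
    plan["substitute_notice_allowed"] = (notice_cost > 250_000
                                         or affected > 350_000
                                         or not have_contact_info)
    # 3(6): nationwide consumer reporting agencies above 1,000 consumers
    plan["notify_cras"] = affected > 1_000
    return plan


def missing_notice_items(notice: dict) -> list:
    """Return the section 3(5) items absent from a draft notice."""
    return [k for k in NOTICE_FIELDS if not notice.get(k)]


if __name__ == "__main__":
    # Constructed sample: four consumers found in one breached export.
    sample = [
        Exposure(True, {"ssn": "123-45-6789"}),                        # (a)(A)
        Exposure(True, {"ssn": "XXX-XX-6789"}),                        # redacted
        Exposure(True, {"financial_account": "4111111111111111"},
                 encrypted={"financial_account"}, key_acquired=True,
                 account_credential=True),                             # (a)(D)
        Exposure(False, {"passport": "A12345678"},
                 sufficient_without_name=True),                        # (b)
    ]
    print(notification_plan(sample, notice_cost=1_200))
    print(missing_notice_items({"incident_description": "lost laptop"}))
```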

 

          SECTION 4. (1) A consumer may elect to place a security freeze on the consumer’s consumer report by sending a written request to a consumer reporting agency at an address designated by the agency to receive such requests, or a secure electronic request at a website designated by the agency to receive such requests if such method is made available by the consumer reporting agency at the agency’s discretion.

          (2) If the consumer is the victim of identity theft or has reported to a law enforcement agency the theft of personal information, the consumer may include a copy of the police report, incident report or identity theft declaration.

          (3) The consumer must provide proper identification and any fee authorized by section 6 of this 2007 Act.

          (4) Except as provided in section 8 of this 2007 Act, if a security freeze is in place, information from a consumer report may not be released without prior express authorization from the consumer.

          (5) This section does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report.

 

          SECTION 5. (1) A consumer reporting agency shall place a security freeze on a consumer report no later than five business days after receiving from the consumer:

          (a) The request described in section 4 (1) of this 2007 Act;

          (b) Proper identification; and

          (c) A fee, if applicable.

          (2) The consumer reporting agency shall send a written confirmation of the security freeze to the consumer, to the last known address for the consumer as contained in the consumer report maintained by the consumer reporting agency, within ten business days after placing the freeze and, with the confirmation, shall provide the consumer with a unique personal identification number or password or similar device to be used by the consumer when providing authorization for release of the consumer’s consumer report for a specific period of time or for permanently removing the security freeze. The consumer reporting agency shall also include with such written confirmation information regarding the process of lifting a freeze, and the process of temporarily lifting a freeze for allowing access to information from the consumer’s credit report for a period of time while the freeze is in place.

          (3) If a consumer wishes to allow the consumer’s consumer report to be accessed for a specific period of time while a freeze is in effect, the consumer shall contact the consumer reporting agency using a point of contact designated by the consumer reporting agency, request that the freeze be temporarily lifted and provide the following:

          (a) Proper identification;

          (b) The unique personal identification number or password or similar device provided by the consumer reporting agency pursuant to subsection (2) of this section;

          (c) The information regarding the time period for which the consumer report shall be available to users of the credit report; and

          (d) A fee, if applicable.

          (4) A consumer reporting agency that receives a request from the consumer to temporarily lift a freeze on a credit report pursuant to subsection (3) of this section shall comply with the request no later than three business days after receiving from the consumer:

          (a) Proper identification;

          (b) The unique personal identification number or password or similar device provided by the consumer reporting agency pursuant to subsection (2) of this section;

          (c) The information regarding the time period for which the consumer report shall be available; and

          (d) A fee, if applicable.

          (5) A security freeze shall remain in place until the consumer requests, using a point of contact designated by the consumer reporting agency, that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides:

          (a) Proper identification;

          (b) The unique personal identification number or password or similar device provided by the consumer reporting agency pursuant to subsection (2) of this section; and

          (c) A fee, if applicable.

          (6) No later than December 31, 2008, the Director of the Department of Consumer and Business Services shall report to the chairs of the legislative committees that considered this 2007 Act concerning the minimum amount of time necessary, using current technology, to place, temporarily lift or remove a freeze on a consumer report, and to verify a consumer’s identity. If the chair of any legislative committee is vacant at the time of making the report, the report shall also be made to the President of the Senate and the Speaker of the House of Representatives.

 

          SECTION 6. (1) A consumer reporting agency may not charge a fee to a consumer who is the victim of identity theft or who has reported to a law enforcement agency the theft of personal information, provided the consumer has submitted to the consumer reporting agency a copy of a valid police report, incident report or identity theft declaration.

          (2) A consumer reporting agency may charge a reasonable fee of no more than $10 to a consumer, other than a consumer described in subsection (1) of this section, for each freeze, temporary lift of the freeze, removal of the freeze or replacing a lost personal identification number or password previously provided to the consumer, regarding access to a consumer credit report.

 

          SECTION 7. A consumer reporting agency shall temporarily lift or remove a freeze placed on a consumer’s credit report only in the following cases:

          (1) Upon the consumer’s request, pursuant to section 5 (3) or (5) of this 2007 Act.

          (2) If the consumer’s credit report was frozen due to a material misrepresentation of fact by the consumer, the consumer reporting agency may remove the security freeze. If a consumer reporting agency intends to remove a freeze upon a consumer’s credit report pursuant to this subsection, the consumer reporting agency shall notify the consumer in writing at least five business days prior to removing the freeze placed on the consumer report.

 

          SECTION 8. The provisions of sections 4 to 6 of this 2007 Act do not apply to the use of a consumer report by or for any of the following:

          (1) A person, or the person’s subsidiary, affiliate, agent or assignee with which the consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or debtor-creditor relationship. For purposes of this subsection, “reviewing the account” includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements;

          (2) Any person acting pursuant to a judgment, court order, warrant or subpoena;

          (3) A federal, state or local governmental entity, including a law enforcement agency or court, or their agents or assignees, acting to investigate fraud or acting to investigate or collect delinquent taxes or unpaid judgments or court orders or to fulfill their statutory or regulatory duties provided such responsibilities are consistent with a permissible purpose under section 604 of the federal Fair Credit Reporting Act (15 U.S.C. 1681b) as that Act existed on the effective date of this 2007 Act;

          (4) The use of credit information for the purposes of prescreening as provided by the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) as that Act existed on the effective date of this 2007 Act;

          (5) Any person for the sole purpose of providing a credit file monitoring subscription service, or similar service to which the consumer has subscribed;

          (6) A consumer reporting agency for the sole purpose of providing a consumer with a copy of the consumer’s consumer report upon the consumer’s request;

          (7) Any person or entity for the use of setting or adjusting rates, for claims handling or underwriting for insurance purposes, to the extent permitted by law;

          (8) A subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under section 5 (3) of this 2007 Act for purposes of facilitating the extension of credit or other permissible use;

          (9) A child support agency acting pursuant to Title IV-D of the Social Security Act (42 U.S.C. 651 et seq.) as that Act existed on the effective date of this 2007 Act; and

          (10) A person for the sole purpose of screening an applicant for a residential dwelling unit as described in ORS 90.295 (1).

 

          SECTION 9. If a third party requests access to a consumer report on which a security freeze is in effect, the request is in connection with an application for credit or any other use, the consumer does not allow the consumer’s consumer report to be accessed for that period of time, and the third party cannot obtain the consumer report through section 8 of this 2007 Act, the third party may treat the application as incomplete.

 

          SECTION 10. (1) If a security freeze is in place, a consumer reporting agency shall not change any of the following official information in a consumer credit report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer’s report: name, date of birth, Social Security number and address. Written confirmation is not required for technical modifications of a consumer’s official information, including name and street abbreviations, complete spellings or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

          (2) The following entities are not required to place a security freeze on a credit report:

          (a) A consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a database of credit information from which new consumer credit reports are produced. However, a consumer reporting agency acting as a reseller shall honor any security freeze placed on a consumer report by another consumer reporting agency.

          (b) A check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers or similar methods of payments.

          (c) A deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.

 

          SECTION 11. (1) Except as otherwise specifically provided by law a person shall not:

          (a) Print a consumer’s Social Security number on any materials not requested by the consumer or part of the documentation of a transaction or service requested by the consumer that are mailed to the consumer unless redacted;

          (b) Print a consumer’s Social Security number on any card required for the consumer to access products or services provided by the person; or

          (c) Publicly post or publicly display a consumer’s Social Security number unless redacted. As used in this paragraph, “publicly post or publicly display” means to communicate or otherwise make available to the public.

          (2) This section does not prevent the collection, use, or release of a Social Security number as required by state or federal law, including statute, Oregon Rules of Civil Procedure or rule adopted by the Chief Justice of the Supreme Court, the Chief Judge of the Court of Appeals or the judge of the Oregon Tax Court, or the use or printing of a Social Security number for internal verification or administrative purposes or for enforcement of a judgment or court order.

          (3) This section does not apply to records that are required by state or federal law, including statute, Oregon Rules of Civil Procedure or rule adopted by the Chief Justice of the Supreme Court, the Chief Judge of the Court of Appeals or the judge of the Oregon Tax Court, to be made available to the public.

          (4) This section does not apply to a Social Security number in any of the following records or copies of records in any form or storage medium maintained or otherwise possessed by a court, the State Court Administrator or the Secretary of State:

          (a) A record received on or before the effective date of this 2007 Act;

          (b) A record received after the effective date of this 2007 Act if, by state or federal statute or rule, the person that submitted the record could have caused the record to be filed or maintained in a manner that protected the Social Security number from public disclosure; or

          (c) A record, regardless of the date created or received, that is:

          (A) An accusatory instrument charging a violation or crime;

          (B) A record of oral proceedings in a court;

          (C) An exhibit offered as evidence in a proceeding; or

          (D) A judgment or court order.

 

          SECTION 12. (1) Any person that owns, maintains or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.

          (2) The following shall be deemed in compliance with subsection (1) of this section:

          (a) A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.

          (b) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.

          (c) A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on the effective date of this 2007 Act.

          (d) A person that implements an information security program that includes the following:

          (A) Administrative safeguards such as the following, in which the person:

          (i) Designates one or more employees to coordinate the security program;

          (ii) Identifies reasonably foreseeable internal and external risks;

          (iii) Assesses the sufficiency of safeguards in place to control the identified risks;

          (iv) Trains and manages employees in the security program practices and procedures;

          (v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

          (vi) Adjusts the security program in light of business changes or new circumstances;

          (B) Technical safeguards such as the following, in which the person:

          (i) Assesses risks in network and software design;

          (ii) Assesses risks in information processing, transmission and storage;

          (iii) Detects, prevents and responds to attacks or system failures; and

          (iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and

          (C) Physical safeguards such as the following, in which the person:

          (i) Assesses risks of information storage and disposal;

          (ii) Detects, prevents and responds to intrusions;

          (iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and

          (iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

          (3) A person complies with subsection (2)(d)(C)(iv) of this section if the person contracts with another person engaged in the business of record destruction to dispose of personal information in a manner consistent with subsection (2)(d)(C)(iv) of this section.

          (4) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (3) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers.

 

          SECTION 13. (1) The Director of the Department of Consumer and Business Services may:

          (a) Make such public or private investigations within or outside this state as the director deems necessary to determine whether a person has violated any provision of this 2007 Act, or to aid in the enforcement of this 2007 Act.

          (b) Require or permit a person to file a statement in writing, under oath or otherwise as the director determines, as to all the facts and circumstances concerning the matter to be investigated.

          (c) Administer oaths and affirmations, subpoena witnesses, compel attendance, take evidence and require the production of books, papers, correspondence, memoranda, agreements or other documents or records that the director deems relevant or material to the inquiry. Each witness who appears before the director under a subpoena shall receive the fees and mileage provided for witnesses in ORS 44.415 (2).

          (2) If a person fails to comply with a subpoena so issued or a party or witness refuses to testify on any matters, the judge of the circuit court or of any county, on the application of the director, shall compel obedience by proceedings for contempt as in the case of disobedience of the requirements of a subpoena issued from such court or a refusal to testify therein.

          (3) If the director has reason to believe that any person has engaged or is engaging in any violation of this 2007 Act, the director may issue an order, subject to ORS chapter 183, directed to the person to cease and desist from the violation, or require the person to pay compensation to consumers injured by the violation. The director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical.

          (4)(a) In addition to all other penalties and enforcement provisions provided by law, any person who violates or who procures, aids or abets in the violation of this 2007 Act shall be subject to a penalty of not more than $1,000 for every violation, which shall be paid to the General Fund of the State Treasury.

          (b) Every violation is a separate offense and, in the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

          (c) Civil penalties under this section shall be imposed as provided in ORS 183.745.

 

          SECTION 14. In accordance with ORS chapter 183, the Director of the Department of Consumer and Business Services may adopt rules for the purpose of carrying out the provisions of this 2007 Act.

 

          SECTION 15. Notwithstanding ORS 705.145 (2), (3) and (5), the Director of the Department of Consumer and Business Services can allocate as deemed appropriate the moneys derived pursuant to ORS 646.382 to 646.398, 650.005 to 650.100, 697.005 to 697.095, 697.602 to 697.842, 705.350 and 717.200 to 717.320 and 731.804 and ORS chapters 59, 645, 706 to 716, 722, 723, 725 and 726 to implement this 2007 Act.

 

          SECTION 16. Section 12 of this 2007 Act becomes operative on January 1, 2008.

 

          SECTION 17. Notwithstanding any other law limiting expenditures, the limitation on expenditures established by section 1, chapter 215, Oregon Laws 2007 (Enrolled House Bill 5014), for the biennium beginning July 1, 2007, as the maximum limit for payment of expenses from fees, money or other revenues, including Miscellaneous Receipts, but excluding lottery funds and federal funds, collected or received by the Department of Consumer and Business Services, is increased by $202,017 for the purpose of carrying out the provisions of this 2007 Act.

 

          SECTION 18. This 2007 Act being necessary for the immediate preservation of the public peace, health and safety, an emergency is declared to exist, and this 2007 Act takes effect October 1, 2007.

 

Approved by the Governor July 12, 2007

 

Filed in the office of Secretary of State July 16, 2007

 

Effective date October 1, 2007
