Oregon Statutes - Chapter 646A - Trade Regulation - Section 646A.622 - Requirement to develop safeguards for personal information; conduct deemed to comply with requirement.

(1) Any person that owns, maintains or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.

(2) The following shall be deemed in compliance with subsection (1) of this section:

(a) A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.

(b) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on October 1, 2007.

(c) A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on October 1, 2007.

(d) A person that implements an information security program that includes the following:

(A) Administrative safeguards such as the following, in which the person:

(i) Designates one or more employees to coordinate the security program;

(ii) Identifies reasonably foreseeable internal and external risks;

(iii) Assesses the sufficiency of safeguards in place to control the identified risks;

(iv) Trains and manages employees in the security program practices and procedures;

(v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(vi) Adjusts the security program in light of business changes or new circumstances;

(B) Technical safeguards such as the following, in which the person:

(i) Assesses risks in network and software design;

(ii) Assesses risks in information processing, transmission and storage;

(iii) Detects, prevents and responds to attacks or system failures; and

(iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and

(C) Physical safeguards such as the following, in which the person:

(i) Assesses risks of information storage and disposal;

(ii) Detects, prevents and responds to intrusions;

(iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and

(iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

(3) A person complies with subsection (2)(d)(C)(iv) of this section if the person contracts with another person engaged in the business of record destruction to dispose of personal information in a manner consistent with subsection (2)(d)(C)(iv) of this section.

(4) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers. [2007 c.759 §12]


Last modified: August 7, 2008