Protection of Personal Information in the Workplace

October, 2007

The Oregon Consumer Identity Theft Protection Act - passed by the 2007 legislature - provides Oregon businesses and government with clear direction and expectations to ensure the safety of the personal identifying information they maintain both for consumers and for employees. Already in effect as of October 1, 2007, is a section of the law that prohibits anyone from printing Social Security numbers on cards or documents or publicly displaying or posting a Social Security number. This does not apply to the use of SSNs for internal verification purposes.

As of January 1, 2008, any organization that maintains personal information of Oregon consumers or employees will be required to develop, implement, and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.
All organizations will also be required to notify customers or employees if computer files containing personal information have been subject to a security breach. The notification must be done as soon as possible. Organizations are required to give notice in writing, by electronic notification (if that is the customary means of communication between the organization and the customer/employee), or by telephone if the notice is given directly to the customer/employee.

"Personal information" includes a person's name in combination with a Social Security number, Oregon driver's license number or Oregon identification card, financial, credit or debit card number along with a security or access code or password that would allow someone access to a consumer's financial account.

All organizations are subject to this act with respect to their employees. Even organizations that are subject to the Gramm-Leach-Bliley Act or HIPAA with respect to their customers must comply with the new Oregon Consumer Identity Theft Protection Act in maintaining safeguards to protect employee information and in following Oregon's notification requirements in the event of a breach of employee information.

The Department of Consumer and Business Services will enforce these new laws.

