Oregon Consumer Information Protection Act (OR Rev Stat § 646A.600 - § 646A.628)



Oregon Revised Statutes

Volume: 16 - Trade Practices, Labor and Employment

Chapter 646A - Trade Regulation

IDENTITY THEFT PREVENTION

Section 646A.600 - Short title.

Section 646A.602 - Definitions for ORS 646A.600 to 646A.628.

Section 646A.604 - Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement.

Section 646A.606 - Security freeze; requirements; proof of authority; effect.

Section 646A.608 - Deadline for placing security freeze; protective record creation; use and release of information; confirmation; personal identification number; exception; lifting and removal.

Section 646A.610 - Fees not permitted.

Section 646A.612 - Conditions for lifting or removing security freeze.

Section 646A.614 - Effect of security freeze on use of consumer reports or protective records.

Section 646A.616 - Effect of request for consumer report subject to security freeze.

Section 646A.618 - Prohibition on changes to consumer report subject to security freeze; entities subject to requirement to place security freeze.

Section 646A.620 - Prohibition on printing, displaying or posting Social Security numbers; exemptions.

Section 646A.622 - Requirement to develop safeguards for personal information; conduct deemed to comply with requirement; defenses.

Section 646A.624 - Powers of director; penalties.

Section 646A.626 - Rules.

Section 646A.628 - Allocation of moneys.


§ 646A.600 - Short title.

ORS 646A.600 to 646A.628 shall be known as the Oregon Consumer Information Protection Act. [2007 c.759 §1; 2019 c.180 §1]


§ 646A.602 - Definitions for ORS 646A.600 to 646A.628.

As used in ORS 646A.600 to 646A.628:

(1)(a) "Breach of security" means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.

(b) "Breach of security" does not include an inadvertent acquisition of personal information by a person or the person’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

(2) "Consumer" means an individual resident of this state.

(3) "Consumer report" means a consumer report as described in section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)), as that Act existed on January 1, 2020, that a consumer reporting agency compiles and maintains.

(4) "Consumer reporting agency" means a consumer reporting agency as described in section 603(p) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on January 1, 2020.

(5)(a) "Covered entity" means a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.

(b) "Covered entity" does not include a person described in paragraph (a) of this subsection to the extent that the person acts solely as a vendor.

(6) "Debt" means any obligation or alleged obligation arising out of a consumer transaction.

(7) "Encryption" means an algorithmic process that renders data unreadable or unusable without the use of a confidential process or key.

(8) "Extension of credit" means a right to defer paying debt or a right to incur debt and defer paying the debt, that is offered or granted primarily for personal, family or household purposes.

(9) "Identity theft" has the meaning set forth in ORS 165.800.

(10) "Identity theft declaration" means a completed and signed statement that documents alleged identity theft, using a form available from the Federal Trade Commission, or another substantially similar form.

(11) "Person" means an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.

(12)(a) "Personal information" means:

(A) A consumer’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired:

(i) A consumer’s Social Security number;

(ii) A consumer’s driver license number or state identification card number issued by the Department of Transportation;

(iii) A consumer’s passport number or other identification number issued by the United States;

(iv) A consumer’s financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account;

(v) Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;

(vi) A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or

(vii) Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

(B) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

(C) Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer’s user name, or the consumer’s first name or first initial and last name, if:

(i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and

(ii) The data element or combination of data elements would enable a person to commit identity theft against a consumer.

(b) "Personal information" does not include information in a federal, state or local government record, other than a Social Security number, that is lawfully made available to the public.

(13) "Proper identification" means written information or documentation that a consumer or representative can present to another person as evidence of the consumer’s or representative’s identity, examples of which include:

(a) A valid Social Security number or a copy of a valid Social Security card;

(b) A certified or otherwise official copy of a birth certificate that a governmental body issued; and

(c) A copy of a driver license or other government-issued identification.

(14) "Protected consumer" means an individual who is:

(a) Not older than 16 years old at the time a representative requests a security freeze on the individual’s behalf; or

(b) Incapacitated or for whom a court or other authority has appointed a guardian or conservator.

(15) "Protective record" means information that a consumer reporting agency compiles to identify a protected consumer for whom the consumer reporting agency has not prepared a consumer report.

(16) "Redacted" means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, passport number or other number issued by the United States, financial account number, credit card number or debit card number is visible or accessible.

(17) "Representative" means a consumer who provides a consumer reporting agency with sufficient proof of the consumer’s authority to act on a protected consumer’s behalf.

(18) "Security freeze" means a notice placed in a consumer report at a consumer’s request or a representative’s request or in a protective record at a representative’s request that, subject to certain exemptions, prohibits a consumer reporting agency from releasing information in the consumer report or the protective record for an extension of credit, unless the consumer temporarily lifts the security freeze on the consumer’s consumer report or a protected consumer or representative removes the security freeze on or deletes the protective record.

(19) "Vendor" means a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity. [2007 c.759 §2; 2013 c.415 §1; 2015 c.357 §1; 2018 c.10 §1; 2019 c.180 §2]


§ 646A.604 - Notice of breach of security; delay; methods of notification; contents of notice; application of notice requirement.

(1) If a covered entity is subject to a breach of security or receives notice of a breach of security from a vendor, the covered entity shall give notice of the breach of security to:

(a) The consumer to whom the personal information pertains.

(b) The Attorney General, either in writing or electronically, if the number of consumers to whom the covered entity must send the notice described in paragraph (a) of this subsection exceeds 250.

(2)(a) A vendor that discovers a breach of security or has reason to believe that a breach of security has occurred shall notify a covered entity with which the vendor has a contract as soon as is practicable but not later than 10 days after discovering the breach of security or having a reason to believe that the breach of security occurred.

(b) If a vendor has a contract with another vendor that, in turn, has a contract with a covered entity, the vendor shall notify the other vendor of a breach of security as provided in paragraph (a) of this subsection.

(c) A vendor shall notify the Attorney General in writing or electronically if the vendor was subject to a breach of security that involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine. This paragraph does not apply to the vendor if the covered entity described in paragraph (a) or (b) of this subsection has notified the Attorney General in accordance with the requirements of this section.

(3)(a) A covered entity shall give notice of a breach of security in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach of security.

(b) Before providing the notice described in paragraph (a) of this subsection, a covered entity shall undertake reasonable measures that are necessary to:

(A) Determine sufficient contact information for the intended recipient of the notice;

(B) Determine the scope of the breach of security; and

(C) Restore the reasonable integrity, security and confidentiality of the personal information.

(c) A covered entity may delay giving the notice described in paragraph (a) of this subsection only if a law enforcement agency determines that a notification will impede a criminal investigation and if the law enforcement agency requests in writing that the covered entity delay the notification.

(4) A covered entity may notify a consumer of a breach of security:

(a) In writing;

(b) Electronically, if the covered entity customarily communicates with the consumer electronically or if the notice is consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) as that Act existed on January 1, 2020;

(c) By telephone, if the covered entity contacts the affected consumer directly; or

(d) With substitute notice, if the covered entity demonstrates that the cost of notification otherwise would exceed $250,000 or that the affected class of consumers exceeds 350,000, or if the covered entity does not have sufficient contact information to notify affected consumers. For the purposes of this paragraph, "substitute notice" means:

(A) Posting the notice or a link to the notice conspicuously on the covered entity’s website if the covered entity maintains a website; and

(B) Notifying major statewide television and newspaper media.

(5) Notice under this section must include, at a minimum:

(a) A description of the breach of security in general terms;

(b) The approximate date of the breach of security;

(c) The type of personal information that was subject to the breach of security;

(d) Contact information for the covered entity;

(e) Contact information for national consumer reporting agencies; and

(f) Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.

(6) If a covered entity discovers or receives notice of a breach of security that affects more than 1,000 consumers, the covered entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notice the covered entity gave to affected consumers and shall include in the notice any police report number assigned to the breach of security. A covered entity may not delay notifying affected consumers of a breach of security in order to notify consumer reporting agencies.

(7)(a) If a covered entity must notify a consumer of a breach of security under this section, and in connection with the notification the covered entity or an agent or affiliate of the covered entity offers to provide credit monitoring services or identity theft prevention and mitigation services without charge to the consumer, the covered entity, the agent or the affiliate may not condition the provision of the services on the consumer’s providing the covered entity, the agent or the affiliate with a credit or debit card number or on the consumer’s acceptance of any other service the covered entity offers to provide for a fee.

(b) If a covered entity or an agent or affiliate of the covered entity offers additional credit monitoring services or identity theft prevention and mitigation services for a fee to a consumer under the circumstances described in paragraph (a) of this subsection, the covered entity, the agent or the affiliate must separately, distinctly, clearly and conspicuously disclose in the offer for the additional credit monitoring services or identity theft prevention and mitigation services that the covered entity, the agent or the affiliate will charge the consumer a fee.

(c) The terms and conditions of any contract under which one person offers or provides credit monitoring services or identity theft prevention and mitigation services on behalf of another person under the circumstances described in paragraph (a) of this subsection must require compliance with the requirements of paragraphs (a) and (b) of this subsection.

(8) Notwithstanding subsection (1) of this section, a covered entity does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the covered entity reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. The covered entity must document the determination in writing and maintain the documentation for at least five years.

(9) This section does not apply to:

(a) Personal information that is subject to, and a person that complies with, notification requirements or procedures for a breach of security that the person’s primary or functional federal regulator adopts, promulgates or issues in rules, regulations, procedures, guidelines or guidance, if the personal information and the person would otherwise be subject to ORS 646A.600 to 646A.628.

(b) Personal information that is subject to, and a person that complies with, a state or federal law that provides greater protection to personal information and disclosure requirements at least as thorough as the protections and disclosure requirements provided under this section.

(c) A covered entity or vendor that complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to that Act.

(d) A covered entity or vendor that complies with regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, 110 Stat. 1936) and the Health Information Technology for Economic and Clinical Health Act of 2009 (P.L. 111-5, Title XIII, 123 Stat. 226), as those Acts existed on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to those Acts.

(10) Notwithstanding the exemptions set forth in subsection (9) of this section, a person, a covered entity or a vendor shall provide to the Attorney General within a reasonable time at least one copy of any notice the person, the covered entity or the vendor sends to consumers or to the person’s, the covered entity’s or the vendor’s primary or functional regulator in compliance with this section or with other state or federal laws or regulations that apply to the person, the covered entity or the vendor as a consequence of a breach of security, if the breach of security affects more than 250 consumers.

(11)(a) A person’s violation of a provision of ORS 646A.600 to 646A.628 is an unlawful practice under ORS 646.607.

(b) A covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not developed, implemented and maintained reasonable safeguards to protect the security, confidentiality and integrity of personal information that is subject to ORS 646A.600 to 646A.628 but is not subject to an Act described in subsection (9)(c) or (d) of this section by showing that, with respect to the personal information that is subject to ORS 646A.600 to 646A.628, the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.

(c) The rights and remedies available under this section are cumulative and are in addition to any other rights or remedies that are available under law. [2007 c.759 §3; 2015 c.357 §2; 2018 c.10 §2; 2019 c.180 §3]


§ 646A.606 - Security freeze; requirements; proof of authority; effect.

(1) A consumer may elect to place a security freeze on the consumer’s consumer report or, if the consumer is a representative, on a protected consumer’s consumer report or protective record by sending a written request to a consumer reporting agency at an address the agency designates to receive such requests, or a secure electronic request at a website the agency designates to receive such requests if the consumer reporting agency, at the agency’s discretion, makes a secure electronic method available.

(2) If the consumer or protected consumer is the victim of identity theft or has reported a theft of personal information to a law enforcement agency, the consumer or representative may include a copy of the police report, incident report or identity theft declaration.

(3)(a) The consumer or representative must provide proper identification.

(b)(A) In addition to the information described in paragraph (a) of this subsection, a representative who seeks to place a security freeze on a protected consumer’s consumer report or protective record shall provide sufficient proof of the representative’s authority to act on the protected consumer’s behalf.

(B) For purposes of subparagraph (A) of this paragraph, sufficient proof of authority consists of:

(i) A court order that identifies or describes the relationship between the representative and the protected consumer;

(ii) A valid and lawfully executed power of attorney that permits the representative to act on the protected consumer’s behalf; or

(iii) A written affidavit that the representative signs and has notarized in which the representative expressly describes the relationship between the representative and the protected consumer and the representative’s authority to act on the protected consumer’s behalf.

(4)(a) Except as provided in ORS 646A.614, if a security freeze is in place for a consumer report, information from the consumer report may not be released without prior express authorization from the consumer.

(b) Information from a protective record may not be released until the protected consumer for whom the consumer reporting agency created the protective record, or a representative of the protected consumer, removes the security freeze.

(5) This section does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer report or protective record. [2007 c.759 §4; 2013 c.415 §2; 2018 c.10 §3]


§ 646A.608 - Deadline for placing security freeze; protective record creation; use and release of information; confirmation; personal identification number; exception; lifting and removal.

(1)(a) A consumer reporting agency shall place a security freeze on a consumer report not later than five business days after receiving from a consumer:

(A) The request described in ORS 646A.606 (1); and

(B) Proper identification.

(b) If a consumer report does not exist for a protected consumer on behalf of whom a representative seeks to place a security freeze, a consumer reporting agency shall create a protective record after receiving from the representative the request described in ORS 646A.606 (1), proper identification for both the representative and the protected consumer and sufficient proof of authority, as described in ORS 646A.606 (3)(b). After creating a protective record for a protected consumer under this paragraph, the consumer reporting agency shall place the security freeze that the representative requested on the protected consumer’s protective record.

(c) The protective record that the consumer reporting agency creates under paragraph (b) of this subsection does not need to contain any information other than the protected consumer’s personal information, if other information for the protected consumer is not available. Except as provided in ORS 646A.614, a consumer reporting agency may not use or release to another person the information in a protective record for the purpose of assessing a protected consumer’s eligibility or capacity for an extension of credit, as a basis for evaluating a protected consumer’s character, reputation or personal characteristics or for other purposes that are not related to protecting the protected consumer from identity theft.

(2)(a) A consumer reporting agency shall send a written confirmation of a security freeze on a consumer’s consumer report to the consumer at the last known address for the consumer shown in the consumer report that the consumer reporting agency maintains, within 10 business days after placing the security freeze and, with the confirmation, shall provide the consumer with a unique personal identification number or password or similar device the consumer must use to authorize the consumer reporting agency to release the consumer’s consumer report for a specific period of time or to permanently remove the security freeze. The consumer reporting agency shall include with the written confirmation information that describes how to remove a security freeze and how to temporarily lift a security freeze on a consumer report, other than a consumer report for a protected consumer, in order to allow access to information from the consumer’s consumer report for a period of time while the security freeze is in place.

(b) This subsection does not require a consumer reporting agency to provide a consumer or representative with a personal identification number or password for the consumer or representative to use to authorize the consumer reporting agency to release information from a protective record.

(3)(a) If a consumer wishes to allow the consumer’s consumer report to be accessed for a specific period of time while a security freeze is in effect, the consumer shall contact the consumer reporting agency using a point of contact the consumer reporting agency designates, request that the security freeze be temporarily lifted and provide the following:

(A) Proper identification;

(B) The unique personal identification number or password or similar device the consumer reporting agency provided under subsection (2) of this section; and

(C) An indication of the period of time during which the consumer report must be available to users of the consumer report.

(b) A protective record is not subject to a temporary lift of a security freeze.

(c) Except as provided in ORS 646A.612 (2)(a), a consumer report for a protected consumer is not subject to a temporary lift of a security freeze.

(4) A consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a consumer report, other than a consumer report for a protected consumer, under subsection (3) of this section shall comply with the request not later than three business days after receiving from the consumer:

(a) Proper identification;

(b) The unique personal identification number or password or similar device the consumer reporting agency provided under subsection (2) of this section; and

(c) An indication of the period of time during which the consumer report must be available to users of the consumer report.

(5)(a) A security freeze for a consumer report must remain in place until the consumer requests, using a point of contact the consumer reporting agency designates, that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days after receiving a request for removal from the consumer, who provides:

(A) Proper identification; and

(B) The unique personal identification number or password or similar device the consumer reporting agency provided under subsection (2) of this section.

(b) A security freeze for a protective record must remain in place until the protected consumer or a representative requests, using a point of contact the consumer reporting agency designates, that the security freeze be removed or that the protective record be deleted. The consumer reporting agency does not have an affirmative duty to notify the protected consumer or the representative that a security freeze is in place or to remove the security freeze or delete the protective record once the protected consumer is no longer a protected consumer. A protected consumer or a representative has the affirmative duty to request that the consumer reporting agency remove the security freeze or delete the protective record. A consumer reporting agency shall remove a security freeze or delete a protective record within 30 business days after receiving a request for removal or deletion from the protected consumer or a representative, who provides:

(A) Proper identification;

(B) Sufficient proof of authority, as described in ORS 646A.606 (3)(b), if the representative seeks to remove the security freeze or delete the protective record; and

(C) Proof that the representative’s authority to act on the protected consumer’s behalf is no longer valid or applicable, if the protected consumer seeks to remove the security freeze or delete the protective record. [2007 c.759 §5; 2013 c.415 §3; 2018 c.10 §4]


§ 646A.610 - Fees not permitted.

A consumer reporting agency may not charge a consumer a fee or collect from a consumer any money or item of value for:

(1) Placing, temporarily lifting or removing a security freeze on the consumer’s consumer report.

(2) Creating or deleting a protective record.

(3) Placing or removing a security freeze on a protective record for a protected consumer.

(4) Replacing a lost personal identification number, password or similar device the consumer reporting agency previously provided to the consumer. [2007 c.759 §6; 2013 c.415 §4; 2018 c.10 §5]


§ 646A.612 - Conditions for lifting or removing security freeze.

(1)(a) A consumer reporting agency shall temporarily lift or remove a security freeze placed on a consumer report only if a consumer requests that the consumer reporting agency lift or remove the security freeze for the consumer report in accordance with ORS 646A.608.

(b) A consumer reporting agency shall remove a security freeze from a protected consumer’s consumer report or protective record or delete a protective record only if the protected consumer or a representative requests that the consumer reporting agency remove the security freeze from the consumer report or protective record or delete the protective record in accordance with ORS 646A.608.

(2)(a) A consumer reporting agency may temporarily lift or remove a security freeze placed on a consumer report if the security freeze was placed because of a consumer’s, a protected consumer’s or a representative’s material misrepresentation of fact.

(b) A consumer reporting agency may remove a security freeze from or delete a protective record if the consumer reporting agency placed the security freeze or created the protective record as a result of the protected consumer’s or the representative’s material misrepresentation of fact.

(c) If a consumer reporting agency intends to remove a security freeze or delete a protective record under this subsection, the consumer reporting agency shall notify the consumer, protected consumer or representative, as appropriate, in writing at least five business days before removing the security freeze or deleting the protective record. [2007 c.759 §7; 2013 c.415 §5]


§ 646A.614 - Effect of security freeze on use of consumer reports or protective records.

(1) The provisions of ORS 646A.606 to 646A.610 do not apply to the use of a consumer report or a protective record by or for any of the following:

(a) A person, or the person’s subsidiary, affiliate, agent or assignee with which the consumer or protected consumer has or, prior to assignment, had an account, contract or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract or debtor-creditor relationship. For purposes of this subsection, "reviewing the account" includes activities related to account maintenance, monitoring, credit line increases and account upgrades and enhancements.

(b) Any person acting pursuant to a judgment, court order, warrant or subpoena.

(c) A federal, state or local governmental entity, a law enforcement agency or court, or an agent or assignee of the federal, state or local governmental entity, law enforcement agency or court, for the purpose of investigating fraud or investigating or collecting delinquent taxes, unpaid judgments or court orders or acting otherwise to fulfill statutory or regulatory duties, if the activities or statutory or regulatory duties are consistent with a permissible purpose under section 604 of the federal Fair Credit Reporting Act (15 U.S.C. 1681b) as that Act existed on October 1, 2007.

(d) The use of credit information for the purposes of prescreening in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) as that Act existed on October 1, 2007.

(e) Any person for the sole purpose of providing a credit file monitoring subscription service, or similar service to which the consumer or protected consumer has subscribed or to which a representative has subscribed on behalf of the protected consumer.

(f) A consumer reporting agency for the sole purpose of providing a consumer, a protected consumer or a representative with a copy of the consumer’s or protected consumer’s consumer report upon the consumer’s, protected consumer’s or representative’s request.

(g) Any person or entity for the purpose of setting or adjusting rates, for handling claims or underwriting for insurance purposes, to the extent permitted by law.

(h) A subsidiary, affiliate, agent, assignee or prospective assignee of a person to whom access has been granted under ORS 646A.608 (3) for purposes of facilitating the extension of credit or other permissible use.

(i) A child support agency acting pursuant to Title IV-D of the Social Security Act (42 U.S.C. 651 et seq.) as that Act existed on October 1, 2007.

(j) A person for the sole purpose of screening an applicant for a residential dwelling unit as described in ORS 90.295 (1).

(2) The provisions of ORS 646A.606 to 646A.610 do not apply to a protective record used:

(a) By an entity listed in ORS 646A.618 (2); or

(b) For purposes other than an extension of credit, including:

(A) Compiling a criminal record;

(B) Detecting or preventing fraud;

(C) Compiling a personal loss history; or

(D) Screening an applicant for employment, tenancy or other background checking purposes. [2007 c.759 §8; 2013 c.415 §6]

 

§ 646A.616 - Effect of request for consumer report subject to security freeze.

If a third party requests access to a consumer report on which a security freeze is in effect, the request is in connection with an application for credit or any other use, the consumer does not allow the consumer’s consumer report to be accessed for that period of time, and the third party cannot obtain the consumer report through ORS 646A.614, the third party may treat the application as incomplete. [2007 c.759 §9]

 

§ 646A.618 - Prohibition on changes to consumer report subject to security freeze; entities subject to requirement to place security freeze.

(1) If a security freeze is in place, a consumer reporting agency shall not change any of the following official information in a consumer credit report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer’s report: name, date of birth, Social Security number and address. Written confirmation is not required for technical modifications of a consumer’s official information, including name and street abbreviations, complete spellings or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

(2) The following entities are not required to place a security freeze on a credit report:

(a) A consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a database of credit information from which new consumer credit reports are produced. However, a consumer reporting agency acting as a reseller shall honor any security freeze placed on a consumer report by another consumer reporting agency.

(b) A check services or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers or similar methods of payments.

(c) A deposit account information service company that issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution. [2007 c.759 §10]

 

§ 646A.620 - Prohibition on printing, displaying or posting Social Security numbers; exemptions.

(1) Except as otherwise specifically provided by law, a person may not:

(a) Print a consumer’s Social Security number on mail to the consumer that is:

(A) Material the consumer did not request; or

(B) Part of any documentation the consumer requested for a transaction or service, unless the Social Security number is redacted.

(b) Print a consumer’s Social Security number on any card required for the consumer to access products or services provided by the person.

(c) Publicly post or publicly display a consumer’s Social Security number unless the Social Security number is redacted. As used in this paragraph, "publicly post or publicly display" means to communicate or otherwise make available to the public.

(d) Dispose of, or transfer to another person for disposal, material or media that display a consumer’s Social Security number unless the person makes the Social Security number unreadable or unrecoverable or ensures that any person that ultimately disposes of the material or media makes the Social Security number unreadable or unrecoverable.

(2) This section does not prevent the collection, use or release of a Social Security number as required by state or federal law or rule adopted by the Chief Justice of the Supreme Court, the Chief Judge of the Court of Appeals or the judge of the Oregon Tax Court and does not prevent the use or printing of a Social Security number for internal verification or administrative purposes or to enforce a judgment or court order.

(3) This section does not apply to records that must be made available to the public under state or federal law or rule adopted by the Chief Justice of the Supreme Court, the Chief Judge of the Court of Appeals or the judge of the Oregon Tax Court.

(4) This section does not apply to a Social Security number in any of the following records or copies of records in any form or storage medium maintained or otherwise possessed by a court, the State Court Administrator or the Secretary of State:

(a) A record received on or before October 1, 2007;

(b) A record received after October 1, 2007, if, by state or federal statute or rule, the person that submitted the record could have caused the record to be filed or maintained in a manner that protected the Social Security number from public disclosure; or

(c) A record, regardless of the date created or received, that is:

(A) An accusatory instrument charging a violation or crime;

(B) A record of oral proceedings in a court;

(C) An exhibit offered as evidence in a proceeding; or

(D) A judgment or court order. [2007 c.759 §11; 2017 c.254 §1]

 

§ 646A.622 - Requirement to develop safeguards for personal information; conduct deemed to comply with requirement; defenses.

(1) A covered entity and a vendor shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information.

(2) A covered entity or vendor complies with subsection (1) of this section if the covered entity or vendor:

(a) Complies with a state or federal law that provides greater protection to personal information than the protections that this section provides.

(b) Complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as in effect on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to the Act.

(c) Complies with regulations that implement the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) and the Health Information Technology for Economic and Clinical Health Act of 2009 (P.L. 111-5, Title XIII, 123 Stat. 226), as those Acts were in effect on January 1, 2020, if personal information that is subject to ORS 646A.600 to 646A.628 is also subject to those Acts.

(d) Implements an information security program that includes:

(A) Administrative safeguards such as:

(i) Designating one or more employees to coordinate the security program;

(ii) Identifying reasonably foreseeable internal and external risks with reasonable regularity;

(iii) Assessing whether existing safeguards adequately control the identified risks;

(iv) Training and managing employees in security program practices and procedures with reasonable regularity;

(v) Selecting service providers that are capable of maintaining appropriate safeguards and practices, and requiring the service providers by contract to maintain the safeguards and practices;

(vi) Adjusting the security program in light of business changes, potential threats or new circumstances; and

(vii) Reviewing user access privileges with reasonable regularity;

(B) Technical safeguards such as:

(i) Assessing risks and vulnerabilities in network and software design and taking reasonably timely action to address the risks and vulnerabilities;

(ii) Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;

(iii) Monitoring, detecting, preventing and responding to attacks or system failures; and

(iv) Regularly testing, monitoring and taking action to address the effectiveness of key controls, systems and procedures; and

(C) Physical safeguards such as:

(i) Assessing, in light of current technology, risks of information collection, storage, usage, retention, access and disposal and implementing reasonable methods to remedy or mitigate identified risks;

(ii) Monitoring, detecting, preventing, isolating and responding to intrusions timely and with reasonable regularity;

(iii) Protecting against unauthorized access to or use of personal information during or after collecting, using, storing, transporting, retaining, destroying or disposing of the personal information; and

(iv) Disposing of personal information, whether the covered entity or vendor disposes of the personal information on or off the covered entity’s or vendor’s premises or property, after the covered entity or vendor no longer needs the personal information for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

(3) A covered entity or vendor complies with subsection (2)(d)(C)(iv) of this section if the covered entity or vendor contracts with another person engaged in the business of record destruction to dispose of personal information in a manner that is consistent with subsection (2)(d)(C)(iv) of this section.

(4) A covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not complied with subsection (1) of this section with respect to personal information that is subject to ORS 646A.600 to 646A.628 but is not subject to an Act described in subsection (2)(b) or (c) of this section by showing that, with respect to the personal information that is subject to ORS 646A.600 to 646A.628, the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.

(5) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers. [2007 c.759 §12; 2015 c.357 §3; 2018 c.10 §6; 2019 c.180 §4]

 

§ 646A.624 - Powers of director; penalties.

(1) The Director of the Department of Consumer and Business Services may:

(a) Make such public or private investigations within or outside this state as the director deems necessary to determine whether a person has violated any provision of ORS 646A.600 to 646A.628, or to aid in the enforcement of ORS 646A.600 to 646A.628.

(b) Require or permit a person to file a statement in writing, under oath or otherwise as the director determines, as to all the facts and circumstances concerning the matter to be investigated.

(c) Administer oaths and affirmations, subpoena witnesses, compel attendance, take evidence and require the production of books, papers, correspondence, memoranda, agreements or other documents or records that the director deems relevant or material to the inquiry. Each witness who appears before the director under a subpoena shall receive the fees and mileage provided for witnesses in ORS 44.415 (2).

(2) If a person fails to comply with a subpoena so issued or a party or witness refuses to testify on any matters, the judge of the circuit court or of any county, on the application of the director, shall compel obedience by proceedings for contempt as in the case of disobedience of the requirements of a subpoena issued from such court or a refusal to testify therein.

(3) If the director has reason to believe that any person has engaged or is engaging in any violation of ORS 646A.600 to 646A.628, the director may issue an order, subject to ORS chapter 183, directed to the person to cease and desist from the violation, or require the person to pay compensation to consumers injured by the violation. The director may order compensation to consumers only upon a finding that enforcement of the rights of the consumers by private civil action would be so burdensome or expensive as to be impractical.

(4)(a) In addition to all other penalties and enforcement provisions provided by law, any person who violates or who procures, aids or abets in the violation of ORS 646A.600 to 646A.628 shall be subject to a penalty of not more than $1,000 for every violation, which shall be paid to the General Fund of the State Treasury.

(b) Every violation is a separate offense and, in the case of a continuing violation, each day’s continuance is a separate violation, but the maximum penalty for any occurrence shall not exceed $500,000.

(c) Civil penalties under this section shall be imposed as provided in ORS 183.745. [2007 c.759 §13]

 

§ 646A.626 - Rules.

In accordance with ORS chapter 183, the Director of the Department of Consumer and Business Services may adopt rules for the purpose of carrying out the provisions of ORS 646A.600 to 646A.628. [2007 c.759 §14]

 

§ 646A.628 - Allocation of moneys.

Notwithstanding ORS 705.145 (2), (3) and (5), the Director of the Department of Consumer and Business Services can allocate as deemed appropriate the moneys derived pursuant to ORS 86A.095 to 86A.198, 86A.990, 86A.992, 650.005 to 650.100, 697.005 to 697.095, 697.602 to 697.842, 705.350 and 717.200 to 717.320 and 731.804 and ORS chapters 59, 645, 706 to 716, 723, 725 and 726 to implement ORS 646A.600 to 646A.628. [2007 c.759 §15; 2009 c.541 §23; 2009 c.604 §24]

 

Note: Sections 1, 4 and 5, chapter 305, Oregon Laws 2021, provide:

 

Sec. 1. (1) As used in this section:

(a)(A) "Affirmative express consent" means an affirmative act by a resident individual that clearly and conspicuously communicates the resident individual’s authorization for a covered organization to perform an act or practice.

(B) "Affirmative express consent" does not include a resident individual’s acceptance of a general or broad terms of use document, or similar document, that contains descriptions of personal health data collection along with other unrelated information.

(b)(A) "Covered organization" means a person that collects, uses or discloses personal health data or that develops or operates a website, web application, mobile application, mobile operating system feature or other electronic method by means of which the person may collect, use or disclose personal health data.

(B) "Covered organization" does not include:

(i) A member of the resident individual’s household;

(ii) An agency, employee, agent, designee, affiliate, associate or contractor of a federal, state, local or tribal governmental body that under legal authorization and for public health purposes, including preventing disease, injury or disability, may collect, receive, observe, discover or investigate personal health data;

(iii) A health care provider, as defined in ORS 433.443; or

(iv) A covered entity or business associate, both as defined in 45 C.F.R. 160.103, as in effect on the effective date of this 2021 Act [June 15, 2021], to the extent that the covered entity or business associate is engaged in activities that are subject to regulation under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, or regulations adopted under the Act and codified as 45 C.F.R. parts 160 and 164, as in effect on the effective date of this 2021 Act.

(c) "Disclose" means to release, transfer, sell, share, provide access to, license or otherwise divulge to another person.

(d) "Emergency period" means a period that begins on the date on which the Governor has declared an emergency related to the COVID-19 pandemic and ends on a date 180 days after the Governor terminates the declaration or the declaration expires.

(e)(A) "Geolocation data" means information generated by or derived from technology that directly identifies the location of a natural person within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, including but not limited to:

(i) Level latitude and longitude coordinates from a global positioning system;

(ii) Cell site-location information; and

(iii) Triangulation data derived from nearby wireless or radio frequency networks.

(B) "Geolocation data" does not include the content of communications.

(f)(A) "Personal health data" means information that is collected for the purpose of tracking, monitoring or tracing exposures to or infections by SARS-CoV-2 or development of disease conditions caused by or related to COVID-19 and that identifies or can reasonably be used to identify a resident individual and associate the resident individual’s personal identity with:

(i) Exposure to or infection by SARS-CoV-2 or development of symptoms of or a disease condition caused by or related to COVID-19;

(ii) Tests or examinations or requests for tests and examinations for exposure to SARS-CoV-2, including tests or examinations of body parts or bodily substances;

(iii) Receipt of medical care or medical services related to exposure to SARS-CoV-2 or symptoms or development of COVID-19;

(iv) Predisposition toward developing a disease condition that results from exposure to or infection by SARS-CoV-2;

(v) Whether the resident individual has received a vaccination against COVID-19; or

(vi) Other data, including geolocation data, that tracks, monitors or traces a resident individual’s exposure to or infection by SARS-CoV-2 or development of a disease condition caused by or related to COVID-19.

(B) "Personal health data" does not include information about a resident individual that:

(i) Is lawfully available to the public from federal, state or local government records or widely available to the public from sources such as telephone directories, the internet, news media or similar or related sources;

(ii) Was collected before the emergency period for purposes other than tracking, monitoring or tracing a resident individual’s exposure to or infection by SARS-CoV-2 or development of a disease condition caused by or related to COVID-19;

(iii) Has been deidentified in accordance with 45 C.F.R. 164.514(b), as in effect on the effective date of this 2021 Act;

(iv) Was collected in an employment context; or

(v) Is collected after the expiration or termination of the emergency period.

(g) "Resident individual" means a natural person who resides in this state.

(h) "Service provider" means a person that collects, uses or discloses personal health data solely for the purpose of providing business services to, on behalf of, or for the benefit of a covered organization in accordance with instructions or direction from, or under the terms and conditions of a contract with, the covered organization.

(2)(a) Except as provided in paragraph (b) of this subsection, a covered organization may not collect, use or disclose personal health data about a resident individual who has not given affirmative express consent to the covered organization’s collection, use or disclosure of the resident individual’s personal health data. In obtaining affirmative express consent from a resident individual, a covered organization may not:

(A) Use a method that is designed with the purpose of, or that has the substantial effect of, subverting or impairing a resident individual’s decision-making or choice; and

(B) Infer consent from a resident individual’s inaction.

(b) A covered organization may collect, use or disclose personal health data without a resident individual’s affirmative express consent if the collection, use or disclosure is necessary solely to comply with a legal obligation.

(3) A resident individual may give affirmative express consent to a collection, use or disclosure of personal health data on behalf of another resident individual who is younger than 14 years of age if the resident individual is a parent or legal guardian of the other resident individual.

(4)(a) Except as provided in paragraph (b) of this subsection, a covered organization may not retain, store or use and shall destroy, delete or, if appropriate, render inaccessible to any person in any manner personal health data that the covered organization collects, stores, uses, possesses or controls not later than 65 days after the covered organization collected, received or otherwise obtained the personal health data.

(b) A covered organization may use and need not destroy, delete or render inaccessible personal health data if:

(A) The personal health data consists of aggregations, statistical analyses, compilations or interpretations; and

(B) The covered organization deidentifies the personal health data in accordance with 45 C.F.R. 164.514(b), as in effect on the effective date of this 2021 Act.

(5) A covered organization shall collect, use, receive, process, examine, disclose or collate only personal health data that is reasonably necessary to provide services to the resident individual to whom the personal health data applies, and shall:

(a) Take reasonable measures to ensure the accuracy of the personal health data and provide an accessible and effective method for a resident individual to correct any inaccuracies, as appropriate for the nature of the personal health data and the context in which the covered organization collected or received the personal health data;

(b) Establish and implement safeguards for personal health data that comply, at a minimum, with the requirements of ORS 646A.622 and require service providers by contract to comply with this section and the requirements of ORS 646A.622;

(c) Establish and implement policies and procedures that prevent the covered organization from using personal health data for any discriminatory purpose;

(d) Provide an easily accessible and effective method by which a resident individual may revoke any affirmative express consent the resident individual gave previously;

(e) Adopt, implement and provide to each resident individual from whom the covered organization collects, or about whom the covered organization receives, personal health data a clear, understandable and conspicuous disclosure of policies and procedures in compliance with which the covered organization collects, receives or otherwise obtains personal health data that, at a minimum, must include:

(A) The manner in which and the purposes for which the covered organization collects, receives, processes, examines, analyzes, collates, discloses, transfers, stores, retains or makes use of personal health data;

(B) Categories of persons to which the covered organization does or may disclose personal health data or from which the covered organization does or may receive or obtain personal health data; and

(C) A statement that informs the resident individual that and how the resident individual may provide, refuse to provide or revoke affirmative express consent;

(f) Cease the covered organization’s collection, receipt or use of a resident individual’s personal health data not later than 21 days after receiving from the resident individual a revocation of affirmative express consent; and

(g) Compile, not later than 30 days after the effective date of this 2021 Act and during each period of 60 days thereafter, and retain for a period of not less than five years after the expiration or termination of the emergency period, subject to an audit by the Oregon Health Authority, a series of reports that:

(A) States the number of resident individuals from or about whom the covered organization collected, received or otherwise obtained personal health data;

(B) Describes the categories of personal health data the covered organization collected, received or otherwise obtained and the specific purpose for which the covered organization collected, received or obtained the personal health data; and

(C) Lists the persons to which the covered organization disclosed, sold or otherwise transferred personal health data.

(6) A covered organization may not collect, use or disclose personal health data for a purpose that this section does not expressly authorize, including for:

(a) Commercial advertising;

(b) Recommendations or reviews related to electronic commerce; or

(c) Training machine learning algorithms related to or for subsequent use in commercial advertising or electronic commerce.

(7) This section does not limit or prohibit:

(a) A university or other institution of higher education or a nonprofit corporation, as defined in ORS 65.001, from conducting scientific research or a public health program or from developing vaccinations, medications or treatments related to COVID-19 that are otherwise authorized by law;

(b) A covered organization from complying with a federal or state law, a court order, subpoena or other legal process that requires the covered organization or a service provider to disclose personal health data; or

(c) A covered organization from maintaining, retaining or storing other information in compliance with federal or state law.

(8) This section does not modify or affect a covered organization’s obligation to comply with the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as in effect on the effective date of this 2021 Act, with regulations adopted under the Act or with ORS 192.553 to 192.581, if applicable.

(9) A covered organization’s violation of a provision of this section is an unlawful practice under ORS 646.607. [2021 c.305 §1]

 

Sec. 4. (1) Section 1 of this 2021 Act and the amendments to ORS 646.607 by section 2 of this 2021 Act apply to acts to collect, receive, process, examine, analyze, collate, disclose, store or retain personal health data, as defined in section 1 of this 2021 Act, that occur on or after the effective date of this 2021 Act [June 15, 2021].

(2) A covered organization that collected, used or disclosed personal health data before the effective date of this 2021 Act may not store, retain or make use of personal health data later than, and shall destroy or render the personal health data inaccessible not later than, 65 days after the effective date of this 2021 Act. [2021 c.305 §4]

 

Sec. 5. Section 1 of this 2021 Act is repealed 270 days after the end of the emergency period, as defined in section 1 of this 2021 Act. [2021 c.305 §5]

 

For more information, see here: https://oregon.public.law/statutes/ors_chapter_646

 

These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.