Safeguarding personal information
Your Responsibility. . .
The Oregon Identity Theft Protection Act requires you to develop,
implement, and maintain reasonable safeguards to ensure the security,
confidentiality, and integrity of the personal information you hold. Safeguarding
also means properly disposing of that information.
The following steps will help you implement an
information security program that minimizes breach risks.
Know what information you have on computers and
in files by taking inventory of all information you have by type
and location. This also includes how you receive personal information
through websites, from contractors, and others. Be sure you know
what sensitive information is stored on laptops, tablets, employees'
home computers, flash drives, and cell phones.
As part of the assessment, take a look at the
effectiveness of existing security safeguards to see if there
are any foreseeable internal or external risks with your network
or the software used.
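Taking inventory by type and location is easier with a small discovery tool. The following is an added example, not part of this guidance or any state program: it walks a directory tree, counts matches for two of the personal-identifier types named on this page (Social Security numbers and payment card numbers), and reports the file, the type, and the count without ever echoing the values themselves. The detection rules (the regular expressions, the unassigned-SSN filter, the Luhn checksum) and the sample files are constructed for this example.

```python
import os
import re
import tempfile
from collections import Counter

# Detection rules constructed for this example (not an authoritative PII definition).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or hyphens, as payment card numbers usually appear.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number ranges the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_pii(text: str) -> Counter:
    """Count matches by type. Only types and counts are returned, never the matched values."""
    found = Counter()
    for m in SSN_RE.finditer(text):
        if looks_like_ssn(*m.groups()):
            found["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found["card"] += 1
    return found


def inventory(root: str) -> list:
    """Walk root and return sorted (relative path, pii type, count) rows for text-like files."""
    rows = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue  # binary or unknown formats need a different reader
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                counts = find_pii(f.read())
            for kind, n in counts.items():
                rows.append((os.path.relpath(path, root), kind, n))
    return sorted(rows)


# Constructed sample files; the numbers are test values, not real identifiers.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,000-12-3456\n",
    "sales/orders.txt": "card 4111 1111 1111 1111 approved\nref 1234-5678-9012-3456 declined\n",
    "notes/readme.md": "no sensitive data here, ticket 555-12-0000\n",
    "bin/export.dat": "123-45-6789",  # skipped: not a text extension
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="pii_inventory_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


def demo() -> list:
    """Build the sample tree and return its inventory rows."""
    return inventory(build_sample_tree())


if __name__ == "__main__":
    for path, kind, n in demo():
        print(f"{path}\t{kind}\t{n}")
```

Two design points matter for an inventory like this: the report lists where each kind of identifier lives, which is what the retention and disposal plan needs, without copying the identifiers into a new file that then itself has to be safeguarded; and the unassigned-range and Luhn checks keep ticket numbers and similar digit runs from inflating the results, as the readme and declined-order lines in the sample show.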
Lost or stolen paper documents containing personal
identifying information make you vulnerable to a security breach.
The best defense in securing paper documents, as well as CDs,
zip drives, tapes, and backups, is locking them in a file cabinet
or placing them in a locked room with limited access. Develop
a plan for your employees outlining procedures to securely store
sensitive information, including if or how devices can be taken
off the premises. Ensure that sensitive information stored on
laptops is encrypted.
If you do not need certain personal identifying
information, don't keep it. Do not collect sensitive consumer
information, such as a Social Security number, if there is not
a legitimate business need. If this information does serve a need,
design a record retention plan that outlines what information
must be kept, how to secure it, how long to keep it, and how to
dispose of it securely once you no longer need it.
Make sure employees know what personal identifying
information is, how important it is to safeguard it, and your
security program practices and procedures. Personal identifying
information includes a person's name in combination with a Social
Security number, Oregon driver license number or Oregon identification
card number, or a financial account or credit or debit card number
along with security or access codes or passwords that allow someone
to access your financial accounts. Likewise, train your employees
on notification procedures in the event of a security breach.
To help spread the word, designate one or more
employees to coordinate the security program and its training.
Regularly assess security risks by testing and
monitoring key controls, systems, and procedures. In addition,
look at any risk to your information storage, whether it is a
locking file cabinet or electronic system. This will help in quickly
responding to any attacks or intrusions.
When selecting outside service providers, know
their capabilities in maintaining appropriate safeguards and require
these safeguards in your contract with them.
Protect against any unauthorized access to or use
of the personal identifying information you maintain and no longer
need by properly destroying it. Hard-copy records with sensitive
information should be shredded, burned, or pulverized. Any electronic
records should be erased in such a way that they cannot be read or reconstructed.
Recycling electronic equipment
You can recycle your old computers and monitors
at certain collection and service sites near you by contacting
the Oregon E-cycle Program at 1-888-532-9253 or by visiting their website.
Just remember, you are responsible for safeguarding any personal
identifying information that may be on a computer, so before you
recycle, make sure you properly erase or destroy any electronic
records or the hard drive with personal information.
Note: Any individual, business, government agency,
or organization that is subject to and complies with data safeguard
regulations or guidance adopted under the Gramm-Leach-Bliley Act or the Health
Insurance Portability and Accountability Act (HIPAA) does not
need to develop additional processes. However, you must follow Oregon's
requirements to protect your employees' personal information,
such as Social Security numbers or financial data, because HIPAA does
not cover this information.
Requirements for safeguarding data
According to the Oregon Identity Theft Protection Act, a security
program that includes the following will be considered in compliance
with the requirement to maintain reasonable safeguards to protect
personal information:
- Administrative safeguards
  - Designate one or more employees to coordinate
    the security program.
  - Identify reasonably foreseeable internal
    and external risks.
  - Assess the sufficiency of safeguards in
    place to control the identified risks.
  - Train and manage employees in the security
    program practices and procedures.
  - Select service providers capable of maintaining
    appropriate safeguards, and require those safeguards by contract.
  - Adjust the security program in light of
    business changes or new circumstances.
- Technical safeguards
  - Assess risks in network and software design.
  - Assess risks in information processing,
    transmission, and storage.
  - Detect, prevent, and respond to attacks
    or system failures.
  - Regularly test and monitor the effectiveness
    of key controls, systems, and procedures.
- Physical safeguards
  - Assess risks of information storage and disposal.
  - Detect, prevent, and respond to intrusions.
  - Protect against unauthorized access to or
    use of personal information during or after the collection,
    transportation, and destruction or disposal of the information.
  - Dispose of personal information after it
    is no longer needed for business purposes or as required by
    local, state, or federal law by burning, pulverizing, shredding,
    or modifying a physical record and by destroying electronic
    media so that the information cannot be read or reconstructed.
A small business, defined as one with 200 or fewer
employees in a manufacturing business or 50 or fewer employees in
other types of business, complies with the safeguard requirements
if its information security and disposal program contains the administrative,
technical, and physical safeguards and disposal measures appropriate
to the size and complexity of the business, the nature and
scope of its activities, and the sensitivity of the personal information
it collects, including personnel records.
The Federal Trade Commission has more information
on assessing risk and safeguarding sensitive data:
- Check: Reducing Risks to your Computer System
- Compromise and the Risk of Identity Theft
- Institutions and Customer Information: Complying with the Safeguards
- Personal Information - A Guide for Business