Assess and minimize risks to your business and to consumers by following requirements
in the Oregon Consumer Identity Theft Protection Act. The law contains standards to
safeguard personal information, shield Social Security numbers, and notify consumers
in case of a data breach.
Take inventory of all information you have by type and location on computers and in files by.
This includes how you receive personal information through websites, from contractors, and others.
Be sure you know what sensitive information is stored on laptops, tablets, employees'
home computers, flash drives, and cellphones. Look at the effectiveness of existing security
safeguards to see if there are any foreseeable internal or external risks with your network or the
Secure paper documents with personal information, as well as CDs, zip drives, tapes, and backups,
by locking them in a file cabinet or placing them in a locked room with limited access. Develop a
plan for your employees outlining procedures to securely store personal information, including if
or how devices can be taken off the premises. Ensure that sensitive information stored on laptops
Do not collect sensitive consumer information, such as a Social Security number, if there is not
a legitimate business need. If this information does serve a need, design a record retention plan
that outlines what information must be kept, how to secure it, how long to keep it, and how to dispose
of it securely once you no longer need it.
Ensure employees know what personal identifying information is, how important it is to safeguard it,
and your security program practices and procedures. Likewise, train your employees on notification
procedures in the event of a security breach. To help spread the word, designate one or more employees
to coordinate the training of the security program.
Creating your plan
A comprehensive data security plan includes administrative, technical, and physical
safeguards. Please refer to this document for more information.
Regularly assess security risks by testing and monitoring key controls, systems, and procedures.
In addition, look at any risk to your information storage, whether it is a locking file cabinet
or electronic system. This will help in quickly responding to any attacks or intrusions. When
selecting outside service providers, know their capabilities in maintaining appropriate safeguards
and require these safeguards in your contract with them.
Protect against any unauthorized access or use of the personal identifying information you maintain
and no longer need by properly destroying it. Hard-copy records with sensitive information should be shredded,
burned, or pulverized. Any electronic records should be erased in such a way that they cannot be read or
Recycling electronic equipment
You can recycle your old computers and monitors at certain collection and service sites near you
by contacting the Oregon E-cycle Program
at 1-888-532-9253 (toll-free). Remember, you are responsible for safeguarding any personal identifying
information that may be on a computer, so before you recycle, make sure you properly erase or destroy any
electronic records or the hard drive containing personal information.
Any individual, business, government agency, or organization that is subject to and
complies with data safeguard regulations or guidance adopted under the
Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act
(HIPAA) does not need to develop additional processes. However, you must follow Oregon’s requirements to protect your employees’ personal information, such as Social Security numbers or financial data, as HIPAA does not cover this information.