Skip to main content

Steps to protecting data

Assess and minimize risks to your business and to consumers by following requirements in the Oregon Consumer Identity Theft Protection Act. The law contains standards to safeguard personal information, shield Social Security numbers, and notify consumers in case of a data breach.


Take inventory of all information you have by type and location on computers and in files by. This includes how you receive personal information through websites, from contractors, and others. Be sure you know what sensitive information is stored on laptops, tablets, employees' home computers, flash drives, and cellphones. Look at the effectiveness of existing security safeguards to see if there are any foreseeable internal or external risks with your network or the software used.


Secure paper documents with personal information, as well as CDs, zip drives, tapes, and backups, by locking them in a file cabinet or placing them in a locked room with limited access. Develop a plan for your employees outlining procedures to securely store personal information, including if or how devices can be taken off the premises. Ensure that sensitive information stored on laptops is encrypted.


Do not collect sensitive consumer information, such as a Social Security number, if there is not a legitimate business need. If this information does serve a need, design a record retention plan that outlines what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely once you no longer need it.


Ensure employees know what personal identifying information is, how important it is to safeguard it, and your security program practices and procedures. Likewise, train your employees on notification procedures in the event of a security breach. To help spread the word, designate one or more employees to coordinate the training of the security program.

Creating your plan

A comprehensive data security plan includes administrative, technical, and physical safeguards. Please refer to this document for more information.


Regularly assess security risks by testing and monitoring key controls, systems, and procedures. In addition, look at any risk to your information storage, whether it is a locking file cabinet or electronic system. This will help in quickly responding to any attacks or intrusions. When selecting outside service providers, know their capabilities in maintaining appropriate safeguards and require these safeguards in your contract with them.


Protect against any unauthorized access or use of the personal identifying information you maintain and no longer need by properly destroying it. Hard-copy records with sensitive information should be shred, burned, or pulverized. Any electronic records should be erased in such a way that they cannot be read or reconstructed.

Recycling electronic equipment

You can recycle your old computers and monitors at certain collection and service sites near you by contacting the Oregon E-cycle Program at 1-888-532-9253 (toll-free). Remember, you are responsible for safeguarding any personal identifying information that may be on a computer so before you recycle, make sure you properly erase or destroy any electronic records or the hard drive with personal information.


Any individual, business, government agency, or organization that is subject to and complies with data safeguard regulations or guidance adopted under the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA) does not need to develop additional processes. However, you must follow Oregon’s requirements to protect your employee’s personal information, such as Social Security numbers or financial data as HIPAA does not cover this information.

Your browser is out-of-date! It has known security flaws and may not display all features of this and other websites. Learn how