Safeguarding personal information
Responsibility. . .
The Oregon Identity Theft Protection Act requires you to develop, implement,
and maintain reasonable safeguards to ensure the security, confidentiality,
and integrity of the information. Safeguarding also means properly disposing
The following steps will assist you in implementing an information
security program that will help minimize breach risks.
Know what information you have on computers and in files
by taking inventory of all information you have by type and location. This
also includes how you receive personal information through Web sites, from
contractors, and others. Be sure you know what sensitive information is
stored on laptops, employees' home computers, flash drives, cell phones,
and personal digital assistants (PDAs).
As part of the assessment, take a look at the effectiveness
of existing security safeguards to see if there are any foreseeable internal
or external risks with your network or the software used.
Lost or stolen paper documents containing personal identifying
information makes you vulnerable to a security breach. The best defense
in securing paper documents, as well as CDs, floppy disks, zip drives, tapes,
and backups, is locking them in a file cabinet or placing them in a locked
room with limited access. Develop a plan for your employees outlining procedures
to securely store sensitive information, including if or how devices can
be taken off the premises. And ensure that sensitive information stored
on laptops is encrypted.
If you don't have a need for certain personal identifying
information, don't keep it. And don't collect sensitive consumer information,
such as a Social Security number, if there is not a legitimate business
need. If this information does serve a need, design a record retention plan
that outlines what information must be kept, how to secure it, how long
to keep it, and how to dispose of it securely once you no longer need it.
Make sure employees know what personal identifying information
is, know how important it is to safeguard it, and know your security program
practices and procedures. Personal identifying information includes a person's
name in combination with a Social Security number, Oregon driver's license
number or Oregon identification card number, or a financial, credit or debit
card number along with security or access codes or passwords that allow
someone to access your financial accounts. Likewise, train your employees
on notification procedures in the event of a security breach.
To help spread the word, designate one or more employees
to coordinate the training of the security program.
Regularly assess security risks by testing and monitoring
key controls, systems, and procedures. In addition, look at any risk to
your information storage whether it is a locking file cabinet or electronic
system. This will help in quickly responding to any attacks or intrusions.
When selecting outside service providers, know their capabilities
in maintaining appropriate safeguards and require these safeguards in your
contract with them.
Protect against any unauthorized access or use of the personal
identifying information you maintain and no longer need by properly destroying
it. Hard copy records with sensitive information should be shred, burned,
or pulverized. Any electronic records should be erased in such a way that
they cannot be read or reconstructed.
The Oregon Legislature recently passed a law to encourage
the recycling of electronic devices including desktop and laptop computers.
Because you are responsible for safeguarding any personal identifying information
that may be on a computer, if you choose to recycle you should first properly
dispose of any electronic records that contain personal identifying information
by erasing or destroying the hard drive or reach an agreement with the company
collecting the equipment that it will properly dispose of the information.
Any individual, business or organization that is subject
to and complies with data safeguard regulations or guidance adopted under
Act or the Health
Insurance Portability and Accountability Act (HIPAA), (click on the HIPAA
Law pdf) do not need to develop additional processes. However, if you are
developing safeguards to protect the personal information of your employees,
you must follow Oregon's data safeguard requirements.
Requirements for safeguarding data
According to the Oregon Identity Theft Protection Act, a security program
includes the following and will be considered in compliance with the requirements
to maintain reasonable safeguards to protect personal information:
- Administrative safeguards
- Designate one or more employees to coordinate the
- Identify reasonably foreseeable internal and external
- Assess the sufficiency of safeguards in place to control
the identified risks.
- Train and manage employees in the security program
practices and procedures.
- Select service providers capable of maintaining appropriate
safeguards, and requires those safeguards by contract.
- Adjust the security program in light of business changes
or new circumstances.
- Technical safeguards
- Assess risks in network and software design.
- Assess risks in information processing, transmission
- Detect, prevent and respond to attacks or system failures.
- Regularly test and monitor the effectiveness of key
controls, systems and procedures.
- Physical safeguards
- Assess risks of information storage and disposal.
- Detect, prevent and respond to intrusions.
- Protect against unauthorized access to or use of personal
information during or after the collection, transportation and destruction
or disposal of the information.
- Dispose of personal information after it is no longer
needed for business purposes or as required by local, state or federal
law by burning, pulverizing, shredding or modifying a physical record
and by destroying electronic media so that the information cannot be
read or reconstructed.
Owners of a small business, defined as 200 or less employees
in manufacturing business or 50 or less employees in other types of business,
comply with the safeguard requirements if its information security and disposal
program contains the administrative, technical and physical safeguards and
disposal measures appropriate to the business' size and complexity as well
as the nature, scope of its activities, and the sensitively of the personal
information it collects including personnel records.
The Federal Trade Commission has additional information in
assessing risk and safeguarding sensitive data:
Check: Reducing Risks to your Computer System
Compromise and the Risk of Identity Theft
Institutions and Customer Information: Complying with the Safeguards Rule
Personal Information - A Guide for Business