Identity protection is top of the mind. Collecting, sharing, and keeping personal data is essential to businesses, organizations, and government agencies. With cyber attacks becoming increasingly common and sophisticated, it’s not just essential to have a plan to protect your customers and employees – it’s the law.
Oregon’s Consumer Identity Theft Protection Act and related rules can give clear direction and expectations to ensure the
safety of sensitive data.
In Oregon, personal information includes a consumer’s first name – or first initial and last name – in combination with the consumer’s:
• Social Security number
• Driver license number or state ID card number issued by the Department of Transportation
• Passport number or other U.S.-issued identification number
• Financial account, credit, or debit card number, in combination with any required security or access code, or password that would allow access to the financial account
• Physical characteristics data used to authenticate identification during a financial transaction such as fingerprint, retina, or iris image
• Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier used by health insurers
• Medical history, mental or physical condition, or medical diagnosis or treatment by a health care professional
The Oregon Identity Theft and Protection Act guide is attached for you below. Similar to the Europe’s GDPR, Oregon has implemented an identity theft protection act. Portland became the first jurisdiction in the country to ban the private sector use of facial recognition technology in public places and will take effect on January 1, 2021. Private entities will be prohibited from using the technology within Portland except “to the extent necessary to comply with federal, state or local laws; for user verification purposes to access the user’s own personal or employer issued communication and electronic devices; or in automatic face detection services in social media applications. The Portland ordinance provides for a private right of action for damages sustained as a result of the private entity’s material violation of the ordinance or $1,000 per day for each day of the violation, whichever amount is greater as well as other remedies. A separate ordinance banning the use of facial recognition technology by the city government was also passed by the Portland City Council, like Boston and San Francisco, who have similar ordinances.