Requirement to develop safeguards for personal information
- conduct deemed to comply with requirement
(1)A covered entity and a vendor shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information.
(2)A covered entity or vendor complies with subsection (1) of this section if the covered entity or vendor:
(a)Complies with a state or federal law that provides greater protection to personal information than the protections that this section provides.
(b)Complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as in effect on January 1, 2020, if personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) is also subject to the Act.
(c)Complies with regulations that implement the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) and the Health Information Technology for Economic and Clinical Health Act of 2009 (P.L. 111-5, Title XIII, 123 Stat. 226), as those Acts were in effect on January 1, 2020, if personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) is also subject to those Acts.
(d)Implements an information security program that includes:
(A)Administrative safeguards such as:
(i)Designating one or more employees to coordinate the security program;
(ii)Identifying reasonably foreseeable internal and external risks with reasonable regularity;
(iii)Assessing whether existing safeguards adequately control the identified risks;
(iv)Training and managing employees in security program practices and procedures with reasonable regularity;
(v)Selecting service providers that are capable of maintaining appropriate safeguards and practices, and requiring the service providers by contract to maintain the safeguards and practices;
(vi)Adjusting the security program in light of business changes, potential threats or new circumstances; and
(vii)Reviewing user access privileges with reasonable regularity;
(B)Technical safeguards such as:
(i)Assessing risks and vulnerabilities in network and software design and taking reasonably timely action to address the risks and vulnerabilities;
(ii)Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;
(iii)Monitoring, detecting, preventing and responding to attacks or system failures; and
(iv)Regularly testing, monitoring and taking action to address the effectiveness of key controls, systems and procedures; and
(C)Physical safeguards such as:
(i)Assessing, in light of current technology, risks of information collection, storage, usage, retention, access and disposal and implementing reasonable methods to remedy or mitigate identified risks;
(ii)Monitoring, detecting, preventing, isolating and responding to intrusions timely and with reasonable regularity;
(iii)Protecting against unauthorized access to or use of personal information during or after collecting, using, storing, transporting, retaining, destroying or disposing of the personal information; and
(iv)Disposing of personal information, whether the covered entity or vendor disposes of the personal information on or off the covered entity’s or vendor’s premises or property, after the covered entity or vendor no longer needs the personal information for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.
(3)A covered entity or vendor complies with subsection (2)(d)(C)(iv) of this section if the covered entity or vendor contracts with another person engaged in the business of record destruction to dispose of personal information in a manner that is consistent with subsection (2)(d)(C)(iv) of this section.
(4)A covered entity or vendor in an action or proceeding may affirmatively defend against an allegation that the covered entity or vendor has not complied with subsection (1) of this section with respect to personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys) but is not subject to an Act described in subsection (2)(b) or (c) of this section by showing that, with respect to the personal information that is subject to ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys), the covered entity or vendor developed, implemented and maintained reasonable security measures that would be required for personal information subject to the applicable Act.
(5)Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (Purpose) (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers. [2007 c.759 §12; 2015 c.357 §3; 2018 c.10 §6; 2019 c.180 §4]
Section 646A.622 — Requirement to develop safeguards for personal information; conduct deemed to comply with requirement; defenses,