Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.
The Oregon law requires employers who maintain personal information on Oregon residents to do the following:
- Designate a security officer
- Conduct a risk assessment
- Assess the safeguards in place to manage the risks
- Train employees in security policies and procedures
- Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
- Adjust the security program over time to meet changing circumstances
- Implement adequate physical and technical safeguards
- Properly dispose of personal information
While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information, not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.