2018 Regular Session
At the request of:
Bill Title: Relating to data security; prescribing an effective date.
Requires person that owns, licenses, has control over or has access to personal information and was subject to breach of security to notify consumer to whom personal information pertains and, if number of consumers to whom person must send notice exceeds 250, to Attorney General.
[Prohibits consumer reporting agencies from charging certain fees related to security freezes on consumer reports or protective records.] [Requires certain persons who own, license, possess or have access to personal consumer information to give notice of breach of data security to certain financial institutions and merchant services providers. Requires financial institutions and merchant services providers that discover or receive notice of data breach of another person to notify other person.] [Requires notice of data breach to be given within 45 days of discovery of breach, unless such notice will impede criminal investigation.] [Prohibits person providing free credit monitoring in connection with data breach from offering additional services, unless such services are free, or from conditioning free credit monitoring on acceptance of other services.] [Modifies standards for safeguarding of personal information.] [Permits person to initiate civil action on behalf of state for violations of Oregon Consumer Identity Theft Protection Act. Provides that person may receive award of no greater than 25 percent of monetary recovery. Provides that state may intervene and proceed with such action. Provides that when person or state prevails in such action, court shall award reasonable attorney fees and costs.] Requires person to give notice in most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notice of breach of security. Requires person, in providing notice, to determine sufficient contact information for notice recipients, to determine scope of breach of security and to restore integrity, security and confidentiality of personal information.
Provides that if person must notify consumer of breach of security and with notice person offers credit monitoring services or identity theft prevention and mitigation services without charge to consumer, person may not condition provision of services on consumer's providing person with credit card or debit card number or consumer's acceptance of any other service person offers for fee. Requires person to separately, distinctly, clearly and conspicuously disclose to consumer in any offer for additional credit monitoring services or identity theft prevention and mitigation services that person offers for fee that person will charge consumer fee. Prohibits consumer reporting agency from charging consumer fee or collecting from consumer money or item of value for placing, temporarily lifting or removing security freeze on consumer's consumer report, creating or deleting protective record, placing or removing security freeze on protective record or replacing lost personal identification number or password. Modifies standards for safeguarding personal information. Punishes violation of Act under Unlawful Trade Practices Act. Takes effect on 91st day following adjournment sine die.
Fiscal Impact: Has Minimal Fiscal Impact
Revenue Impact: No Revenue Impact
Measure Analysis: Staff Measure Summary / Impact Statements
Current Location: In House Committee
Current Committee: House Committee On Rules
Potential Conflicts of Interest/Vote Explanations: Potential Conflicts of Interest/Vote Explanation Documents