Identity theft has increasingly become a popular topic on the evening news and in print media. A recent story involved the loss of thousands of private patient records by a large healthcare provider. Most commonly, identity theft stories involve the misuse of information collected from recycling or garbage containers outside businesses and private residences. As a result of these high profile stories, consumers have become more sensitive to privacy issues, and businesses have been strongly encouraged to better protect information under their control. However, up until recently, many businesses, including real estate brokerages, were not held to strict standards when it came to managing private information.
In 2007, the Oregon Legislature passed Senate Bill 583, aptly titled the “Oregon Consumer Identity Theft Protection Act.” Oregon did not previously have a law that both protected consumers and set in place standards to which Oregon businesses and public bodies must adhere, despite being ranked 13th nationally by the Federal Trade Commission in identity theft crimes. The Oregon Legislature opted to pass this Act due to the increasing number of identity theft crimes, and heightened concern on the part of consumers, in line with a national trend.
The Act is important for real estate brokerages, mortgage brokerages, Realtor® associations and other real-estate related businesses to be aware of, as they are required to comply with the Act in protecting consumer information. Information such as driver’s license numbers, social security numbers, bank account numbers and credit card numbers are all considered private information under the Act, and must be protected by businesses. Although real estate brokerages may not necessarily have social security numbers or credit card numbers, they will undoubtedly have copies of earnest money checks in their paper files or scanned electronically into their computer systems. Realtor® associations may be in possession of their members’ credit card information, particularly if they allow members to pay dues with credit cards. Undoubtedly, mortgage brokerages will collect and retain the greatest amount of private information on their clients, including social security numbers, bank account numbers, driver’s license numbers and the like.
Generally, the Act places greater responsibility on businesses to protect personal information under their control. Businesses are now required to safeguard private information received from consumers by implementing appropriate information security procedures and methods by which information is destroyed. Such procedures may include formulation of an office policy regarding use, retention and destruction of personal information. Businesses may also want to consider appointing an individual within each company or branch office to be in charge of the office policy and its implementation. Small measures, such as locking file cabinets or restricting public access to areas in which such information is contained, are practical and relatively inexpensive to implement. For larger businesses, or those with highly confidential information, measures taken to protect information must be more significant.
In addition to requiring businesses to protect information, the Act also prohibits businesses from printing social security numbers on documents that may be transmitted through the mail or published, unless the consumer specifically assents to enclosure of his or her social security number in such a document. However, certain documents are exempted from this requirement, including those required by law to include social security numbers, such as judgments or court orders.
In the event of a security breach, such as a server containing personal information being stolen from a business, the business is required to notify all individuals who are impacted by the breach. Such notification must be given immediately in writing, via email if email contact is customary with those individuals, or by telephone, provided that the business actually makes contact with the individual impacted. However, security breaches that do not concern electronic information are not subject to the same notice requirement. For example, if paper files are stolen or lost by a business, they will not necessarily be required to notify individuals who are impacted by the breach.
The Act contains provisions which grant consumers certain rights in the event their personal information is disclosed by a business. For instance, consumers have the right to request that credit reporting agencies freeze their credit for no more than $10 per reporting agency. If consumers have filed police reports or identity theft reports with governmental agencies, they do not have to pay for each credit freeze. Such freezes will allow consumers to reduce the damage done as a result of potential identity theft.
Should businesses fail to properly safeguard information, or fail to comply with the notice requirements discussed above, the Act grants the Oregon Department of Consumer and Business Services enforcement rights and the ability to impose a fine of up to $1,000 per violation.
Although many businesses already have procedures in place for protecting personal information of their customers or clients, it is important that businesses are aware of the Act and its new requirements. Unquestionably, businesses do not want to be placed in the awkward position of having to notify their customers or clients that there has been a security breach, thereby creating distrust of the businesses. In addition, businesses do not want to incur the trouble and great expense associated with violating the Act.
We would advise real estate brokerages, mortgage brokerages, Realtor® associations and other real-estate related businesses to learn more about what is required of them under the Act by visiting the Oregon Department of Consumer and Business Services website at www.dfcs.oregon.gov. Furthermore, should businesses have specific questions about their business practices and methods by which they may protect personal information, they may call the Oregon Department of Consumer and Business Services at (503) 378-4140. Putting the time and energy into complying with the Act now may help prevent problems later.
This column contains general information only and must not be construed as legal advice.
Questions may be submitted directly to Maylie & Grayson by fax at (503) 775-1765,
by email at or by mail at 7959 SE Foster Road, Portland, Oregon 97206.