Section 646A.602 - Definitions for ORS 646A.600 to 646A.628.

OR Rev Stat § 646A.602 (2019) (N/A)
Copy with citation
Copy as parenthetical citation

(1)(a) "Breach of security" means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.

(b) "Breach of security" does not include an inadvertent acquisition of personal information by a person or the person’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

(2) "Consumer" means an individual resident of this state.

(3) "Consumer report" means a consumer report as described in section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)), as that Act existed on January 1, 2020, that a consumer reporting agency compiles and maintains.

(4) "Consumer reporting agency" means a consumer reporting agency as described in section 603(p) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on January 1, 2020.

(5)(a) "Covered entity" means a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.

(b) "Covered entity" does not include a person described in paragraph (a) of this subsection to the extent that the person acts solely as a vendor.

(6) "Debt" means any obligation or alleged obligation arising out of a consumer transaction.

(7) "Encryption" means an algorithmic process that renders data unreadable or unusable without the use of a confidential process or key.

(8) "Extension of credit" means a right to defer paying debt or a right to incur debt and defer paying the debt, that is offered or granted primarily for personal, family or household purposes.

(9) "Identity theft" has the meaning set forth in ORS 165.800.

(10) "Identity theft declaration" means a completed and signed statement that documents alleged identity theft, using a form available from the Federal Trade Commission, or another substantially similar form.

(11) "Person" means an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.

(12)(a) "Personal information" means:

(A) A consumer’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired:

(i) A consumer’s Social Security number;

(ii) A consumer’s driver license number or state identification card number issued by the Department of Transportation;

(iii) A consumer’s passport number or other identification number issued by the United States;

(iv) A consumer’s financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account;

(v) Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;

(vi) A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or

(vii) Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

(B) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.

(C) Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer’s user name, or the consumer’s first name or first initial and last name, if:

(i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and

(ii) The data element or combination of data elements would enable a person to commit identity theft against a consumer.

(b) "Personal information" does not include information in a federal, state or local government record, other than a Social Security number, that is lawfully made available to the public.

(13) "Proper identification" means written information or documentation that a consumer or representative can present to another person as evidence of the consumer’s or representative’s identity, examples of which include:

(a) A valid Social Security number or a copy of a valid Social Security card;

(b) A certified or otherwise official copy of a birth certificate that a governmental body issued; and

(c) A copy of a driver license or other government-issued identification.

(14) "Protected consumer" means an individual who is:

(a) Not older than 16 years old at the time a representative requests a security freeze on the individual’s behalf; or

(b) Incapacitated or for whom a court or other authority has appointed a guardian or conservator.

(15) "Protective record" means information that a consumer reporting agency compiles to identify a protected consumer for whom the consumer reporting agency has not prepared a consumer report.

(16) "Redacted" means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, passport number or other number issued by the United States, financial account number, credit card number or debit card number is visible or accessible.

(17) "Representative" means a consumer who provides a consumer reporting agency with sufficient proof of the consumer’s authority to act on a protected consumer’s behalf.

(18) "Security freeze" means a notice placed in a consumer report at a consumer’s request or a representative’s request or in a protective record at a representative’s request that, subject to certain exemptions, prohibits a consumer reporting agency from releasing information in the consumer report or the protective record for an extension of credit, unless the consumer temporarily lifts the security freeze on the consumer’s consumer report or a protected consumer or representative removes the security freeze on or deletes the protective record.

(19) "Vendor" means a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity. [2007 c.759 §2; 2013 c.415 §1; 2015 c.357 §1; 2018 c.10 §1; 2019 c.180 §2]