2017 ORS 646A.602¹
Definitions for ORS 646A.600 to 646A.628

This section is amended
Effective June 2, 2018
Relating to actions after a breach of security that involves personal information; creating new provisions; amending ORS 646A.602, 646A.604, 646A.606, 646A.608, 646A.610 and 646A.622; and prescribing an effective date.

As used in ORS 646A.600 (Short title) to 646A.628 (Allocation of moneys):

(1)(a) “Breach of security” means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.

(b) “Breach of security” does not include an inadvertent acquisition of personal information by a person or the person’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

(2) “Consumer” means an individual resident of this state.

(3) “Consumer report” means a consumer report as described in section 603(d) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)), as that Act existed on January 1, 2016, that a consumer reporting agency compiles and maintains.

(4) “Consumer reporting agency” means a consumer reporting agency as described in section 603(p) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(p)) as that Act existed on January 1, 2016.

(5) “Debt” means any obligation or alleged obligation arising out of a consumer transaction.

(6) “Encryption” means an algorithmic process that renders data unreadable or unusable without the use of a confidential process or key.

(7) “Extension of credit” means a right to defer paying debt or a right to incur debt and defer paying the debt, that is offered or granted primarily for personal, family or household purposes.

(8) “Identity theft” has the meaning set forth in ORS 165.800 (Identity theft).

(9) “Identity theft declaration” means a completed and signed statement that documents alleged identity theft, using the form available from the Federal Trade Commission, or another substantially similar form.

(10) “Person” means an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109 (“Public body” defined).

(11) “Personal information” means:

(a) A consumer’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired:

(A) A consumer’s Social Security number;

(B) A consumer’s driver license number or state identification card number issued by the Department of Transportation;

(C) A consumer’s passport number or other identification number issued by the United States;

(D) A consumer’s financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account;

(E) Data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;

(F) A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or

(G) Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

(b) Any of the data elements or any combination of the data elements described in paragraph (a) of this subsection without the consumer’s first name or first initial and last name if:

(A) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and

(B) The data element or combination of data elements would enable a person to commit identity theft against a consumer.

(c) “Personal information” does not include information in a federal, state or local government record, other than a Social Security number, that is lawfully made available to the public.

(12) “Proper identification” means written information or documentation that a consumer or representative can present to another person as evidence of the consumer’s or representative’s identity, examples of which include:

(a) A valid Social Security number or a copy of a valid Social Security card;

(b) A certified or otherwise official copy of a birth certificate that a governmental body issued; and

(c) A copy of a driver license or other government-issued identification.

(13) “Protected consumer” means an individual who is:

(a) Not older than 16 years old at the time a representative requests a security freeze on the individual’s behalf; or

(b) Incapacitated or for whom a court or other authority has appointed a guardian or conservator.

(14) “Protective record” means information that a consumer reporting agency compiles to identify a protected consumer for whom the consumer reporting agency has not prepared a consumer report.

(15) “Redacted” means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, passport number or other number issued by the United States, financial account number, credit card number or debit card number is visible or accessible.

(16) “Representative” means a consumer who provides a consumer reporting agency with sufficient proof of the consumer’s authority to act on a protected consumer’s behalf.

(17) “Security freeze” means a notice placed in a consumer report at a consumer’s request or a representative’s request or in a protective record at a representative’s request that, subject to certain exemptions, prohibits a consumer reporting agency from releasing information in the consumer report or the protective record for an extension of credit, unless the consumer temporarily lifts the security freeze on the consumer’s consumer report or a protected consumer or representative removes the security freeze on or deletes the protective record. [2007 c.759 §2; 2013 c.415 §1; 2015 c.357 §1]

Law Review Cita­tions

52 WLR 451 (2016)

(formerly 646.315 to 646.375)

Notes of Decisions

Where purchaser fails to provide notice of condi­tion requiring repair, presump­tion does not arise that repair time exceeding 30 business days demonstrates inability of manufacturer to conform vehicle. Pavel v. Winnebago Industries, Inc., 127 Or App 16, 870 P2d 856 (1994)

Repair time exceeding 30 business days as evidence of inability to conform vehicle applies only to presently existing defect. Pavel v. Winnebago Industries, Inc., 127 Or App 16, 870 P2d 856 (1994)

Law Review Cita­tions

19 WLR 329 (1983)

1 Legislative Counsel Committee, CHAPTER 646A—Trade Regulation, https://­www.­oregonlegislature.­gov/­bills_laws/­ors/­ors646A.­html (2017) (last ac­cessed Mar. 30, 2018).
2 Legislative Counsel Committee, Annotations to the Oregon Revised Stat­utes, Cumulative Supplement - 2017, Chapter 646A, https://­www.­oregonlegislature.­gov/­bills_laws/­ors/­ano646A.­html (2017) (last ac­cessed Mar. 30, 2018).
3 OregonLaws.org assembles these lists by analyzing references between Sections. Each listed item refers back to the current Section in its own text. The result reveals relationships in the code that may not have otherwise been apparent.