[Owasp-portland] ORS 646A

James C. Bohem james at holycow.portland.or.us
Sat Feb 5 17:11:41 EST 2011


On Jan 21, 10:33am, Timothy D. Morgan wrote:
} Subject: [Owasp-portland] ORS 646A
} Hi Everyone,
} 
} I thought I'd break the silence and see if anyone has any experience
} with this trade regulation.  For "fun" I was just reading through the
} Oregon statutes related to information disclosure and was surprised to
} find some relatively strong language around information security
} programs.  I'm looking here:
} 
}   http://www.leg.state.or.us/ors/646a.html
} 
} The 646A.600 section is relevant, and in particular, I find 646A.622
} intriguing, since it applies to just about any organization.  Does
} anyone have experience with how this section is interpreted for various
} sizes of businesses?
} 
} tim
} 

Not experience with interpretation, since the law isn't that old, but I went
to a discussion of this statute soon after it became law. It is basically
Oregon's state privacy law, loosely modeled after California's SB1386, and others.

Somewhere around here, I have some guidance from the state on how they intended
to apply this roughly 2 years ago. I'll dig it up. 

The intent is that it does apply to just about everyone, and like most of the
first generation state privacy laws, isn't very prescriptive about how you
comply. For more granular, second generation state laws, look at what has been
passed in MA, MN, and NV in the last year or so; there's lots more detail 
about safeguards and requirements; NV's goes as far as to mandate an approach
modeled on PCI-DSS for personal information. 

My expectation is that the safeguards listed in section 622 are going to
get argued in court as due care issues; you should be able to demonstrate 
that with evidence of compliance to GLBA or HIPAA, as stated. Any of PCI-DSS,
ISO, NIST, COBIT, ITIL... or a solid InfoSec program of your own creation
could also suffice. It will be up to lawyers and expert witnesses
to argue whether 622 is met or not when this gets applied to a breach.

Here's one example where the statute was used to coerce a settlement:

http://clientdatasecurity.com/Oregon-Spruill-Order.pdf

I'm not aware of much else generating press on this statute.

James
