Your Responsibilities if a Breach Occurs
Craig Vattiat (00:00):
So what happens when a breach does occur? Again, this kind of goes back to Oregon law. If a breach does occur that you have a responsibility, you have a couple responsibilities as a business owner. Um, first identify the cause of that breach and, and stop the additional data loss. Again, that might not be something that you can do on your own, but there are service providers that can help you with that. The other responsibility is to notify, um, anyone who has been affected, but as soon as you can, the law requires that you do that at least within 45 days of discovering the breach. But again, doing that as soon as possible is in your best interest, you can notify the individuals in writing electronically or by phone. So there’s no kind of requirement of how that happens. Um, and we’ll take a look at kind of what needs to be in that notice in just a moment.
Craig Vattiat (00:57):
Yeah. Other options that you might take might include contacting, uh, legal counsel. There’s also forensic investigators who can kind of get to the bottom of how it happened. You might need to file a police report. Uh, you might also need to contact those if that’s necessary. If some of that financial data was, was exposed. If you have a breach that involves more than 250 consumers, Oregon law requires that you report that to the Oregon attorney general. Um, there is, um, a, a link at the Oregon department of justice that you can access to report and, uh, can make sure that that’s provided to Colin. Um, if you have a breach that involves more than a thousand customers, then you’re also required by Oregon law to report it to the three credit reporting agencies, experie, Experian, Equifax, and TransUnion. Um, and the penalties with, uh, with failing to comply can be pretty hefty. Um, you can see there that the failure to comply can result in penalties up to a thousand per violation. And then if that continues to occur up to $500,000, so very serious, um, penalties for failing to comply with law. Um, the Oregon DOJ has a document that kind of lays out the responsibilities business owners have, and you can see there’s a QR code to access it there.
Craig Vattiat (02:36):
So what needs to be re included if you do have to, uh, provide notice to your customers so that that notice should include what happened and when it happened, the type of information that was breached, what is it that you’re planning to do about it, or you are doing about it? Um, you need to include your contact information and contact information for the consumer reporting agencies. Um, and then you might also include advice to the consumer to report it to law enforcement, including the attorney general and the federal trade commission regarding protecting data Oregon’s, uh, DFR website has some, uh, additional resources there can also see that there’s, um, the Oregon DOJ site to report breaches. Uh, there’s a link available there. And again, the FTCs data breach guide for business is also a great resource. Um, and so might, uh, make sense to do a little bit of, of reading to see about how you, uh, the responsibilities you have and how you can protect your business better.
Craig Vattiat (03:48):
So in wrapping up couple of the really most important, um, items to consider here, um, is when you’re working with an insurance agent to make sure that that agent, as well as that company is licensed to sell insurance in Oregon. And that’s how DFR can really help you to make sure that you are, uh, knowing that you’re working with somebody’s licensed. Um, if any changes occur to your business, you know, update your insurance agent on changes to the type of business that you, that you engage in the property. So again, as call mentioned earlier, let’s say if you have, uh, an extension, uh, of your physical building, then that’s gonna be something your insurance company needs to know about. Um, and as you’re working to make sure that you ask questions that you don’t leave, or you don’t hang up the phone until you have a clear understanding, you know, of your rights, the responsibilities you have and the coverages that you have, uh, to make sure for you. And then if you have questions or complaints, again, remember that Oregon division of financial regulation has a team of consumer advocates that can help answer those questions and, uh, facilitate your filing a complaint against your insurance company.
Craig Vattiat (05:11):
Um, and so just to kind of leave you with, um, some contact information for Oregon DFR, we have our main website there, which is dfr.org.gov. We also have two email addresses to help consumers with those complaints. Uh, the first one there you can see is dfr.insurance help. So if you have a question about anything related to insurance, then that’s the email address that you’re gonna wanna use if it deals with a financial service product. So that would include, you know, anything from mortgages to student loan servicing, uh, to payday lending, um, pawn shops, those types of things we regulate as well. And you can get some support through that email address. And then lastly, the phone number there reaches our consumer advocacy line. They’re available again, eight to five, Monday through Friday to help Oregon consumers. And I think that, uh, ends the presentation and be happy to answer any questions that y’all might have.
Collin Gabriel (06:11):
All right. And Jon, did you have any Questions?
Joni McSpadden (06:13):
No, I don’t have any, any additional questions. I wanna thank Craig for coming and presenting this information to us and to our small businesses today. And, um, yeah, if you guys have questions you can get in touch with ONAC or, um, get, get in touch directly with DFR.
Craig Vattiat (06:33):
Yeah, please. Um, my email address is available there as well. You know, I’m part of a consumer, uh, education, financial education advisory team, and we are happy to help Oregon consumers, um, with all, all, most, all things financially related. So we’re happy to help.