Oregon

Oregon State Victim Resources:

Attorney General
503-378-4732

Agencies that offer assistance to IDT victims:

Legal Aid Services of Oregon
503-224-4094

Free Online Legal Resources and Forms for IDT Victims in Oregon

Security Freeze Law:

All Oregon consumers are allowed to place security freezes on their consumer credit reports to prevent others from opening new accounts in their names. Such a freeze enables the consumer to prevent anyone from looking at his/her credit file for the purpose of granting credit unless the consumer chooses to allow a particular business to look at the information. To request a freeze, an identity theft victim must request one in writing to a consumer reporting agency at an address designated by the agency to receive such requests, or through a secure electronic request at a website designated by the agency to receive such requests if such method is made available by the consumer reporting agency at the agency's discretion.

Credit reporting agencies may charge up to $10 to place, remove, or temporarily lift a freeze. However, victims of identity theft with a valid police report may not be charged. The reporting agency must place the freeze within five business days after receiving the request, and within ten business days must send a written confirmation of the freeze and provide the consumer with a unique personal identification number or password to be used when providing authorization for the release of his credit for a specific party or period of time. Requests for a temporary unlocking of the freeze must be completed within three business days.
Statute: §646A.606 through 618.

Mandatory Police Report Law for Identity Theft Victims:

No State law at this time.

Identity Theft Passport Law:

No State law at this time.

Identity Theft Laws:

A person commits the crime of identity theft if the person, with the intent to deceive or to defraud, obtains, possesses, transfers, creates, utters or converts to the person's own use the personal identification of another person. "Another person" means a person, living or deceased, or an imaginary person.

"Personal identification" includes but is not limited to any written document or electronic data that provides information concerning a person's: name, date of birth, address, telephone number, maiden name or mother's maiden name; e-mail address; driver's license or number; Social Security number or tax identification number; account number at a financial institution, or credit card account number or PIN; citizenship status or alien identification number; employment status, employer or place of employment; or signature. Identity theft is a Class C felony, punishable by a maximum of five years in prison and up to a $100,000 fine. The presumptive sentence for a first conviction of identity theft is an 18-month probation sentence, which usually includes a short jail sentence, work release, and an order to pay restitution. In addition, identity theft is subject to the Repeat Property Offender statute (§137.717). If a person is convicted of misusing several people's identities in one indictment, each subsequent count after the first is considered to have occurred after that first conviction.

Consequently, an identity thief may be considered a repeat property offender for stealing several people's identities during one criminal episode. The presumptive sentence for a conviction of identity theft as a repeat property offender is 13 months.
Statute: §165.800

A person commits the crime of aggravated identity theft if he:

  • Commits ten or more separate identity theft incidents within a 180-day period;
  • Has a previous conviction for identity theft;
  • Causes $10,000 or more in losses in a single or aggregate transaction within a 180-day period; or
  • Has in his personal custody, possession, or control ten or more pieces of personal identification from ten or more different people.

Violations are a Class B felony, with a presumptive sentence of 19 months in prison.
Statute: §165.803

In addition, identity theft crimes can be prosecuted under the state's anti-racketeering law. This gives prosecutors more flexibility when determining the sentence for the crime, and allows for the aggregation of separate instances of identity theft committed by separate individuals participating in the same enterprise. If the crime is prosecuted as a racketeering felony, a criminal could face up to 20 years in prison with a possible $300,000 fine. These provisions do not apply to a person who obtains another person's driver's license or other form of identification solely for the purpose of misrepresenting his age solely for the purpose of purchasing alcohol or tobacco, or to enter a place access to which is restricted based on age.
Statute: §165.800

Jurisdiction

Identity theft cases that consist of an aggregate transaction involving more than one county may be held in any county in which one of the acts was committed.
Statute: §131.315

Other Related Laws:

Identification Cards

It is a Class C felony to unlawfully possess a personal identification device with the intent to use the device to commit a crime. A personal identification device is defined as a device used to manufacture or print a driver's license or identification card issued by the state or federal government, an employee identification card, or a credit or debit card.
Statute: §165.810

It is a Class C felony to unlawfully possess fictitious identification with the intent to use the personal identification card to commit a crime. These provisions do not apply to a person who obtains another person's driver's license or other form of identification solely for the purpose of misrepresenting his age solely for the purpose of purchasing alcohol or tobacco, or to enter a place access to which is restricted based on age.
Statute: §165.813

The unlawful production of identification cards or licenses is a Class C felony.
Statute: §807.500

Payment Cards

A person commits the crime of fraudulent use of a credit card if, with intent to injure or defraud, the person uses a credit card for the purpose of obtaining property or services with knowledge that:

  • The card is stolen or forged;
  • The card has been revoked or canceled; or
  • For any other reason the use of the card is unauthorized by either the issuer or the person to whom the credit card is issued.

Fraudulent use of a credit card is a Class A misdemeanor if the aggregate total amount of property or services the person obtains or attempts to obtain is under $750, and a Class C felony if $750 or more. The value of single credit card transactions may be added together if the transactions were committed against multiple victims within a 30-day period or against the same victim within a 180-day period.
Statute: §165.055

Scanning Devices

State law prohibits the use of a scanning device or re-encoder to obtain or record information encoded on a payment card without permission of the cardholder to defraud another person. A scanning device is defined as an electronic device that is used to access, read, scan, obtain, memorize, or store, temporarily or permanently, information encoded on a payment card. A re-encoder is an electronic device that places encoded information from one payment card onto another payment card. Violations are a Class C felony, and second or subsequent offenses are a Class B felony.
Statute: §165.074

Social Security Numbers

State law makes it unlawful for any business, organization, individual, or state or local government agency to:

  • Publicly post or display an individual's Social Security number (SSN) unless it is redacted;
  • Print a SSN on any materials not requested by the consumer or part of the documentation of a transaction or service requested by the consumer that are mailed to the consumer unless redacted; or
  • Print a SSN on any card required for the consumer to access products or services.

The law does not prevent the collection, use, or release of a SSN as required by state or federal law. It does not apply to records maintained or possessed by a court or the Secretary of State.

Statute: §646A.620.

Disposal of Records

Any business, government agency, or person that owns, maintains or otherwise possesses data that includes a consumer's personal information must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data. Physical records that contain personal information and are to be disposed of must be burned, pulverized, shredded, or modified, while electronic records must be destroyed or erased so that the information cannot be read or reconstructed.
Statute: §646A.622

Security Breach

State law requires people, businesses operating in the state, associations, and state and local government agencies that own, maintain, or otherwise possess data that includes a consumer's personal information to notify consumers when their personal information is compromised during a security breach, putting them at risk of identity theft. A security breach occurs upon "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity" of personal identifying information. The notification must be made in the most expeditious time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data.

Personal information means a consumer's first name or first initial and last name, in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired: Social Security number; driver license number or state identification card number; passport number or other U.S.-issued identification number; financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; federal or state government-issued ID card, or tribal identification card.

Publicly available information is not included. Personal information also includes any of the data elements when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.

Notification can be provided to the affected persons by mail, e-mail, or telephone. If the cost of providing regular notice would exceed $250,000, the number of people to be notified exceeds 300,000, or the business or agency does not have sufficient contact information, substitute notice may be provided. When substitute notice is used, it must consist of all of the following, as applicable: conspicuous posting on the business's or agency's web site and notification to major statewide media. In addition, if the breach has affected 1,000 or more people, consumer reporting agencies must also be notified without unreasonable delay.

The notice provided must include at a minimum: a description of the incident in general terms; the approximate date of the breach of security; the type of personal information obtained as a result of the breach of security; contact information of the notifying business or agency; contact information for national consumer reporting agencies; and advice to the consumer to report suspected identity theft to law enforcement, including the Federal Trade Commission.

Notification is not required if, after an appropriate investigation or after consultation with relevant federal, state, or local agencies responsible for law enforcement, the business or agency determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
Statute: §646A.604

Information gathered from sources including Identity Theft Resource Center and Identity Crime in partnership with International Association of Chiefs of Police and Bank of America.