DATE: November 18, 2020

Secretary of State Bev Clarno Releases Audit of Statewide Data Privacy and Incident Response

SALEM, OR — Oregon lacks a senior official responsible for managing data privacy, which increases the risk that private, personally identifiable information is not appropriately safeguarded, according to an audit released today by the Secretary of State. The findings are outlined in the report entitled: “The State Does Not Have A Privacy Program to Manage Enterprise Privacy Risk.”

State agencies collect and store personally identifiable information from virtually all Oregonians. This data includes health information, driving records, education data, and more. However, auditors found there is no statewide official charged with assessing the risks associated with processing that information and ensuring appropriate response strategies are in place.

As a result, the state has not established a privacy program to assess and respond to risk. The state has also not established guidance on incident response roles when security incidents arise that involve personally identifiable information.  

“Oregon has an ethical responsibility to safeguard the privacy of its citizens’ data,” said Secretary of State Bev Clarno. “It is important that a senior official is charged with ensuring risks to data privacy are understood and addressed throughout the state.”

Read the full audit on the Secretary of State website.

# # #