DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oregon investigating complaints about the Archdiocese of Portland’s handling of ID theft

Posted on May 3, 2014 by Dissent

Brent Hunsberger reports:

Oregon regulators are investigating whether the Archdiocese of Portland violated state law by failing to properly notify employees and volunteers that they could be victims of tax-return fraud.

The Oregon Division of Finance and Corporate Securities has received two complaints from consumers about the Archdiocese, which oversees schools and parishes serving 418,000 Catholics in western Oregon. The complaints allege the Archdiocese failed to properly alert past and present employees and volunteers that their Social Security numbers might be compromised.

Read more on Oregon Live.

One of the interesting issues here is the confusion as to who’s responsible for notifying people. Oregon’s breach notification law contains language similar to other states in that it applies to any organization that “owns, maintains or otherwise possesses data” involved in a security breach. But whose breach was this? Who owns or maintains the SSN involved in the breach? It’s still not clear who had the breach, so who’s responsible for notifying Oregon residents who were affected by it?

This same issue of who’s responsible also came up recently in the Experian/Court Ventures and U.S. Info Search mess, where Experian claims it’s U.S. Info Search’s responsibility to notify consumers as they owned the database from which the records were acquired via Court Ventures. U.S. Info Search maintains that it’s Experian’s responsibility to notify consumers.  We’ll have to wait to see how that one is resolved, although looking at the plain language of state statutes, I suspect Experian may be right on that one.

In any event, these incidents should have legislators and consumer advocates taking a long hard look at the language of state laws and proposed federal laws to see if they need revision to clarify who’s responsible for notifying consumers if the original point of compromise may not be known or may involve multiple parties’ responsibility.

Related posts:

  • 700 sites hacked by Indian hackers as a revenge attack
  • EXCLUSIVE: U.S. Info Search is responsible for notifying victims of breach, not us – Experian
  • The Asian Banker & 48 Other sites hacked, data leaked
  • Pointing fingers, Thursday edition – U.S. Info Search tells its side
Category: Breach IncidentsID TheftU.S.

Post navigation

← In The Data Breach Regulatory Derby – Kentucky Loses Out to Iowa
FL: High school student confesses to hacking school’s database to change grades →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.