DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oregon investigating complaints about the Archdiocese of Portland’s handling of ID theft

Posted on May 3, 2014 by Dissent

Brent Hunsberger reports:

Oregon regulators are investigating whether the Archdiocese of Portland violated state law by failing to properly notify employees and volunteers that they could be victims of tax-return fraud.

The Oregon Division of Finance and Corporate Securities has received two complaints from consumers about the Archdiocese, which oversees schools and parishes serving 418,000 Catholics in western Oregon. The complaints allege the Archdiocese failed to properly alert past and present employees and volunteers that their Social Security numbers might be compromised.

Read more on Oregon Live.

One of the interesting issues here is the confusion as to who’s responsible for notifying people. Oregon’s breach notification law contains language similar to other states in that it applies to any organization that “owns, maintains or otherwise possesses data” involved in a security breach. But whose breach was this? Who owns or maintains the SSN involved in the breach? It’s still not clear who had the breach, so who’s responsible for notifying Oregon residents who were affected by it?

This same issue of who’s responsible also came up recently in the Experian/Court Ventures and U.S. Info Search mess, where Experian claims it’s U.S. Info Search’s responsibility to notify consumers as they owned the database from which the records were acquired via Court Ventures. U.S. Info Search maintains that it’s Experian’s responsibility to notify consumers.  We’ll have to wait to see how that one is resolved, although looking at the plain language of state statutes, I suspect Experian may be right on that one.

In any event, these incidents should have legislators and consumer advocates taking a long hard look at the language of state laws and proposed federal laws to see if they need revision to clarify who’s responsible for notifying consumers if the original point of compromise may not be known or may involve multiple parties’ responsibility.

Category: Breach IncidentsID TheftU.S.

Post navigation

← In The Data Breach Regulatory Derby – Kentucky Loses Out to Iowa
FL: High school student confesses to hacking school’s database to change grades →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.