Brent Hunsberger reports:

Oregon regulators are investigating whether the Archdiocese of Portland violated state law by failing to properly notify employees and volunteers that they could be victims of tax-return fraud.

The Oregon Division of Finance and Corporate Securities has received two complaints from consumers about the Archdiocese, which oversees schools and parishes serving 418,000 Catholics in western Oregon. The complaints allege the Archdiocese failed to properly alert past and present employees and volunteers that their Social Security numbers might be compromised.

Read more on Oregon Live.

One of the interesting issues here is the confusion as to who’s responsible for notifying people. Oregon’s breach notification law contains language similar to other states in that it applies to any organization that “owns, maintains or otherwise possesses data” involved in a security breach. But whose breach was this? Who owns or maintains the SSN involved in the breach? It’s still not clear who had the breach, so who’s responsible for notifying Oregon residents who were affected by it?

This same issue of who’s responsible also came up recently in the Experian/Court Ventures and U.S. Info Search mess, where Experian claims it’s U.S. Info Search’s responsibility to notify consumers as they owned the database from which the records were acquired via Court Ventures. U.S. Info Search maintains that it’s Experian’s responsibility to notify consumers.  We’ll have to wait to see how that one is resolved, although looking at the plain language of state statutes, I suspect Experian may be right on that one.

In any event, these incidents should have legislators and consumer advocates taking a long hard look at the language of state laws and proposed federal laws to see if they need revision to clarify who’s responsible for notifying consumers if the original point of compromise may not be known or may involve multiple parties’ responsibility.