DataBreaches.net

DataBreaches.net

The Office of Inadequate Security

Menu
  • Breach Laws
  • About
  • Donate
  • Contact
  • Privacy
  • Transparency Reports
Menu

Oregon investigating complaints about the Archdiocese of Portland’s handling of ID theft

Posted on May 3, 2014May 3, 2014 by Dissent

Brent Hunsberger reports:

Oregon regulators are investigating whether the Archdiocese of Portland violated state law by failing to properly notify employees and volunteers that they could be victims of tax-return fraud.

The Oregon Division of Finance and Corporate Securities has received two complaints from consumers about the Archdiocese, which oversees schools and parishes serving 418,000 Catholics in western Oregon. The complaints allege the Archdiocese failed to properly alert past and present employees and volunteers that their Social Security numbers might be compromised.

Read more on Oregon Live.

One of the interesting issues here is the confusion as to who’s responsible for notifying people. Oregon’s breach notification law contains language similar to other states in that it applies to any organization that “owns, maintains or otherwise possesses data” involved in a security breach. But whose breach was this? Who owns or maintains the SSN involved in the breach? It’s still not clear who had the breach, so who’s responsible for notifying Oregon residents who were affected by it?

This same issue of who’s responsible also came up recently in the Experian/Court Ventures and U.S. Info Search mess, where Experian claims it’s U.S. Info Search’s responsibility to notify consumers as they owned the database from which the records were acquired via Court Ventures. U.S. Info Search maintains that it’s Experian’s responsibility to notify consumers.  We’ll have to wait to see how that one is resolved, although looking at the plain language of state statutes, I suspect Experian may be right on that one.

In any event, these incidents should have legislators and consumer advocates taking a long hard look at the language of state laws and proposed federal laws to see if they need revision to clarify who’s responsible for notifying consumers if the original point of compromise may not be known or may involve multiple parties’ responsibility.

Related Posts:

  • Update: Archdiocese of Seattle data breach appears…
  • Four months later, Archdiocese of Portland breach…
  • Denver Archdiocese payroll system breached, 18,000 at risk
  • Seattle, Portland Archdiocese Login Credentials…
  • Archdiocese of St. Louis websites down after…

Post navigation

← In The Data Breach Regulatory Derby – Kentucky Loses Out to Iowa
FL: High school student confesses to hacking school’s database to change grades →

Sponsored or Paid Posts

This site doesn’t accept sponsored posts and doesn’t respond to requests about them.

Have a News Tip?

Email:

Breaches[at]Protonmail.ch
Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Telegram: @DissentDoe

Browse by News Section

Latest Posts

  • AlphV claims they have started contacting some of Tipalti’s clients (1)
  • Research: Privacy as Pretense: Empirically Mapping the Gap Between Legislative & Judicial Protections of Privacy
  • What it means — CitrixBleed ransomware group woes grow as over 60 credit unions, hospitals, financial services and more breached in US.
  • On September 2nd, the U.S. branch of Great Star Industrial Co. disbursed a ransom of 1 million dollars to a ransomware group
  • Former Public School Information Technology Manager Charged with Damaging School’s Computer Network
  • Sellafield nuclear site hacked by groups linked to Russia and China
  • Hackers steal IDF patient records from cyberattack on Israeli hospital (corrected)
  • AlphV claims an attack before even alerting the victim. How will that work out for them? (1)

Please Donate

If you can, please donate XMR to our Monero wallet because the entities whose breaches we expose are definitely not supporting our work and are generally trying to chill our speech!

Donate- Scan QR Code   Donate!

Social Media

Find me on Infosec.Exchange.

I am also on Telegram @DissentDoe.

RSS

Grab the RSS Feed

Copyright

© 2009 – 2023, DataBreaches.net and DataBreaches LLC. All rights reserved.

HIGH PRAISE, INDEED!

“You translate “Nerd” into understandable “English” — Victor Gevers of GDI Foundation, talking about DataBreaches.net

©2023 DataBreaches.net