BishopAccountability.org
 
 

Oregon Investigating Complaints about the Archdiocese of Portland's Handling of ID Theft

By Brent Hunsberge
The Oregonian
May 3, 2014

http://www.oregonlive.com/finance/index.ssf/2014/05/oregon_investigating_complaint.html

Time to follow up on recent columns:

Oregon regulators are investigating whether the Archdiocese of Portland violated state law by failing to properly notify employees and volunteers that they could be victims of tax-return fraud.

The Oregon Division of Finance and Corporate Securities has received two complaints from consumers about the Archdiocese, which oversees schools and parishes serving 418,000 Catholics in western Oregon. The complaints allege the Archdiocese failed to properly alert past and present employees and volunteers that their Social Security numbers

might be compromised.

Hundreds have reported being victims of tax-return fraud, Archdiocese spokesman Bud Bunce said. All submitted those numbers as part of background checks before they begin working with youth in parishes and schools.

They learned of the crime when they filed their federal tax return, only to have the Internal Revenue Service reject it because one already had been filed using their Social Security number. Beaverton police took 39 reports of identity theft from Jesuit High School alone, department spokesman Mike Rowe said.

In early March, the Archdiocese of Seattle notified 90,000 past and present employees and volunteers of the potential problem in its district, said archdiocese spokesman Greg Mangioni. But consumers in Oregon said the Archdiocese of Portland did not take the same precaution.

Amy McLaughlin said she and her sister-in-law, both volunteers at St. Joseph School in Salem, had their returns rejected. They read about the issue in The Oregonian before calling the Archdiocese.

"I want them to correctly notify the potentially affected volunteers and employees," she wrote in her complaint. "Their response is, as far as I'm concerned, inadequate."

McLaughlin should know. As the former information technology security manager at the Oregon Department of Revenue, she sat in on stakeholders groups that helped shape the state’s ID theft law, she said.

“I guess I was expecting a response because that’s what the law says you’re supposed to do,” she said in an interview, adding, “I spent 5 years volunteering extensively in support of the school. I feel very put out by that -- not even getting an email.”

Robert Dillard also complained after discovering he was a victim when filing his return April 15. His first refund in 30 years will likely be delayed six months, he said.

"I trusted them with my data, and it's their responsibility to safeguard it," said Dillard, who volunteers at St. John the Baptist Catholic School in Milwaukie.

Oregon's Consumer Identity Theft Protection Act applies to any organization that "owns, maintains or otherwise possesses data" involved in a security breach. The law requires anyone whose data was breached to be notified "without unreasonable delay" in writing, electronically or by phone.

However, it's not clear Social Security numbers leaked directly from the Archdiocese. Initial news reports in Seattle indicated the breach might have happened at a company that does background checks on parish and school volunteers and workers. Officials have since publicly backed off that allegation on the recommendation of federal authorities. But it raises questions about who's responsible for notifying Oregon consumers under the law.

"The law is very general about who would do the notification," said Diane Childs, public outreach coordinator with the regulatory division. "Generally it would be the entity that owns the information."

The Archdiocese first alerted its pastors and school principals on March 19, two days after receiving its first call from a victim, Bunce said in an interview. Another message went out March 28, he said. McLaughlin and Dillard said they were not aware of those messages.

There are other notification exceptions. Law enforcement can ask in writing that the organization withhold notice to avoid impeding a criminal investigation. In addition, an organization that expects to spend more than $250,000 notifying consumers directly can instead rely on news reports or a posting on its website to get the word out.

McLaughlin noted in her complaint that she has never visited the Archdiocese's website. "There is very little reason for any volunteer to check (it) ... so it doesn't seem like a reasonable avenue for notification," she wrote.

Oregon regulators can fine organizations that violate the law $1,000 per violation up to $500,000. Still, consumer attorneys consider the law weak because private individuals have no right to sue to enforce it.

"When the Legislature passes a law with no right of private action, it just adds insult to injury," said Salem consumer attorney John Gear.

Any delay in notifying victims could result in them falling victim to other types of fraud before they get a chance to freeze their credit files or notify their bank.

Childs said the state is awaiting more information from the IRS and FBI.

Dillard, a Farmer's Insurance agent, says the Archdiocese should've have had access to data-breach liability coverage in its business insurance policy to pay for an aggressive notification effort.

"It's an optional endorsement that I don't even make optional," Dillard said. "If the Archdiocese's insurance agent has done their job properly, it should be covered under (its) policy."

If you're a business owner, you should be asking: Do you possess a volunteer, employee or consumer's name linked in any way to the corresponding Social Security, driver's license, Passport or financial-account number? If so, you'd better know your responsibilities under Oregon's ID theft protection law. You might also make sure you're insured for such a breach.

Beyond the church

Tax-return fraud didn't just emanate from the Archdiocese. Physicians nationwide also have fallen victim to an unusual number of incidences. Medical associations in several states report multiple victims among members, though Oregon Medical Association spokeswoman Susan Callahan said it hasn't received any reports.

Portland doctor Kris Alman discovered March 27 that someone had already filed a tax return using her husband's name and Social Security number. She said an IRS agent told her that someone tried March 6 to electronically file returns using both his number and hers. But the agency's computer screens rejected them. Someone tried using their information again March 12. This time, the agency accepted one of the false returns.

"I said 'Whoah, sounds like your algorithms aren't working very well.'" Alman recalled. "He said, 'Yep.'"

There's one thing you can do about that: Call your U.S. Senator or Representative. Tell them to give the IRS more resources to fight such fraud.

More charity auction tips

A few weeks ago, I wrote about my experience overbidding at my daughters' school auction. I lamented the auctioneer's spotter egging me on. A number of you offered up stories of similar experiences.

My favorite piece of advice came from Jesse Reding of Gresham. Reding says she's helped organize dozens of fundraising auctions, including the annual Classic Wines Auction, which this year raised $3.4 million for charities.

"As a huge advocate for volunteering - and knowing what these spotters do because I've been one - the soundest advice I can give is: help out by volunteering," Reding said. "It allows you to be there, be part of the action, have fun and to engage with your friends. It's a lot harder to spend money."

 

 

 

 

 




.

 
 

Any original material on these pages is copyright © BishopAccountability.org 2004. Reproduce freely with attribution.