Oregon investigating complaints about the Archdiocese of Portland’s handling …

 Time to follow up on
recent columns:

Oregon regulators are
investigating whether the Archdiocese of Portland violated state law by failing
to properly notify employees and volunteers that they could be victims of
tax-return fraud.

The Oregon Division of
Finance and Corporate Securities
has received two complaints from consumers
about the Archdiocese, which oversees schools and parishes serving 418,000
Catholics in western Oregon. The complaints allege the Archdiocese failed to properly
alert past and present employees and volunteers that their Social Security
numbers might be compromised.

Hundreds have reported
being victims of tax-return fraud, Archdiocese spokesman Bud Bunce said. All
submitted those numbers as part of background checks before they begin working
with youth in parishes and schools.

They learned of the crime
when they filed their federal tax return, only to have the Internal Revenue
Service reject it because one already had been filed using their Social
Security number.  Beaverton police took
39 reports of identity theft from Jesuit High School alone, department spokesman
Mike Rowe said.

In early March, the
Archdiocese of Seattle notified 90,000 past and present employees and
volunteers of the potential problem in its district, said archdiocese spokesman
Greg Mangioni. But consumers in Oregon said the Archdiocese of Portland did not
take the same precaution.

Amy McLaughlin said she and her sister-in-law, both volunteers at St. Joseph School in Salem, had their returns rejected. They read about the issue in The Oregonian before calling the Archdiocese.

“I want them to correctly
notify the potentially affected volunteers and employees,” she wrote in her
complaint. “Their response is, as far as I’m concerned, inadequate.”

McLaughlin should know. As the former information technology security manager at the Oregon Department of Revenue, she sat in on stakeholders groups that helped shape the state’s ID theft law, she said.

“I guess I was expecting a response because that’s what the law says you’re supposed to do,” she said in an interview, adding, “I spent 5 years volunteering extensively in support of the school. I feel very put out by that — not even getting an email.”

Robert Dillard also
complained after discovering he was a victim when filing his return April 15.
His first refund in 30 years will likely be delayed six months, he said.

“I trusted them with my
data, and it’s their responsibility to safeguard it,” said Dillard, who volunteers
at St. John the Baptist Catholic School in Milwaukie.

Oregon’s Consumer Identity
Theft Protection Act
applies to any organization that “owns, maintains or otherwise possesses
data” involved in a security breach. The law requires anyone whose data was
breached to be notified “without unreasonable delay” in writing, electronically
or by phone.

However,
it’s not clear Social Security numbers leaked directly from the Archdiocese.
Initial news reports in Seattle indicated the breach might have happened at a
company that does background checks on parish and school volunteers and
workers. Officials have since publicly backed off that allegation on the
recommendation of federal authorities. But it raises questions about who’s
responsible for notifying Oregon consumers under the law.

“The law is very general
about who would do the notification,” said Diane Childs, public outreach
coordinator with the regulatory division. “Generally it would be the entity
that owns the information.”

The Archdiocese first alerted its pastors and school principals on March 19, two days after receiving its first call from a victim, Bunce said in an interview. Another message went out March 28, he said. McLaughlin and Dillard said they were not aware of those messages. 

There are other notification exceptions. Law enforcement can ask in writing that the organization withhold
notice to avoid impeding a criminal investigation. In addition, an organization
that expects to spend more than $250,000 notifying consumers directly can instead
rely on news reports or a posting on its website to get the word out.

McLaughlin
noted in her complaint that she has never visited the Archdiocese’s website.
“There is very little reason for any volunteer to check (it) … so it doesn’t
seem like a reasonable avenue for notification,” she wrote.

Oregon
regulators can fine organizations that violate the law $1,000 per violation up
to $500,000. Still, consumer attorneys consider the law weak because private individuals
have no right to sue to enforce it.

“When the
Legislature passes a law with no right of private action, it just adds insult
to injury,” said Salem consumer attorney John Gear.

Any delay
in notifying victims could result in them falling victim to other types of
fraud before they get a chance to freeze their credit files or notify their
bank.

Childs
said the state is awaiting more information from the IRS and FBI.  

Dillard, a Farmer’s
Insurance agent, says the Archdiocese should’ve have had access to data-breach
liability coverage in its business insurance policy to pay for an aggressive
notification effort.

“It’s an optional
endorsement that I don’t even make optional,” Dillard said. “If the
Archdiocese’s insurance agent has done their job properly, it should be covered
under (its) policy.”

If you’re
a business owner, you should be asking: Do you possess a volunteer, employee or
consumer’s name linked in any way to the corresponding Social Security,
driver’s license, Passport or financial-account number? If so, you’d better
know your responsibilities under Oregon’s ID theft protection law. You might also
make sure you’re insured for such a breach.

Beyond the church

Tax-return fraud didn’t
just emanate from the Archdiocese. Physicians nationwide also have fallen
victim to an unusual number of incidences. Medical associations in several
states report multiple victims among members, though Oregon Medical Association
spokeswoman Susan Callahan said it hasn’t received any reports.

Portland doctor Kris Alman
discovered March 27 that someone had already filed a tax return using her
husband’s name and Social Security number. She said an IRS agent told her that
someone tried March 6 to electronically file returns using both his number and
hers. But the agency’s computer screens rejected them. Someone tried using
their information again March 12. This time, the agency accepted one of the
false returns.

“I said ‘Whoah, sounds
like your algorithms aren’t working very well.'” Alman recalled. “He said,
‘Yep.'”

There’s one thing you can
do about that: Call your U.S. Senator or Representative. Tell them to give the
IRS more resources to fight such fraud. 

More charity auction tips

A few weeks ago, I wrote
about my experience overbidding
at my daughters’ school auction. I lamented the
auctioneer’s spotter egging me on. A number of you offered up stories of
similar experiences.

My favorite piece of
advice came from Jesse Reding of Gresham. Reding says she’s helped organize dozens
of fundraising auctions, including the annual Classic Wines Auction, which this
year raised $3.4 million
for charities.

“As a huge advocate for
volunteering – and knowing what these spotters do because I’ve been one – the
soundest advice I can give is: help out by volunteering,” Reding said. “It
allows you to be there, be part of the action, have fun and to engage with your
friends. It’s a lot harder to spend money.”

— Brent Hunsberger is an Investment Adviser Representative in Portland. For important disclosures and information about Brent, visit ORne.ws/aboutbrent. Reach him by email or leave a message at 503-683-3098.

Article source: http://www.oregonlive.com/finance/index.ssf/2014/05/oregon_investigating_complaint.html

Technorati Tags: ,

Tags: ,

Leave a Reply