The Office of Information and Privacy Commissioner for the province of Alberta issued a decision [PDF] on May 16, regarding the Epsilon breach that affected the customer lists of 150 different companies, including Best Buy and Air Miles. Both companies operate in Canada.
The Personal Information Protection Act, which went into force May 01, 2010, compels companies to notify their customers in the event of a breach. Both companies did so.
Best Buy and Air Miles proactively reported to the Commissioner that they had been notified by their service provider, Epsilon (a large US based third party marketing organization) that it had experienced a data breach in which 50 million or more email addresses were compromised and that its customers as well as customers of other organizations serviced by Epsilon had been affected. Best Buy and Air Miles had also proactively notified their affected members of the breach within a few days of learning about it.
Commissioner Work reviewed the incident reports by Best Buy and Air Miles and concluded that although the information at issue (name, email addresses and organization membership (in the Best Buy case) was relatively minor compared to other data breaches which involve the unauthorized access of financial or other sensitive information, the sheer magnitude of the breach and the evidence that the information will likely be used for malicious purposes indicated there was a real risk of significant harm to affected individuals. He noted in his decisions that Best Buy and Air Miles had already notified the affected customers in compliance with section 19.1 of the PIPA Regulation, and therefore did not require the organizations to notify again.
CAUCE congratulates both Best Buy and Air Miles, as well as Information and Privacy Commissioner of Alberta, Frank Work on their actions in this regard.
As always, our advice to consumers remains the same: If you received a notices from any company regarding the Epsilon breach, we suggest you change your email address immediately.