Re: Fwd: [Dataloss] Epsilon Bingo [def. of PII]

["DAIL, WILLARD A" <ADAIL () sunocoinc com>]

I don't think the definition of PII has evolved, I think you are witnessing a business decision based on risk to brand 
reputation. 

In this instance the breach was by a 3rd party service provider, so the primary businesses do more to protect their 
reputations by announcing that someone else breached their customer's data than by having some customers eventually 
think it was their fault.  Had this breach been at any one of the retailers listed you would have probably been 
hard-presses to find any sort of breach notice.

The exception might be the banks.  Spearphising attacks are far more likely to succeed when you recieve a 
correspondence from an institution where you actually have an account, so the banks would likely have a financial 
interest in notification (since they would ultimately have to cover the fraud associated with lost credentials), 
whereas the retailers would not, and so would likely follow the legal definition of PII and not notify.



________________________________________
From: dataloss-discuss-bounces () datalossdb org [dataloss-discuss-bounces () datalossdb org] On Behalf Of Jake Kouns 
[jkouns () opensecurityfoundation org]
Sent: Tuesday, April 05, 2011 10:02 PM
To: dataloss-discuss () datalossdb org
Subject: [Dataloss-discuss] Fwd: [Dataloss] Epsilon Bingo [def. of PII]

Lots of room for a great discussion on this topic...

See below for thoughts on email address being considered PII...

What do others think about it?


---------- Forwarded message ----------
From: Dave Stampley <dstampley () kamberlaw com>
Date: Tue, Apr 5, 2011 at 10:06 PM
Subject: Re: [Dataloss] Epsilon Bingo [def. of PII]
To: Jake Kouns <jkouns () opensecurityfoundation org>


Dear Mr. Kouns,

Regarding whether email addresses are PII--in some quarters, email
addresses have been considered PII for some time. Please consider:

“Personally identifiable information” or “personal information” shall
mean individually identifiable information from or about an individual
including, but not limited to: (a) a first and last name;(b) a home or
other physical address, including street name and name of city or
town; (c) an email address or other online contact information, such
as an instant messaging user identifier or a screen name that reveals
an individual’s email address; (d) a telephone number; (e) a Social
Security Number; (f) a persistent identifier, such as a customer
number held in a “cookie” or processor serial number, that is combined
with other available data that identifies an individual; or (g) any
information that is combined with any of (a) through (f) above. In the
Matter of Microsoft Corporation, Federal Trade Commission, File No.
012 3240, Docket No. C-4069, Agreement Containing Consent Order, Aug.
8, 2002, pp. 2-3,
http://www.ftc.gov/os/caselist/0123240/microsoftagree.pdf; accord In
the Matter of Eli Lilly and Company, Assurance of Voluntary Compliance
and Discontinuance, Attorneys General of the States of California,
Connecticut, Idaho, Iowa, Massachu­setts, New Jersey, New York, and
Vermont, p. 7 n.3, July 2002,
http://supplierportal.lilly.com/SiteCollectionDocuments/Multi_State_Order.pdf.

Thanks for the datalossdb.

Regards,
Dave



David A. Stampley | KamberLaw, LLC

100 Wall St., 23rd Fl., New York, NY 10005

tel  212.920.3072    |   fax  212.920.3081



dstampley () kamberlaw com | www.kamberlaw.com

CONFIDENTIALITY AND LIABILITY FOR MISUSE. The information contained in
this communication is the property of KamberLaw, LLC.  It is
confidential, may be attorney work product, attorney-client privileged
or otherwise exempt from disclosure under applicable law, and is
intended only for the use of the addressee(s).  Unauthorized use,
disclosure or copying of this communication or any part thereof is
strictly prohibited.  If you have received this communication in
error, please notify KamberLaw, LLC immediately by return e-mail and
destroy this communication and all copies thereof, including all
attachments.  Pursuant to requirements related to practice before the
U.S. Internal Revenue Service, any tax advice contained in this
communication (including any attachments) is not intended to be used,
and cannot be used, for purposes of (i) avoiding penalties imposed
under the U.S. Internal Revenue Code or (ii) promoting, marketing or
recommending to another person any tax-related matter.

On 4/5/11 9:27 PM, Jake Kouns wrote:

http://datalossdb.org/incident_highlights/52-epsilon-bingo

By now, everyone has probably read about a company named Epsilon. In
fact, most people likely have second hand involvement, receiving one
or more emails from companies you do business with warning you to be
very careful after a recent incident. Most of these companies have
used a similar form letter explaining the concerns and that you should
be "cautious of phishing e-mails, where the sender tries to trick the
recipient into disclosing confidential or personal information." These
notifications stem from Epsilon, a managed e-mail broadcasting
company, getting compromised and having all of their customer e-mail
addresses copied.

We have received a few emails from people asking us how we could have
missed the Epsilon breach and why it isn't on our site. Well, it
actually is on the site as we do follow incidents such as this,
however, it is listed as a Fringe incident. Why “Fringe”? From what we
can tell so far, the breach (while unacceptable) is contained to Names
and Email Addresses. We do recognize that this information may
increase the risk to customers as targeted spearphishing attempts may
be more successful, however, there is no loss of PII. We have debated
this topic for years and instead of not including them in DataLossDB,
they are now just labeled Fringe. There will be more debate on the
severity of this incident for sure. Some think it is critical and
others merely say that their email address was never meant to be
private anyways. There are good arguments supporting both sides of the
debate.

We will be continuing to add all of the affected organizations as we
learn about them, and you can see the incident here:
http://datalossdb.org/incidents/3540

When Epsilon posted the notice on their site they mentioned: "On March
30th, an incident was detected where a subset of Epsilon clients'
customer data were exposed by an unauthorized entry into Epsilon's
email system."

As on April 4th, they have now have updated the definition of “subset”
to mean "The affected clients are approximately 2 percent of total
clients and are a subset of clients for which Epsilon provides email
services."

As of today, we are aware of a little over 40 companies affected and
more notices are pouring in from users. As to how many users are
impacted that is anyone’s guess. Our guess is A LOT.

If you want to read some of the notices we have received, over a dozen
are on our mailing lists archives:
http://lists.osvdb.org/pipermail/dataloss/2011-April/thread.html

For those that want to play along, we have decided to make some
Epsilon Bingo Cards. If you are able to fill up a whole card and prove
it with the notices we might have to give you a prize... that is the
least we could do, right?

As always, please keep sending us any notices that we are missing so
that we may better gauge the scope of this incident and update the
cards.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/