Real Risk of Significant Harm in case of Email Address Breach

May 19, 2011

The Information and Privacy Commissioner of Alberta, Frank Work, recently released decisions in Best Buy Canada Ltd. and Air Miles Reward Program reflecting his view that, in certain circumstances, a breach involving non-sensitive personal information may necessitate notification to the Commissioner and affected individuals.

The decisions relate to breach incident reports submitted by Best Buy Canada Ltd. and Air Miles Reward Program following a breach by their service provider, Epsilon, in which at least 50 million email addresses were compromised.  

The Personal Information Protection Act in Alberta requires that organizations notify the Commissioner in the case of a breach where there is "a real risk of significant harm" to an individual. The Commissioner concluded that, although the information at issue was non-sensitive in nature (i.e., name, e-mail, and organization membership), the magnitude of the breach and evidence of potential use for malicious purposes (such as email and spear phishing) indicated that there was a real risk of significant harm to individuals.
