Email Address: Is It Personally Identifiable Information (PII)? Maybe In Alberta, Canada.

Personally identifiable information, otherwise known as PII, otherwise known as sensitive info.  We know that these must be protected in this day and age, and that data encryption like AlertBoot is one of the better ways to do so.  But what is PII?  Are email addresses PII?  In Canada, it looks like it could be, depending on the situation.

Information and Privacy Commissioner of Alberta, Canada Concludes “Email is PII”

The Information and Privacy Commissioner of Alberta, Frank Work, has recently issued a ruling which seems to indicate that, in sufficient amounts, the loss of email addresses can be considered a data breach that requires organizations to report said breach to individuals.

After considering the massive data breach at Epsilon, Work has concluded that,

…although the information at issue (name, email addresses and organization membership (in the Best Buy case) was relatively minor compared to other data breaches which involve the unauthorized access of financial or other sensitive information, the sheer magnitude of the breach and the evidence that the information will likely be used for malicious purposes indicated there was a real risk of significant harm to affected individuals… [, my emphasis]

Alberta PIPA Definition of “Personal Information”

You’ll notice that I said that Commissioner Work “concluded” that email addresses are PII.  Concluded?  How so?  Well, take a look at PIPA’s definition of personal information:

“Personal information” means information about an identifiable individual. [section 1(1)k of Personal Information Protection Act of Alberta]

That’s pretty broad.  In the US, for example, there are specific rules on what is considered PII in the context of a breach.  For example, many states by law only recognize the loss of SSNs as a data breach if and only if names were also lost in the breach (either the full name or the last name and first name’s initial).  I’m not aware of any states that include the loss of email addresses as a breach.

Anyway, coming back to Alberta’s PIPA (and it is Alberta’s PIPA.  PIPA differs from province to province), the broad definition means that someone has to interpret the law, and it falls upon the commissioner to do so.

As Dissent at has noted, the commissioner’s conclusion is significant because

…even (just) name and email addresses in the context of a large breach of this kind indicates a “real risk of significant harm.”

I’m inclined to agree.  I can’t think of any past breaches where the loss of e-mail addresses resulted in an official ruling that it was a data breach (although, in the case of TD Ameritrade, there was a massive settlement to a lawsuit regarding the breach of email addresses belonging to TD’s clients.)

On the other hand, when it come to the question “are email addresses PII?,” it remains unanswered because the above ruling is based on the loss of e-mail address and names.  We’ll need another case to see whether the loss of e-mail addresses only is a data breach in its own right, although the post in the preceding link has an argument that

Of course, companies could be a little proactive and work not to find if that’s the case by using encryption software to protect their data — email addresses inclusive.

Related Articles and Sites:

Comments (0)

Let us know what you think