Incident 52

SUMMARY

Over 2,000 notified about server breach

Records: 2,000
Record Types: SSN, NAA
Breach Type: Hack
Data Family: Electronic
Source: Outside
Organization: Cal State Hayward
Other Affected/Involved Organizations: None
Lawsuit?: NO/UNKNOWN
Data Recovered?: NO/UNKNOWN
Arrest?: NO/UNKNOWN
Submitted By: Anonymous

TIMELINE

Date | Event
(not recorded) | Incident Occurred
(not recorded) | Incident Discovered By Organization
2004-09-23 | Organization Reports Incident
(not recorded) | Organization Mails Notifications
(not recorded) | Records Recovered
(not recorded) | Lawsuit Filed
(not recorded) | Arrest Made

SIMILAR INCIDENTS

Records | Date | Organization
4,000 | 2000-12-09 | University of Washington Medical Center
3,500 | 2005-01-18 | University of San Diego
1,100 | 2005-03-02 | University of California Davis

MAP OF INCIDENT LOCATION

Address: USA

COSTS SUMMARY

Known Actual Costs

No known costs for this incident.

Estimated Costs

Ponemon Institute Direct Costs Estimate [1]: $120,000.00

  1. These estimates are based on the Ponemon Institute's 2009 direct costs figures from their 2009 Annual Study: Cost of a Data Breach. We multiply $60.00 by the number of records to obtain this figure. Keep in mind that, depending on the breach, the direct costs are not always suffered by the breached organization. In the case of credit card number breaches, the direct costs can often be suffered by banks and card issuers. Also note that this is only an estimate.

COMMENTS

by Anonymous on 2011-05-12

I agree you cannot and should not speculate about data breach details, and I apologise if I implied that you should rate the Epsilon breach according to the likelihood that other data was lost. Yet from the outset it was surely obvious that metadata to do with individuals' relationships with hotels, banks, airlines and so on was also involved.
But I want to concentrate, if I may, on the definition of PII and the threshold you set yourselves for the seriousness of PII.
I actually struggle to find a consistent formal definition of Personally Identifiable Information, even in the GLBA. So I assume that PII is more or less the same as the term "Personal Information", which is precisely and consistently defined in jurisdictions like Australia. To wit:
"Personal Information is information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information"
That is, any information at all about me that is associated with my name is PII. That might be "Steve's shoe size is 9". Or "Steve's email address is swilson@lockstep.com.au". And it includes metadata like the name of a file that includes my email address and links it to a pharmaceutical drug of interest.
If you want to bias the working definition of PII according to a level of certainty that I am actually taking a given drug, versus having a passing interest in it, then you're buying into a complex set of subjective criteria. It is surely better to set a low and objective bar and not try to second-guess just "how" personal the information is.
You say that NIST's approach regarding email addresses is "silly" and you make your own judgement that name + email address needs to be augmented by extra info, like SSN, for it to be counted as 'personal'. Isn't this arbitrary? And isn't it the case that some e-mail addresses are clearly more revealing than others? A free cloud email address mickeymouse@cloud.xyz might be anonymous and not PI, whereas corporate addresses like swilson@lockstep.com.au probably indicate my employment. Where do you draw the line? Why draw a line?
Finally, I am really surprised that datalossdb thinks that disclosing details to a social networking site in any way alleviates the obligations of companies under privacy principles. LinkedIn and Epsilon are poles apart. I tell my professional life story on LinkedIn for a specific purpose, and LinkedIn has a Privacy Policy that circumscribes what they do with my PI. With Epsilon, few people even knew their details had been exported from the hotels, banks and pharma companies.
As for telephone books, that's a red herring. Paying for a phone service involves clearly understood conventions about having one's name, address and number published, and there is the option of silent numbers. So yes, a phone book is absolutely PII, but it's a collection that is clearly consented to.

Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail officers@opensecurityfoundation.org with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2012, Open Security Foundation, All Rights Reserved.