Call the Feds – Blumenthal Requests DOJ Investigation of Epsilon Breach
Connecticut Senator Richard Blumenthal is calling for a federal investigation of the Epsilon data breach. On April 1st, Epsilon disclosed a security breach that compromised names and email addresses belonging to customers of numerous major U.S. companies that outsource their email marketing to Epsilon.
In an April 6th letter to U.S. Attorney General Eric Holder (AG Holder), Blumenthal urged the U.S. Department of Justice (DOJ) to investigate the incident for potential civil or criminal liability on the part of Epsilon. Blumenthal expressed concern that Epsilon has not disclosed the exact circumstances of the security breach, the full nature of the information compromised, or the identity of the affected individuals. Blumenthal further believes that Epsilon should notify all affected individuals and provide them with complimentary “financial data security services” and insurance to protect them from the financial consequences of identity theft.
Requiring Epsilon to provide individual notifications and identity theft protection may be entirely appropriate considering the potential repercussions of this breach. Although Epsilon originally indicated that the breach compromised only names and email addresses, recent reports suggest that it may also implicate a form of medical information. The companies that used Epsilon’s marketing services include at least one prominent drug manufacturer whose customer list was organized by the drug-specific websites to which its customers had subscribed. Thus, anyone who views the compromised information could potentially infer which drugs a particular affected individual was taking.
Furthermore, even if the majority of the compromised information consists only of names and email addresses, identity thieves could use that information to send affected individuals targeted phishing emails seeking account credentials or other financial information. Because the breach also exposed which major companies each affected individual had a prior business relationship with, any resulting phishing emails could be easily disguised as legitimate account inquiries from those companies.
While we have seen state attorneys general showing more and more interest in breach investigations, Blumenthal’s letter to AG Holder is one step toward more active federal involvement in the wake of high-profile breaches. With large, national breaches becoming an unfortunately common occurrence, the DOJ has the size and resources necessary to fully investigate such incidents. If and when AG Holder decides to launch a federal investigation, we will certainly be watching to see what additional information the DOJ requires from Epsilon and whether Epsilon will be subject to any penalties or fines. Any action on the part of the DOJ could provide interesting insight into how the federal government will handle incidents like the Epsilon breach, especially now that the Obama Administration has proposed a national U.S. data breach notification law.