Retaining email addresses doesn’t necessarily suggest deliberate misuse (or even accidental misuse), however. Unless you’re of the opinion that retaining it after, say, account closure/deactivation, is itself misuse.
I’d take a big issue to an organization storing a social security number or something of that nature, because its leak would represent a significant risk, but email addresses are fairly disposable items that we only voluntarily attach to ourselves to.
I’d take a big issue to an organization storing a social security number or something of that nature, because its leak would represent a significant risk, but email addresses are fairly disposable items that we only voluntarily attach to ourselves to.