That's cool and all but it doesnt negate negligence. It only limits scope, which is good. They should always have done both. A company that protects Bitcoin should be able to protect email addresses.