Take care when copying people into emails, information commissioner warns
Companies should only use the Bcc function in some situations, according to the Information Commissioner’s Office.
The information watchdog has warned businesses to limit their use of Bcc when they send emails.
The function, which allows a sender to send an email to several recipients without revealing who has received it, regularly leads to data breaches, the Information Commissioner’s Office said on Wednesday.
Bcc, which stands for blind carbon copy, can be used in some situations, the ICO said, but should be avoided whenever sending sensitive personal information.
It said that it is common for senders trying to Bcc others into an email to accidentally use the Cc field, which does not protect their email addresses from being seen by all recipients.
“You may use this to copy in someone discreetly or send a bulk email with a large mailing list,” the ICO said in new guidance.
“However, forgetting to use Bcc frequently leads to the accidental disclosure of all the recipients’ email addresses.”
It added: “You might use Bcc with other measures if the personal information you’re sharing isn’t sensitive and there’s little risk.
“For example, if you have general information, such as an internal newsletter, and you wish to avoid ‘Reply all’ responses.”
The ICO said incorrect use of Bcc is consistently one of the top-10 non-cyber breaches that it deals with. Nearly 1,000 such cases have been reported since 2019.
The education sector performs the worst here, followed by the health sector, local government, retail and the charity sector.
Mihaela Jembei, ICO director of regulatory cyber, said: “Failure to use Bcc correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.
“While Bcc can be a useful function, it’s not enough on its own to properly protect people’s personal information.
“We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers.
“If organisations are sending any sensitive personal information electronically, they should use alternatives to Bcc, such as bulk email services, mail merge, or secure data transfer services.
“This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”
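The Cc-instead-of-Bcc slip described above, beside the per-recipient mail-merge alternative the ICO points to, as an added Python example that is not from the article or the ICO's guidance. The sender address, the mailing list and the pre-send check are constructed for illustration.

```python
from email.message import EmailMessage

# Constructed sample mailing list; names and addresses are made up.
RECIPIENTS = [
    ("Alice Example", "alice@example.org"),
    ("Bob Example", "bob@example.org"),
    ("Carol Example", "carol@example.org"),
]
SENDER = "sender@example.org"  # hypothetical sender


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read from the delivered headers (To and Cc).
    Bcc is stripped on submission by a well-behaved mail server, so it is not counted."""
    addrs = []
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def bulk_message(subject: str, body: str, recipients, field: str = "Bcc") -> EmailMessage:
    """One message to the whole list, with the list placed in `field`.
    Calling this with field="Cc" reproduces the accidental-disclosure mistake."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg[field] = ", ".join(f"{name} <{addr}>" for name, addr in recipients)
    msg.set_content(body)
    return msg


def merged_messages(subject: str, body_template: str, recipients) -> list[EmailMessage]:
    """Mail-merge alternative: a separate message per recipient, so no header
    ever carries anyone else's address, whichever field the sender picks."""
    out = []
    for name, addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = f"{name} <{addr}>"
        msg["Subject"] = subject
        msg.set_content(body_template.format(name=name))
        out.append(msg)
    return out


def check_before_send(msg: EmailMessage, sensitive: bool) -> list[str]:
    """Pre-send guard: flag headers that would disclose the list, and flag
    Bcc being relied on at all when the content is sensitive."""
    problems = []
    seen = visible_recipients(msg)
    if len(seen) > 1:
        problems.append(f"{len(seen)} addresses visible to every recipient (To/Cc)")
    if sensitive and msg.get("Bcc"):
        problems.append("sensitive content sent via Bcc; use per-recipient messages instead")
    return problems
```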