Yet more CC email data breaches

Despite a stark warning from the Information Commissioner’s Office last year that a failure to correctly use the BCC field (Blind Carbon Copy) is one of the most common causes of breaches, the mistakes keep happening.

The ICO has recently fined and issued a reprimand to the Central YMCA for sending an email to individuals participating in a programme for people living with HIV. The CC field was used, thereby revealing the email addresses to all recipients. 166 recipients could be identified or potentially identified from this, and it could be inferred they were likely to be living with HIV.

Then we hear the Conservative party has reported a breach to the ICO, after hundreds of email addresses were visible to all recipients in an email communication promoting the party’s annual conference. Again, a mistake in using CC rather than BCC; the latter would have kept email addresses private. It is a mistake which has the potential to reveal people’s political affiliations.

Last year in response to the number of breaches of this nature, the ICO published specific email security guidance to try and help organisations make sure their email communications are more secure.

Such breaches can cause considerable distress and harm, especially if sensitive personal information is involved, or can be inferred from the context of the email. The Regulator provides the following suggestions:

  • Setting rules to provide alerts to warn employees when they use the CC field.
  • Setting a delay, to allow time for errors to be corrected before the email is sent.
  • Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.
  • Making sure staff are trained about security measures when sending bulk communications by email.
  • Using alternative more secure bulk email solutions.

The Central YMCA and Conservative Party are not the first to find themselves in the spotlight for incorrectly using CC. Sadly, I suspect they won’t be the last.

A couple of years ago, HIV Scotland was fined for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the CC field. Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented assumptions could be made about individuals’ HIV status or risk from the data disclosed. The ICO investigation found a number of shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.

The message is simple: the BCC method of bulk email is open to human error, and not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information.

Instead, the advice is to use other secure means, such as bulk email services, which would remove the chance of this mistake being made. The ICO says it would also expect businesses to have policies and training in relation to email communications. It’s also worth checking out the National Cyber Security Centre’s useful Email Security Checklist.