Securing emails: using Bcc over Cc
By Peter Andrews-Briscoe, on 23 October 2024
In today’s digital age, it should come as no surprise that many data breaches stem from the improper use of email. Email is one of the most common methods of communication due to its ease and convenience. However, this ubiquity also means that simple mistakes can have significant repercussions.
One common mistake is using Cc instead of Bcc for large bulk emails. For day-to-day emails involving communication between a few team members who are already aware of each other, using Cc is generally acceptable. However, significant problems can arise when you start bulk emailing people who do not know each other.
It’s important to note that it’s not always “just an email address” being exposed in these situations. Consider the case of a clinical trial studying a particular health issue or a bulk email to students who have recently used university-provided counselling services. Sending one email to all participants with their addresses in Cc delivers the full recipient list to every recipient, so each person learns that everyone else on the list is a trial participant or has used the service. An example of this is shown in this article written by the ICO, where 166 people’s HIV status was breached due to the use of Cc instead of Bcc.
For more on the importance of using Bcc over Cc, you can refer to this article from the ICO, which includes advice and case studies on relevant breaches: ICO Guidance on Email Security. Additionally, you can learn about how to use Bcc and how to mitigate any mistakes here: Preventing Email Data Breaches.
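As an added illustration (not part of the original article or the ICO guidance), the Python below contrasts the Cc mistake with a Bcc-style bulk send, where recipient addresses are handed to the mailer as envelope recipients and never appear in the headers, and adds a simple pre-send check that flags messages exposing many addresses. The sender, participant addresses and the visible-recipient limit are constructed for the example.

```python
# Added example, not from the original article: build a bulk notification so that
# recipient addresses travel only in the SMTP envelope, never in visible headers.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; no participant should learn who else is on the list.
SENDER = "study-team@example.org"
PARTICIPANTS = [f"{n}@example.org" for n in
                ("alice", "bob", "carol", "dave", "erin", "frank")]
MAX_VISIBLE_RECIPIENTS = 5  # policy threshold assumed for this example


def build_cc_mistake(sender, recipients, subject, body):
    """The mistake the article describes: every address lands in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)  # delivered verbatim to all recipients
    msg["Subject"] = subject
    msg.set_content(body)
    return list(recipients), msg


def build_bulk_message(sender, recipients, subject, body):
    """Bcc-style send: recipients only in the envelope, headers show the sender."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only address any recipient can read
    msg["Subject"] = subject
    msg.set_content(body)
    # No Bcc header at all: the envelope list is passed to the mailer separately,
    # so nothing leaks even if a library forgets to strip Bcc before sending.
    return list(recipients), msg


def visible_recipients(msg):
    """Addresses every recipient can read from the delivered headers."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(values) if addr]


def check_recipient_exposure(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Pre-send guardrail; returns a list of findings (empty means it passed)."""
    findings = []
    if msg.get_all("Bcc"):
        findings.append("Bcc header still present; strip it before handing to SMTP")
    seen = visible_recipients(msg)
    if len(seen) > limit:
        findings.append(f"{len(seen)} addresses visible in To/Cc (limit {limit})")
    return findings
```

The envelope list returned by `build_bulk_message` is what a mailer passes as RCPT TO; the message itself carries no participant address, which is the property the guardrail checks.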
The use of Bcc should be encouraged as much as possible. Unless you’re certain that all recipients are aware of each other and need to communicate with everyone in the email chain, Bcc should be the standard practice.