Failure to use Blind Carbon Copy (BCC) correctly in emails is a common administrative error that can have serious consequences.
Putting recipients in the ‘To’ or ‘CC’ field instead of the BCC field can expose large numbers of email addresses, leaving their owners at increased risk of being compromised, receiving unwanted spam messages, or being targeted by phishing attacks.
Worse still, the harm is greater when sensitive personal information is involved or where people’s association with a sensitive subject is revealed.
In one example, NHS Highland emailed 37 people likely to be accessing HIV services, inadvertently using CC (carbon copy) instead of BCC (blind carbon copy). The error meant recipients of the email could see the personal email addresses of other people receiving the email, with one person confirming they recognised four other individuals, one of whom was a previous sexual partner.
When you use the ‘BCC’ field in an email, the recipients cannot see each other’s email addresses. This may be suitable when the information being shared is not sensitive, and there’s minimal risk. However, if your email might disclose sensitive details about the recipients, it’s crucial to consider more secure methods that avoid the risk of inadvertently using the ‘To’ or ‘CC’ fields.
Here are some recommended practices:
- Use mail merge to send bulk email messages: Do this when sending emails to multiple recipients that contain or relate to sensitive or special category data.
- Implement send delays: Consider setting a delay before emails are sent to provide a window for error correction.
- Clear your Outlook Auto-Complete cache: Consider clearing your Auto-Complete cache every couple of months to remove older, infrequently used email addresses.
- Sensitive information: When sending emails containing sensitive information, always double-check the recipient list and consider whether email is the most secure method for sharing that information.
- Avoid attachments: Where possible, provide access to files using Microsoft 365.
If a data breach occurs, it is vital that our Information Governance team is informed as soon as possible so we can work with you to reduce the impact on individuals. Find out how to report a data breach.