Mihaela Jembei, ICO Director of Regulatory Cyber, said:
“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.”
“While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organizations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organizations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.”
“This new guidance is part of our commitment to help organizations get email security right. However, where we see negligent behavior that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”
How to prevent data leaks caused by Bcc errors
According to data protection laws, organizations must have appropriate technical and organizational measures in place to protect sensitive data. The ICO advises that, for organizations sharing large quantities of sensitive data and personally identifiable information, additional security measures should be considered.
The ability to share large data sets with multiple individuals, without disclosing email addresses, is key for employees. However, it is all too easy to mistakenly add email addresses into the wrong field when working at speed or juggling multiple tasks at once. Our days have never been busier, after all.
For this reason, adding clunky processes to our already busy days isn’t an option. Data protection measures must empower people to work efficiently, not hinder them.
Zivver integrates seamlessly with Outlook, M365 and Gmail. While employees draft emails, Zivver operates silently in the background of the email client, ready to spot the presence of sensitive data in the body or attachments of emails. Zivver also identifies “unusual” recipients and alerts users to potential incidents, including misuse of BCC, so employees can take action to correct mistakes before they happen.
Prompts to consider when to share sensitive information, and with whom, kickstart a data-security-conscious culture. Used by over 8000 organizations worldwide, Zivver is the effortless way to email securely and avoid the leading causes of data incidents, including risky blind carbon copy errors.