5 min read

How to use BCC securely and compliantly | Guidance from the ICO

The ICO has issued guidance on one of the leading causes of data incidents, the misuse of blind carbon copy (BCC). Warning organizations against the use of BCC, the ICO recommends the use of alternative means when sending emails containing sensitive information.

But when it comes to sharing data with multiple stakeholders, what are organizations to do?

In wake of thousands of incidents caused by the incorrect use of BCC, it is no surprise that the ICO has taken a stance against its use. According to data, failure to use BCC properly is consistently within the top 10 non-cyber related breaches. Incorrect use of BCC accounts for 1000 reports to the ICO since 2019, with the education sector taking the lead as the biggest offender, followed by healthcare, and local government.

Mihaela Jembei, ICO Director of Regulatory Cyber, said:

“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.”

“While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organizations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organizations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.”

“This new guidance is part of our commitment to help organizations get email security right. However, where we see negligent behavior that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”

How to prevent data leaks caused by Bcc errors

According to data protection laws, organizations must have appropriate technical and organizational measures in place to protect sensitive data. The ICO advises that, for organizations sharing large quantities of sensitive data and personally identifiable information, additional security measures should be considered.

Fortunately, today, solutions are within reach to prevent all kinds of human errors when emailing sensitive data, including the misuse of BCC. In fact, in 2022, we prevented 18,000 BCC errors - on average 3 BCC errors for 6000 organizations

Here’s how.

The ability to share large data sets with multiple individuals, without disclosing email addresses, is key for employees. However, it is all too easy to mistakenly add email addresses into the wrong field when working at speed or juggling multiple tasks at once. Our days have never been busier, after all.

And for this reason, installing additional clunky processes into our already busy days isn’t an option. Data protection measures must empower people to work efficiently, not hinder them.

Zivver integrates seamlessly with Outlook, M365 and Gmail. While employees draft emails, Zivver operates silently in the background of the email client, ready to spot the presence of sensitive data in the body of or attachments of emails. Zivver also identifies “unusual” recipients and alerts users to potential incidents, including misuse of BCC, so employees can take action to correct mistakes before they happen.

Prompts to consider when to share sensitive information, and with who, kickstarts a data security conscious culture. Used by over 8000 organizations worldwide, Zivver is the effortless way to email securely, and avoid the leading causes of data incidents - including risky blind carbon copy errors.

Learn more about our secure email and file transfer solutions.

First published -
Last updated - 20/09/23
Free demo
Free demo
Free demo

Ready for a deeper dive? So are we.