The Information Commissioner’s Office (ICO) recently updated their guidance for organisations on email security, in particular when sending bulk communications such as mailshots using the “BCC” facility.
From an information security point of view, if you are able to identify a living person (either directly or indirectly) from an email address, then that email address counts as “personal data” and should be treated as such.
The “CC” facility allows emails to be sent to multiple addresses; all those in the “To” and “CC” fields can see the email addresses in these fields. This is often used to make other people aware of what has been sent and to ensure the main recipient is aware that other people know.
When the “BCC” field is used, recipients can’t see the email addresses of other recipients in that field.
However, the ICO reports that since 2019 it has received nearly 1000 reports of cases where forgetting to use “BCC”, or using it incorrectly, has led to the accidental disclosure of personal information, some of which have resulted in the organisations responsible being fined.
The ICO recommends that “if organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merges, or secure data transfer services.”
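To show why the BCC field is fragile and what the "mail merge" alternative looks like in practice, here is an added example (not from the ICO guidance or any named product) in Python. It builds the same message both ways and includes a check that inspects the message exactly as it would be transmitted, so a sending pipeline can refuse to send anything that would reveal one recipient's address to another. The sender address and recipient list are constructed placeholders.

```python
"""Check outgoing messages for recipient-address leakage and build per-recipient
copies (the mail-merge pattern) instead of relying on a single BCC message.
Added example; addresses below are constructed placeholders, not real people."""
from email.message import EmailMessage
from email.policy import default

# Constructed sample data for the demonstration.
SENDER = "noreply@example.invalid"
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_bcc_message(sender, recipients, subject, body):
    """The risky pattern: one message with every recipient in Bcc.

    This is only safe if the sending layer strips the Bcc header before
    transmission. smtplib.SMTP.send_message() does that; smtplib.SMTP.sendmail()
    with msg.as_string() does not, and every recipient would see the full list.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body):
    """The mail-merge pattern: a separate message per recipient, with only that
    recipient in To, so there is no shared address list to leak."""
    messages = []
    for addr in recipients:
        msg = EmailMessage(policy=default)
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def leaked_addresses(msg, all_recipients):
    """Return the recipient addresses that appear anywhere in the message as it
    would be sent on the wire (headers included), other than the address(es)
    explicitly in the To field. An empty set means nothing would be disclosed."""
    raw = msg.as_string()
    intended = {a.strip() for a in str(msg["To"] or "").split(",") if a.strip()}
    return {a for a in all_recipients if a in raw and a not in intended}


def safe_to_send(msg, all_recipients):
    """Gate for a sending pipeline: True only if no other recipient is exposed."""
    return not leaked_addresses(msg, all_recipients)


if __name__ == "__main__":
    bcc_msg = build_bcc_message(SENDER, RECIPIENTS, "Service update", "Hello")
    print("BCC message would expose:", sorted(leaked_addresses(bcc_msg, RECIPIENTS)))
    for m in build_individual_messages(SENDER, RECIPIENTS, "Service update", "Hello"):
        print(m["To"], "safe:", safe_to_send(m, RECIPIENTS))
```

The check looks at `as_string()` rather than at individual headers on purpose: it catches the Bcc case, but also a copied address list that ends up in Cc, in Reply-To, or pasted into the body.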