
Failure to BCC: This one email mistake could cost you millions!

The Sydney Morning Herald recently ran a story on one company’s million-dollar e-mail mishap. Their big blunder? They loaded 300 customer email addresses into the CC: field instead of the BCC: field, and it’s cost them dearly. Find out what the big deal is with BCC!

Here’s one universal truth about group emails and mass mailouts – we hate receiving them, but we love sending them! Why? Essentially, because we’re busy – “125 emails in the inbox every day” busy – and when we get the chance to knock out several hundred birds with one stone, we take it!

But in the post-mandatory data breach reporting world we now live in, thanks to the introduction of the Notifiable Data Breaches Scheme and the GDPR (amongst others), we need to be more careful than ever before about how, when and with whom we use those handy CC: and BCC: functions!

But first, a history lesson!

Before we go any further, let’s just recap on what the CC: and BCC: functions are actually intended for!

Remember seeing people use those receipt books where they would literally remove and replace a leaf of carbon paper between the pages as they wrote out receipts? Those duplicates were the “carbon copies”, and in typed business documentation the term CC: followed by other recipients’ names was used to indicate who else had received carbon copies of the same document.

BCC or “blind carbon copy” thus refers to the practice of concealing the names of any additional recipients of a document.

With the later advent of email, CC: and BCC: were adopted for use in the email address fields with CC: used to copy a recipient or group of recipients in on an identical message, and BCC: to do the same but with the recipients’ names/address concealed from one another.

What’s wrong with using CC: ?

Nothing essentially – if you are emailing a subset of people who are known to each other, who come under a broader confidentiality or business arrangement (i.e. they work for the same company, are business partners, etc.) or are involved directly in a project or work task relating to the email.

Where CC: goes awry is when whole lists of email addresses of people unknown to each other, and possibly only loosely or perhaps not even related to the matter detailed in the email, are entered into the CC: field as recipients. Every one of those people now has every other address on the list. This is a problem because an individual’s personal or business email address is considered Personally Identifiable Information (PII) and is therefore subject to certain protections.

What is PII?

Personally identifiable information (PII) is any information that can be used to uniquely identify, contact or locate an individual, or that can be used with other sources to uniquely identify a person.

All data has a value, and the going price for PII is high, especially on the dark web where PII is routinely traded as currency for illegal activities. It’s for this reason that unauthorised disclosure of PII is considered a breach under the Notifiable Data Breaches Scheme in Australia.

CC: and BCC: in the data breach stats!

The Office of the Australian Information Commissioner releases a quarterly report on data breaches reported under the NDB Scheme, which also sets out the types and impacts of the data breaches experienced. Typically, we see that in Australia, “human error” tends to routinely account for around 35% of reported data breaches.

Of those data breaches attributed to human error, however, 85% involved private information being sent to the wrong email recipient, or senders failing to use the BCC: feature instead of CC:.

Alarmingly, the most recent report tells us that failure to use BCC: when sending emails impacted an average of 601 individuals per data breach. That’s more people than any business would want to contact to tell them its email practices had caused a notifiable data breach!

So, what’s best practice? Teach your team when to use CC: vs BCC:

TO: Reserve the To: field for the direct recipient(s) of your email.
All members who appear in this line can see each other’s information. It is assumed that either these individuals know each other, or that a reasonable connection can be drawn between them to justify sharing their email addresses.

CC: Use the CC: field to include any secondary recipients who may not be directly addressed in the email but still need to be across, or “copied” on, the content. Each person listed in the CC: and To: sections can see each other’s contact information.

BCC: The BCC: field is for tertiary recipients to be “blind copied” on the message. BCC keeps the details of the recipients in this field hidden from the rest of the recipients. Anyone who is entered into the BCC: field will be able to see who is in the To: and CC: sections without being visible to anyone (except the sender). Technically, BCC: addresses are handed to the mail server as delivery recipients only; the BCC: header itself is removed before the message is sent, which is why nobody else can see it.

BCC: is definitely the way to go when sending out mass mailouts, notices or marketing materials, emailing groups of contacts who do not know each other, and when emailing people whose contact details you have a duty to protect!

For a quick overview and guide to BCC, check out Microsoft’s handy guide, The Ins and Outs of BCC, here.

How to prevent your employees from making a costly CC:/BCC: mistake

The difficulty in preventing a BCC blunder is that it will most likely result from simple human error. That means the first line of defence is user education and training within your business. The good news is that even sharing this blog with your team is a great start!

There are, however, a few business process and technical steps you can take to minimise your risk.

Firstly, ensure business checks and approval processes are in place before the sending out of any mass mailouts.

Secondly, there are data loss prevention tools you can implement in your security stack that will at least prompt users with a warning, or block the send, when certain documents are addressed to recipients outside your organisation, or when an unusually large number of external addresses appear in the visible To: and CC: fields.
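To make the To:/CC:/BCC: behaviour described above concrete, and to show what a simple pre-send check of the kind a DLP tool performs actually looks at, here is an added example. It is not code from the original post or from any product: the organisation domain, the customer addresses and the threshold of five visible external addresses are constructed assumptions. It builds the same 300-customer notice twice, once with the customers in CC: and once in BCC:, flags the first, and shows that the BCC: addresses survive only as envelope (delivery) recipients while the BCC: header never reaches the wire.

```python
"""Pre-send check for the CC:/BCC: mistake, plus a demonstration of how
BCC: recipients travel in the SMTP envelope rather than the message header.

Added example, not from the original post. Domain, addresses and the
threshold below are constructed assumptions.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

OUR_DOMAIN = "example.com.au"   # assumed: the sending organisation's own domain
MAX_VISIBLE_EXTERNAL = 5        # assumed policy: more external addresses than this in To:/CC: is suspicious

# Constructed sample data: 300 customers spread over four unrelated mail providers.
CUSTOMERS = [f"customer{i}@isp{i % 4}.example" for i in range(300)]


def build_notice(customers: list[str], use_bcc: bool) -> EmailMessage:
    """Build the mass notice. The sender addresses the message to itself in To:
    and puts the customer list in either CC: (the blunder) or BCC: (correct)."""
    msg = EmailMessage()
    msg["From"] = f"notices@{OUR_DOMAIN}"
    msg["To"] = f"notices@{OUR_DOMAIN}"
    msg["Subject"] = "Service notice"
    msg["Bcc" if use_bcc else "Cc"] = ", ".join(customers)
    msg.set_content("Constructed sample body: our terms of service have changed.")
    return msg


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To: and CC:."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """Addresses the mail server delivers to (SMTP RCPT TO): To:, CC: and BCC: alike."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def prepare_for_sending(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Return (envelope recipients, message bytes) with the BCC: header stripped.

    smtplib.SMTP.send_message() performs this same stripping itself; it is done
    explicitly here so the effect can be inspected without a mail server.
    """
    rcpts = envelope_recipients(msg)
    del msg["Bcc"]
    return rcpts, msg.as_bytes()


def check_visible_disclosure(msg: EmailMessage) -> list[str]:
    """DLP-style pre-send check on the visible recipient list.

    Returns a list of warnings; an empty list means the message is safe to send.
    Two heuristics: too many external addresses are visible, or the visible
    external addresses come from several unrelated domains (people who are
    unlikely to know each other).
    """
    warnings: list[str] = []
    external = [a for a in visible_recipients(msg) if not a.endswith("@" + OUR_DOMAIN)]
    domains = {a.split("@", 1)[1] for a in external}
    if len(external) > MAX_VISIBLE_EXTERNAL:
        warnings.append(
            f"{len(external)} external addresses are visible in To:/CC: "
            f"(limit {MAX_VISIBLE_EXTERNAL}); move them to BCC:"
        )
    if len(external) > 1 and len(domains) > 1:
        warnings.append(
            f"visible external recipients span {len(domains)} unrelated domains; "
            "they will all see each other's addresses"
        )
    return warnings


if __name__ == "__main__":
    blunder = build_notice(CUSTOMERS, use_bcc=False)
    for w in check_visible_disclosure(blunder):
        print("WARNING:", w)

    correct = build_notice(CUSTOMERS, use_bcc=True)
    print("warnings for BCC: version:", check_visible_disclosure(correct))
    rcpts, wire = prepare_for_sending(correct)
    print("envelope recipients:", len(rcpts))
    print("Bcc header on the wire:", b"Bcc:" in wire)
```

The same two heuristics could be expressed as a mail flow rule in a DLP or transport-rule product; the Python version is here so the logic can be read and run in isolation. Note that the check inspects only what recipients will see (To: and CC:), so a 300-address BCC: list passes, exactly as it should.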

Thirdly, if you need to send regular mass mailouts, get some martech advice on an appropriate email marketing tool to suit your needs, one that will keep your data protected and your business compliant!

Finally, the company at the centre of the BCC: story featured above found themselves in hot water because they did not have a data breach response process they could produce when questioned by investigating authorities. So, coming up with a pre- and post-incident data breach response plan should be a top priority.

Essential elements of a data breach response plan

A robust data breach response plan should be documented, understood by your team, and include at a minimum:

  • The process for how known or suspected data breaches will be detected and the alert raised
  • The process for containing and assessing any breach or incident
  • Accountability and reporting timelines and requirements
  • The process and guidelines for notifying affected persons
  • The process for review and implementing future preventative measures

This is by no means a comprehensive guide. Organisations should engage the help of their Managed Services Provider and seek legal advice to build out an actionable data breach response plan.

For helpful hints and tips on how to prepare a response plan, see our Data Breach Response Planning 101 guide here.