‘Cause of security incidents’: NPC lists risks when using ‘cc’ function in emails

August 11, 2023 - 11:24 AM
A photo that showed apps on a phone (Photo by Torsten Dettlaff via Pexels)

The National Privacy Commission (NPC) listed a number of risks for the constant use of “cc” or “carbon copy” in email messages.

NPC on August 7 announced that it observed the “inadvertent use” of the cc function in emails caused a number of security incidents, posing risks to the users.

“We have observed the high number of human errors, specifically the inadvertent use of the cc function, as a cause of security incidents, which have risen in number since 2021,” the commission said.

“Such errors have led to unintended data exposure, potentially compromising the privacy and security of the data subjects involved,” it added.

The “cc” field in email platforms is normally used to indicate that the message is also sent to other recipients other than the primary address.

Some people consider it a form of etiquette to loop in selected people in an email exchange.

NPC, however, said that this practice or habit can also be dangerous to both the sender and the recipient.

  • The “cc” function displays the email addresses of all recipients to every recipient. This may result in unintentional disclosure of personal information, which may lead to spam, phishing attempts, or targeted attacks.
  • Inappropriately using “cc” may give unauthorized persons access to personal and sensitive personal information, confidential information, and restricted information that may be contained in the email body or its attachments, resulting in a breach of confidentiality, data sharing, and other applicable non-disclosure agreements.
  • Mishandling personal information by using the “cc” function, under certain circumstances, may be unnecessary or not proportional to the purpose which can be regarded as a violation of the general data privacy principles in the DPA.

NPC advised the use of the “blind carbon copy” or “bcc” as an alternative in delivering emails.

“In the alternative, the Commission encourages checking if the blind carbon copy “bcc” function is a more appropriate mode of delivery of emails. To note, the ‘bcc’ function conceals the recipient email addresses from each other, providing an added layer of protection that reduces the risk of accidental data exposure,” the commission said.

Safe and secure ‘cc’ use

NPC recommended the following best practices to ensure safety and security in email communications:

  • Double-check the recipients of the email and verify whether the emails included in the “cc” function are necessary.
  • Use “bcc” appropriately as when making announcements or mass emails to ensure that the intended recipients are hidden from each other.
  • Be mindful of the personal and sensitive personal information shared in your emails and its attachments. It is desirable to apply other safeguards such as encryption, password protection and secure file-sharing platforms in certain instances.
  • Train and coach all your employees to practice the best practices in email correspondence.

NPC also enjoined the national government and private sectors to implement data protection measures in compliance of the Data Privacy Act of 2012.

“Finally, the Commission reminds the Government and the Private Sectors that the failure to implement sufficient data protection measures can be punishable under the DPA and pertinent NPC issuances,” it said.