The National Privacy Commission (NPC) highlighted on Monday, Aug. 8, the risks associated with the misuse of the carbon copy “cc” function in email communications.
“We have observed the high number of human errors, specifically the inadvertent use of the cc function, as a cause of security incidents, which have risen in number since 2021,” the privacy body said in a statement.
“Such errors have led to unintended data exposure, potentially compromising the privacy and security of the data subjects involved,” it added.
Below are some of the risks with the use of the “cc” function, according to the NPC:
- The “cc” function displays the email addresses of all recipients to every recipient. This may result in unintentional disclosure of personal information, which may lead to spam, phishing attempts, or targeted attacks.
- Inappropriately using “cc” may give unauthorized persons access to personal and sensitive personal information, confidential information, and restricted information that may be contained in the email body or its attachments, resulting in a breach of confidentiality, data sharing, and other applicable non-disclosure agreements.
- Mishandling personal information by using the “cc” function, under certain circumstances, may be unnecessary or not proportional for the purpose which can be regarded as a violation of the general data privacy principles in the DPA.
In the alternative, the NPC said email users should check if the blind carbon copy “bcc” function is a more appropriate mode of delivery of emails.
To note, the “bcc” function conceals the recipient email addresses from each other, providing an added layer of protection that reduces the risk of accidental data exposure, it said.
Here are some of the best practices that the NPC recommended when using email communications:
- Double-check the recipients of the email and verify whether the emails included in the “cc” function are necessary.
- Use “bcc” appropriately as when making announcements or mass emails to ensure that the intended recipients are hidden from each other.
- Be mindful of the personal and sensitive personal information shared in your emails and its attachments. It is desirable to apply other safeguards such as encryption, password protection, and secure file-sharing platforms in certain instances.
- Train and coach all your employees to practice the best practices in email correspondence.
“Finally, the Commission reminds the government and the private sectors that the failure to implement sufficient data protection measures can be punishable under the Data Privacy Act and pertinent NPC issuances,” it said.
