Incorrectly copying people into emails could get you fined under new ICO guidelines

Organizations across the UK could face fines for inadvertently copying people into email chains under new guidelines published by the country’s data regulator.

The Information Commissioner’s Office (ICO) has advised businesses to “use alternatives” to the blind carbon copy (BCC) function when sending bulk emails that contain potentially sensitive information.

The warning from the regulator coincides with the publication of new guidance detailing how organizations can improve data protection practices relating to email communications.

Best practice advice from the ICO suggests that organizations using “large amounts of data” should consider using alternative means to the BCC function to prevent exposure of personal information.

The guidance also recommends improving training regimes for staff to cultivate a stronger understanding of data protection regulations and their application in email communications.

Mihaela Jembei, ICO director of regulatory cyber, said the new guidelines will provide organizations with a clear-cut framework for best practices, and warned that those found to be operating negligently could be reprimanded.

“This new guidance is part of our commitment to help organizations get email security right,” she said.

“However, where we see negligent behavior that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”

Responding to recent data breaches

The new guidance comes in direct response to a slew of data breaches related to email communications, which the regulator described as a “catalog of business blunders”.

An investigation into the issue from the ICO found that incorrect use of the BCC function is frequently in the top 10 of non-cyber-related breaches, with nearly 1,000 incidents reported since 2019.

“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year,” Jembei said. “These breaches can cause real harm, especially where sensitive personal information is involved.

“While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organizations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers."

Failures were found to be a recurring theme across a range of industries, with organizations in the education sector, healthcare, local government, and retail among the most frequently reported for email-related issues.

The regulator has taken a tougher stance on email-linked data breaches in recent years. In 2022 the Tavistock and Portman NHS Trust was fined £78,400 for exposing the email addresses of over 1,700 gender identity patients.

More recently, it reprimanded two Northern Ireland-based organizations for wrongly disclosing people’s information in an email chain. The ICO also issued a reprimand to NHS Highland in March after data belonging to people accessing HIV services was exposed.

The regulator described the incident as a “serious breach of trust” that put users of the service at risk.