NPC warns email 'cc' misuse risks data breach

Increased incidents linked to 'cc' errors since 2021 prompt call for better email practices; BCC feature and training highlighted as preventative measures


At a glance

  • The NPC has identified a significant increase in security incidents since 2021, primarily due to human errors associated with misusing the "cc" feature in emails. This misuse jeopardizes the privacy and security of email recipients.

  • Utilizing the "cc" function inappropriately can lead to accidental disclosure of personal information, potential spam, phishing attempts, and even targeted attacks. It may also result in unauthorized access to sensitive and confidential data within the email body or attachments.

  • Handling personal information through the "cc" function may, in some cases, be unnecessary or disproportionate to the purpose, potentially violating the general data privacy principles of the Data Privacy Act (DPA).

  • The Commission suggests using the blind carbon copy (bcc) feature as a more secure alternative to "cc." It further underscores several email best practices, including reviewing email recipients, using "bcc" for bulk emails, safeguarding sensitive content, and regularly training staff on these measures.

  • Both the government and private sectors should recognize that neglecting to follow data protection protocols can result in penalties under the DPA and specific NPC directives.


The National Privacy Commission (NPC) has recently brought attention to the dangers of misusing the carbon copy (cc) feature in email communications.

Since 2021, the NPC has noted a rise in security incidents tied to human errors related to the "cc" function. Such errors often lead to unintentional data exposure, compromising the privacy and security of those involved.

Key risks associated with the "cc" function include:

• The "cc" function displays the email addresses of all recipients to every recipient. This may result in unintentional disclosure of personal information, leading to spam, phishing attempts, or targeted attacks.

• Inappropriately using "cc" may give unauthorized persons access to personal and sensitive personal information, confidential information, and restricted information that may be contained in the email body or its attachments, resulting in a breach of confidentiality, data sharing, and other applicable non-disclosure agreements.

• Mishandling personal information by using the "cc" function, under certain circumstances, may be unnecessary or not proportional to the purpose, which can be regarded as a violation of the general data privacy principles in the DPA.

As a safer alternative, the NPC suggests considering the blind carbon copy (bcc) feature, which hides recipient email addresses from one another, thus minimizing the risk of accidental data exposure.

The Commission further recommends several best practices for email communication:

1. Thoroughly review email recipients and ensure those listed under "cc" are necessary.

2. For mass emails or announcements, use "bcc" to keep recipient addresses concealed.

3. Be cautious of the sensitive information contained in emails and attachments. Employ additional protective measures like encryption, password protection, or secure file-sharing platforms.

4. Regularly train employees to adopt these recommended email practices.

The NPC emphasizes that both the government and private sectors should be aware that non-compliance with data protection protocols may result in penalties under the DPA and relevant NPC directives.

For additional information and resources on data privacy, the public is encouraged to visit the NPC's official website at www.privacy.gov.ph.