
NPC cautions on potential data privacy violations in use of ‘cc’ in emails

The National Privacy Commission (NPC), the country’s data privacy watchdog, reminds the public of the risks that come with the misuse of the carbon copy (cc) function in email communications.

“We have observed a high number of human errors, specifically the inadvertent use of the ‘cc’ function, as a cause of security incidents, which have risen in number since 2021,” the country’s privacy watchdog said in a media advisory. “Such errors have led to unintended data exposure, potentially compromising the privacy and security of the data subjects involved.”

Most company correspondence relies heavily on the “cc” function, especially in collaborative environments. However, forwarding an email to external parties without first reviewing the thread may expose the addresses of everyone copied on it, potentially leading to security incidents.


Breach of confidentiality

NPC highlighted the risks that come with the use of the “cc” function:

• The “cc” function displays the email addresses of all recipients to every recipient. This may result in unintentional disclosure of personal information, which may lead to spam, phishing attempts, or targeted attacks.

• Inappropriately using “cc” may give unauthorized persons access to personal and sensitive personal information, confidential information, and restricted information contained in the email body or its attachments, in breach of confidentiality, data-sharing, and other applicable non-disclosure agreements.

• Under certain circumstances, handling personal information through the “cc” function may be unnecessary or not proportional to the purpose, which can be regarded as a violation of the general data privacy principles in the Data Privacy Act (DPA).

As an alternative, the Commission recommends the blind carbon copy (“bcc”) function as a more suitable mode of email delivery. The “bcc” function conceals recipients’ email addresses from one another, adding a layer of protection that reduces the risk of accidental data exposure.

Compliance with Data Privacy Act of 2012

Here are some of the best practices that the NPC recommends when using email communications:

• Double-check the recipients of the email and verify whether the emails included in the “cc” function are necessary.

• Use “bcc” appropriately when making announcements or mass emails to ensure that the intended recipients are hidden from each other.

• Be mindful of the personal and sensitive personal information shared in your emails and their attachments. Where warranted, apply additional safeguards such as encryption, password protection, and secure file-sharing platforms.

• Train and coach all employees to follow these best practices in email correspondence.
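The first two practices above (verify who is in “cc”, and use “bcc” for mass mail) can be enforced before a message leaves the organisation. The following is an added example, not code from the NPC or the article: it inspects a constructed outgoing draft, flags “cc” usage that exposes external recipients to one another, and rewrites the draft so the copied recipients move to “bcc”. The sender domain `example.org`, the sample addresses and the `max_external` threshold are assumptions for illustration.

```python
import email
from email import policy

# Constructed sample draft (not from the advisory): an announcement where
# recipients from several outside organisations were placed in Cc instead of Bcc.
SAMPLE_DRAFT = """\
From: hr@example.org
To: staff-announce@example.org
Cc: a.cruz@alpha.example.com, b.reyes@beta.example.com, c.santos@gamma.example.com
Subject: Benefits enrollment reminder

Please complete your enrollment by Friday.
"""


def cc_addresses(msg):
    """Return the parsed Address objects from the Cc header (empty if absent)."""
    header = msg["Cc"]
    return list(header.addresses) if header else []


def review_cc(raw, sender_domain, max_external=1):
    """Return a list of findings describing how Cc exposes recipient addresses.
    max_external is a hypothetical policy threshold, not a figure from the NPC."""
    msg = email.message_from_string(raw, policy=policy.default)
    cc = cc_addresses(msg)
    external = [a for a in cc if a.domain.lower() != sender_domain.lower()]
    domains = {a.domain.lower() for a in cc}
    findings = []
    if len(external) > max_external:
        findings.append(f"{len(external)} external addresses visible to every recipient via Cc")
    if len(domains) > 1:
        findings.append(f"Cc spans {len(domains)} organisations; each sees the others' addresses")
    return findings


def move_cc_to_bcc(raw):
    """Rewrite the draft so every Cc recipient becomes a Bcc recipient (hidden from the others)."""
    msg = email.message_from_string(raw, policy=policy.default)
    cc = msg.get_all("Cc", [])
    if cc:
        del msg["Cc"]
        msg["Bcc"] = ", ".join(str(h) for h in cc)
    return msg.as_string()


if __name__ == "__main__":
    for finding in review_cc(SAMPLE_DRAFT, "example.org"):
        print("WARNING:", finding)
    print(move_cc_to_bcc(SAMPLE_DRAFT))
```

A mail gateway or send-hook can run `review_cc` and block or warn on any finding; `move_cc_to_bcc` is the remediation the advisory recommends for announcements and mass emails.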

The NPC reminds both the government and private sectors that failure to implement sufficient data protection measures can result in penalties under the Data Privacy Act of 2012 or Republic Act 10173, along with relevant NPC directives.