Failure To Use BCC Data Breaches – How To Make A Claim

By Danielle Griffin. Last Updated 3rd October 2022. What is a failure to use BCC data breach? In this guide, we explore how sending an email to a group of recipients can result in a data breach when the CC field is used rather than the BCC field. We also examine eligibility to make a personal data breach claim, along with examples of the compensation that could be awarded in successful claims.


Failure to use BCC data breaches claims guide

Two key pieces of legislation govern how personal data is collected and stored in the UK; these are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. All data controllers and processors are bound by the UK GDPR and DPA to protect your personal data. A data controller is usually an organisation or company that will use your personal data whereas processors may work on behalf of the data controller in processing this information. 

To start your claim and find out how one of our No Win No Fee solicitors could help you, get in touch today.

What Are Failure To Use BCC Data Breaches?

A personal data breach is a security incident. It impacts the confidentiality, availability, or integrity of your personal information. For example, your email address is personal data, as it could be used to identify you. Other examples of personal data include your name, postal address, or date of birth.

Blind carbon copy (BCC) is an email feature that hides the recipients of a mass email from one another. When you use BCC, you can send the email to multiple people without their email addresses being exposed.

However, when an organisation fails to use BCC, this can result in a personal data breach, as the email addresses of everyone in receipt of the email are exposed.

Article 82 of the UK GDPR gives you as the data subject the right to claim compensation. However, there are certain criteria:

  • Firstly, you must be able to prove the data controller failed to keep your personal information secure. Failing to comply with data protection laws would need to be proved.
  • Secondly, evidence that your personal data was included in the data breach must be presented.
  • Lastly, you must have suffered. This could be either financial loss or a mental health injury.

If you believe you’ve suffered due to a failure to use BCC data breach, contact our advisors for free legal advice.

Failure To Use BCC Data Breaches Statistics

The Information Commissioner’s Office (ICO) is an independent body set up to monitor data protection in the UK. According to their published data security incident trends, there were a total of 79 BCC failure incidents during the 4th financial quarter of 2021/22.

Failure to Use BCC Data Incidents Q4 2021/22 By Sector

Blind Carbon Copy vs Carbon Copy

If you are sending an email to multiple recipients who have no authority to see the personal data of the others, you should use the BCC field.

When recipients are CC’ed, they can all see each other’s email addresses. In some cases, they may also see each other’s names, or an email address may itself contain a data subject’s name. These are all examples of personal data.

BCC’ed email recipients are oblivious to each other. This means that recipients cannot view each other’s names or email addresses. 

Is Not Using BCC A Data Breach?

If you were asking, ‘is not using BCC a data breach?’, then the answer may be yes. There are some circumstances, such as when sending internal emails where all recipients know each other’s email addresses, in which it may not be considered a personal data breach.

Email addresses are protected personal data. Sharing these with unauthorised persons, such as when sending an email with multiple recipients without concealing the email addresses, is a data breach.

An accidental data breach at work could occur if the BCC feature was not used when sending an email to multiple recipients, some of whom did not work for the company. This could be avoided with appropriate staff training in data protection. We look at ways to avoid human error data breaches further into this guide.

Call our advisors to discuss failure to use BCC data breaches claims.

What Could Cause A BCC Email Data Breach?

Human error can cause failure to use BCC data breaches. A lack of awareness of the BCC and CC fields, lack of data security training or no data protection policy in place can result in a data breach. As a result of this, organisations should ensure that staff receive adequate training in data protection methods, such as the use of BCC.

Another cause of failure to use BCC data breaches could be a malfunction or error in the email or on the device.

If you would like to learn more about data breach compensation claims, contact our advisors. 

Steps To Take To Prevent A BCC Data Breach

Staff should be trained in data protection. Training in the principles of the UK GDPR is key to being compliant with data protection laws.

They should receive training in the difference between CC and BCC. If they do not frequently send mass emails, there could be prompts reminding them to BCC external emails. 

In addition, staff could be trained to check who is included in the CC group before sending emails. They could also be trained to check auto-suggestions to ensure that the email is being sent to the correct person. 

To learn more about failure to use BCC data breaches, contact our advisors.  

What Could You Claim For Failure To Use The BCC Field?

If you meet the eligibility criteria for claiming data breach compensation, and your case is successful, you might be interested in what you could claim. Your claim could come with two heads, covering material damages and non-material damages.

You can claim one head or both heads. Until the Court of Appeal ruling in Vidal-Hall and Others v. Google Inc. (2015), you were only able to claim for non-material damages alongside material damages. However, this case set a precedent, and you are now allowed to claim for your psychological injury without claiming for any financial harm.

Material damages 

Perhaps you experienced financial loss due to the leak of your email address? If so, you can recover any losses under material damages. You must provide proof of loss to claim. Bank statements, for example, could act as evidence. 

Non-material damages

You can claim for any emotional distress you experienced as a result of the personal data breach. Your psychological damage will be valued in the same way as personal injury compensation. You can get an idea of what you could receive by using the 2022 edition of the Judicial College Guidelines (JCG).

This document contains injuries listed alongside their potential compensation brackets. It is used by legal professionals to help assign value to injuries, including mental harm, such as post-traumatic stress disorder (PTSD). 

Injury | Potential Compensation | Notes
Severe PTSD (a) | £59,860 – £100,670 | Symptoms cause a permanent inability to function at pre-trauma levels.
Moderately severe PTSD (b) | £23,150 – £59,860 | Symptoms result in significant disability for the foreseeable future, however, there is some recovery with professional help.
Moderate PTSD (c) | £8,180 – £23,150 | A recovery has largely taken place, however, some symptoms may persist.
Less severe PTSD (d) | £3,950 – £8,180 | Virtually a full recovery, however, there may be minor symptoms persisting beyond 1-2 years.
Severe mental injury (a) | £54,830 – £115,730 | An inability to cope with life and personal relationships. The prognosis is very poor.
Moderately severe mental injury (b) | £19,070 – £54,830 | Significant problems in life and with relationships, but there’s an optimistic prognosis.
Moderate mental injury (c) | £5,860 – £19,070 | Improvements in ability to cope with life and relationships and a good prognosis, however there was a moderate level of mental harm.
Less severe mental injury (d) | £1,540 – £5,860 | A period of disability occurs that impacts the claimant’s daily activities and ability to sleep.

The figures above are guideline amounts, not guarantees. Our advisors can provide a free estimate of what you could receive following a personal data breach when you get in touch today.

No Win No Fee Claims For Failure To Use BCC Data Breaches

Making a personal data breach claim can be daunting, but the guidance of a legal professional can make it seem less complex. Our solicitors provide their services under a No Win No Fee arrangement called a Conditional Fee Agreement (CFA).

You won’t be asked for an upfront solicitor’s fee under a CFA, and you won’t be asked to pay ongoing fees either. If your claim is successful, however, a success fee will be taken from your award. This is a small percentage of your compensation, capped at 25%. Unsuccessful claimants, however, will not have to pay a success fee.

If you’ve been harmed due to a failure to use BCC data breach, contact our advisors today. If your claim is found to be valid, they can put you in touch with one of our personal data breach solicitors.

Thank you for reading our guide on failure to use BCC data breaches. For more information, get in touch.