
White Paper

Preventing Privacy Breach


Why You Need to Block Cc Mass Mailings

Introduction

In every company it happens: employees sending out mass email mailings to customers and
contacts by creating one email and entering all the recipients in the Cc: field (or the Bcc: or
To: field). It is something that can happen so easily, yet can also have serious
consequences. Read more about how these undesirable mass mailings can occur, the
damage they can do, and how you can protect your company by preventing these emails
from leaving your network.

How Cc Mass Mailings Occur

This could happen to you: Your new sales rep is eager to get results, and fast. He decides to
contact his 200 customers with your latest promotional offer. In order to get the message
across in the minimum amount of time, he creates one email, pastes all the email addresses
in the Cc: field and hits ‘Send’. Now he just needs to wait for the orders to come in.

Your nightmare has begun. A potential privacy breach and damage to your company’s
reputation have been set in motion. Not only has this one email exposed your valuable
customer list and opened you up to 200 potential lawsuits for privacy breach, it has severely
damaged your company’s reputation. If your company is this careless with its customer
information, what does that say about the quality of the services and products you provide?
And you don’t even want to think about what will happen when the recipients hit the ‘Reply
to All’ button and start complaining about your company’s spam practices and asking you to
remove them from the list. A true ‘mail storm’ could erupt with your company as the source.

Some employees might think that they are being smart if they put all the addresses in the
Bcc: field instead of the Cc: field. In that way the recipients will not see the other email
addresses and they will not be able to select ‘Reply to All’. However, listing email addresses
in the Bcc field will get the message detected as spam and will land you on a spam black list
or two. You don’t want to have to find out firsthand how difficult it is to get removed from
these lists, and you don’t even want to think about how many of your emails are being
blocked by spam filtering software until you do get off those lists. Even if you are not
blacklisted, would you want your company to be sending emails to your customers with an
empty To: field, or a To: field with a different recipient? In the best case this is confusing; in
the worst case this email severely damages the professional reputation of your company.

This is a disaster just waiting to happen. You can train employees on email etiquette, you
can include a notice in your Employee Handbook or Email policy that they should not send
one email to many recipients for email mailings (using either the To:, Cc: or Bcc: field), but
the fact remains that every employee using Outlook is just a few clicks away from making
this mistake.

Why are Cc Mass Mailings So Bad?

A Cc mass mailing, where one email is sent to many recipients in the Cc: (or Bcc: or To:)
field, might produce the following unwanted results:

1. Exposes your valuable customer contacts
2. Contacts might end up in a competitor’s hands
3. Opens you up to privacy breach claims
4. Damages your company’s reputation
5. Customers might report you to consumer protection agencies
6. When ‘Reply to All’ is used a mail storm could erupt
7. Bcc field is not a good option either since the message will be blocked as spam and
your domain could end up being black listed.

Cases that reached press coverage

Although unauthorized Cc mass mailings occur frequently within companies, most of them
do not receive any press coverage. Below are a few cases where the incidents were
covered in the press:

The ‘Brown Daily Herald’ recently reported an unauthorized Cc mass mailing case that
occurred when a worker at a college’s Financial Aid Office sent email messages to hundreds
of students reminding them about which documents they needed to submit for their
application of financial assistance. The problem was that the worker sent only three email
messages and included all the students’ email addresses in the To: and Cc: field. In total
the three email messages exposed 1800 students’ addresses and full names.

A few years ago the UK news site ‘The Register’ reported that a UK photo sharing website
had sent out a welcome email to 1500 of their subscribers with all their email addresses
clearly visible in the To: field. According to ‘The Register’ one of the affected customers
commented that it was such a fundamental breach of simple protocol and Internet security
that they would be closing their account forthwith and passing details of the incident to the
UK Information Commissioner. Apparently the affected photo sharing company responded to
‘The Register’, explaining that a technical error was the root of the problem and that they
had apologized to their customers and assured them that their personal registration
information remained secure.

‘Techdirt’, an online news blog, also covered this story, saying: “Of course, there was no
‘technical’ error. There was the very, very human error of someone putting the addresses in
the wrong box and/or not using a decent mailing list program.”

The next day the story unfolded further since one of the company’s competitors had gotten
their hands on the list (possibly they were one of the 1500 subscribers) and sent the 1500
subscribers an email saying that they would be better off registering with their company
because unlike their competitor, they respected their customers’ privacy and would not
share their personal information with other members.

Potential Cost of Cc Mass Mailings

Luckily most unauthorized mass mailings are not covered in the press. There are still
substantial costs that could arise out of a Cc mass mailing though. Below is an example of
the potential cost of a Cc mass mailing sent out to 200 customers:

Description                                                       Calculation       Cost
----------------------------------------------------------------  ----------------  ------
Legal counsel to discuss response                                 2 hours @ $250    $500
Write apology email                                               4 hours @ $100    $400
Collect contact information of impacted customers                 2 hours @ $60     $120
Send out apology mailing                                          1 hour @ $60      $60
Check which spam black lists you are listed on                    8 hours @ $80     $640
Explain to users why their emails are not getting through         4 hours @ $80     $320
Contact spam black lists to be removed from their list            8 hours @ $80     $640
No. of emails that did not reach customers due to black listing:  200
Percentage of lost customers due to email not arriving:           2% = 4 customers
Customer value                                                    $300 per year
Loss of potential business                                                          $1,200
Percentage of customers seeking civil suit                        1% = 2 customers
Award per individual                                              $1,000
Total award                                                                         $2,000
Percentage of lost customers due to privacy breach                1% = 2 customers
Customer value                                                    $300 per year
Loss of potential business                                                          $600
Total cost for privacy breach and damage to reputation                              $6,480

The actual cost and impact can differ from company to company and from situation to
situation, but this example shows you what kind of costs you could be facing due to a Cc
mass mailing.

How to Prevent Cc Mass Mailings

What do you do when this happens to you? And more importantly, how can you prevent this
from happening? If such an event does occur, the best course of action is to immediately
send out an apology to the impacted customers, explaining that this email mailing was
against your company’s policy and that you will maintain stricter measures in order to
prevent this from happening again. But what can you do to prevent this from happening
again? You can include a warning regarding mass mailings in your email policy under the
Don’ts section. You can train your employees on email etiquette and inform them not to
send out mailings without using your mailing list software. Although these are good
solutions, they will never be watertight.

The only way to be sure that this cannot happen to your company is to physically block the
email from leaving your company in the first place. This can be done with email server
software that filters emails before they are sent out from your company and can detect and
block emails with a large number of recipients.

How Policy Patrol can help

Policy Patrol is an email filter product that can scan all email messages before they are sent
out, giving you the opportunity to block these kinds of emails before they can do any
damage. All you need to do in Policy Patrol is configure a rule that will quarantine all
externally sent messages with more than, for instance, 5 or 10 recipients. Once a message is
caught, Policy Patrol can send an email to an Administrator or Manager allowing them to
verify whether this message should be sent out, or whether it actually breaches the
company policy and must not be allowed out. It is as simple as that, but it will surely save
you some major headaches.
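
The recipient-count rule described above, as an added example in Python (not Policy Patrol's code or configuration): it counts distinct external recipients across the To:/Cc: headers and the SMTP envelope, and holds the message for review when the count exceeds a threshold. The domain `example.com`, the threshold of 10, the function names and the sample messages are assumptions made for the example.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # assumption: the sending company's own domains
MAX_EXTERNAL = 10                   # assumption: the text suggests 5 or 10


def external_only(addresses, internal_domains):
    """Lower-case, de-duplicate, and keep only addresses outside our own domains."""
    kept = set()
    for addr in addresses:
        addr = addr.strip().lower()
        if addr and addr.rpartition("@")[2] not in internal_domains:
            kept.add(addr)
    return kept


def evaluate_outbound(raw_message, envelope_rcpts,
                      internal_domains=INTERNAL_DOMAINS, max_external=MAX_EXTERNAL):
    """Decide whether an outgoing message is delivered or held for review.

    envelope_rcpts is the SMTP RCPT TO list. Bcc recipients appear only there,
    so counting the To:/Cc: headers alone would miss a Bcc mass mailing.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = external_only([a for _, a in getaddresses(headers)], internal_domains)
    envelope = external_only(envelope_rcpts, internal_domains)
    hidden = envelope - visible  # delivered to, but not shown in To:/Cc:
    total = len(envelope | visible)
    return {
        "action": "quarantine" if total > max_external else "deliver",
        "external_total": total,
        "exposed_in_headers": len(visible),
        "hidden_bcc": len(hidden),
    }


# Constructed sample: one promotional email with 12 customers pasted into Cc:.
CUSTOMERS = [f"customer{i}@customer{i}.test" for i in range(1, 13)]
SAMPLE_CC = ("From: rep@example.com\nTo: manager@example.com\n"
             "Cc: " + ", ".join(CUSTOMERS) + "\nSubject: Offer\n\nHello\n")
# Constructed sample: nothing external in the headers; recipients come via Bcc.
SAMPLE_BCC = "From: rep@example.com\nTo: rep@example.com\nSubject: Offer\n\nHello\n"

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE_CC, CUSTOMERS + ["manager@example.com"]))
    print(evaluate_outbound(SAMPLE_BCC, CUSTOMERS + ["rep@example.com"]))
    print(evaluate_outbound(SAMPLE_BCC, ["rep@example.com", "one@customer1.test"]))
```

Internal recipients are excluded from the count, so company-wide announcements are not held; the `exposed_in_headers` figure is the number of customer addresses every recipient would have seen.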

A mass mailing to 200 users as described in the above example could cost your company
over $6,000 and potentially even more depending on the lawsuits and the severity of the
damage to reputation. If your company is in the health or legal industry, this kind of
‘blooper’ could have much higher price tags. Compare this to the cost of Policy Patrol Mail
Server Tools: For a company of 50 users, the cost of Policy Patrol Mail Server Tools is $395,
with an annual maintenance fee of $79.

In addition to preventing unauthorized mass mailings, Policy Patrol Mail Server Tools
includes many more features such as detecting and blocking emails with offensive words,
attachment checking and stripping, reporting, email policy violation monitoring,
compression, email backup and optional anti-virus. Policy Patrol Mail Server Tools is part of
the Policy Patrol Email Suite that offers anti-spam, keyword filtering, attachment blocking,
email disclaimers, email signatures, virus checking, compression and many more email
management features.

References

http://www.theregister.co.uk/2005/10/26/spam_customer_list/
http://www.databreaches.net/?p=2486
http://www.browndailyherald.com/2.12235/e-mail-error-generates-changes-1.1667477
http://www.techdirt.com/articles/20051025/1243206.shtml
http://www.theregister.co.uk/2005/10/25/spymedia_email_mistake/

About Red Earth Software

Red Earth Software is a Microsoft Gold Certified Partner that specializes in the development
of content security solutions that help companies regulate and optimize the use of their
email and Internet systems. Policy Patrol currently filters emails for more than one million
users worldwide and is used by customers in nearly every industry including educational,
non-profit, financial, legal, health care, manufacturing and government. Included among
Red Earth Software clients are large international organizations such as Nissan, Targus,
Canadian Pacific Railway, USA.net, Lotto, Fujitsu Services (Central Government customer),
and Sony of Canada Ltd.

More information

For more information about Policy Patrol or to download a 30-day evaluation version,
please visit http://www.policypatrol.com.

Contacting Red Earth Software


Red Earth Software, Inc.
595 Millich Drive, Ste 210
Campbell, CA 95008
United States
Toll-free: 1-800-921-8215
Phone: (408) 370 9527
Fax: (408) 608 1958
Sales: sales@redearthsoftware.com
Support: support@redearthsoftware.com

Red Earth Software (UK) Ltd
20 Market Place
Kingston-upon-Thames
Surrey KT1 1JP
United Kingdom
Tel: +44-(0)20-8328 9830
Fax: +44-(0)20-8711 5771
Sales: sales@redearthsoftware.co.uk
Support: support@redearthsoftware.co.uk

Red Earth Software Ltd
Sonic House, Suite 301
43 Artemidos Avenue
6025 Larnaca
Cyprus
Tel: +357-24 828515
Fax: +357-24-828516
Sales: sales@redearthsoftware.com
Support: support@redearthsoftware.com

Policy Patrol® is a registered trademark of Red Earth Software®. Copyright © 2001- 2009 by Red Earth Software.
