Sharing Confidential Information Via Email

Most organizations -- including small law offices and accounting firms -- routinely need to share confidential information with clients or receive such details from clients. In today's world, the easiest way to do that is via email. Yet sharing confidential information via email presents a tremendous risk.


Why Email Poses a Risk

Email is an old technology -- developed in the 1970s -- and was never designed to be secure. Anyone who can see the network traffic for the network you're using (such as in a public hotspot, at a hotel, or on an airplane) can easily intercept messages.

Email tends to be a back-and-forth medium, so if an attachment (a PDF, a Word doc, a spreadsheet) happens to contain confidential data, that attachment is exposed every time someone sends or receives a message in that thread. Furthermore, if someone gets added to the message thread as a CC or BCC, each new recipient has access to the message's history and also creates new opportunities for a third party to intercept the messages -- and their history.

Email encryption is not standardized and it is difficult to use. Major cloud-based players such as Microsoft 365 and Gmail encrypt messages in transit. But even Microsoft 365 gives system administrators the ability to "fine-tune" those settings. So while you may feel comfortable with the encryption on your end, it is a leap of faith that both sets of servers are properly using encryption and that they can properly communicate with each other.

Your options? Either move to a different mechanism for sharing such as faxing -- which often feels like moving backwards in time -- or follow these suggestions.

Good Practices for Sharing Confidential Information:

1. Do not disseminate confidential information as plain text in the body of a message.

2. Instead, embed the information in the document or spreadsheet that needs to be transmitted and use the encryption built into the tool. Microsoft Office and most PDF creators can encrypt documents and require a password to open the file. If you need to send a tax form, legal documents, mortgage paperwork, account details, health records, or any other confidential (or even sensitive) information, encrypt the files before sending.

3. A related option is to use a tool such as 7-Zip to create password-protected zip files containing all of the files you need to send or receive.

4. Whenever you send password-protected files, it is critical that you do not send the password via email. Use an alternate communication channel, such as a phone call or text message, to share passwords. Sharing the password via email -- even in a separate message -- leaves you just as exposed as if you had not encrypted the files.

5. An alternative to encrypting files is to use a web-based file exchange portal, or to share passwords directly via a password manager such as LastPass. Read more about setting up and deploying enterprise-wide password management tools.
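A check that follows from items 2 and 3: before a file goes out as an attachment, confirm that it is actually password-protected. The Python script below is an added example, not FireOak's code. It reads the container format of common attachment types (Office documents, PDFs, zip archives) and reports whether the file carries encryption at all. The sample files it builds are constructed fixtures; the "flagged" zip only simulates the header layout of a password-protected archive, because the standard library cannot write real encrypted zips. The check says nothing about password strength, and 7z archives are reported as unknown because their headers need a full parse.

```python
"""Pre-send check for attachments: does the file actually carry encryption?

Added example (not FireOak's code). It inspects the container format of
common attachment types. It says nothing about password strength, and it
cannot see inside 7z archives without a full header parse, so those are
reported as unknown.
"""
from __future__ import annotations

import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound file (encrypted Office, legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                        # zip; also unencrypted .docx/.xlsx/.pptx
PDF_MAGIC = b"%PDF"
SEVENZ_MAGIC = b"7z\xBC\xAF\x27\x1C"
ZIP_FLAG_ENCRYPTED = 0x1                          # bit 0 of the zip general-purpose flag


def classify_attachment(data: bytes) -> tuple[str, bool | None]:
    """Return (kind, encrypted). encrypted is True/False when the container
    format says so, None when this check cannot tell."""
    if data.startswith(OLE_MAGIC):
        # Password-protected Office files are OLE containers holding an
        # EncryptedPackage stream; the container stores stream names as UTF-16LE.
        # Pre-2007 .doc/.xls files use the same container without that stream.
        has_stream = "EncryptedPackage".encode("utf-16-le") in data
        return ("office-ole", True if has_stream else None)
    if data.startswith(PDF_MAGIC):
        # Encrypted PDFs reference an /Encrypt dictionary from the trailer.
        # A substring scan is a heuristic; a full parser would read the trailer.
        return ("pdf", b"/Encrypt" in data)
    if data.startswith(SEVENZ_MAGIC):
        return ("7z", None)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return ("zip", None)
        kind = "office-ooxml" if "[Content_Types].xml" in {i.filename for i in infos} else "zip"
        if not infos:
            return (kind, False)
        # Every member must be flagged; a zip with one unencrypted member leaks it.
        # Zip encryption covers member contents only, member names stay readable.
        return (kind, all(i.flag_bits & ZIP_FLAG_ENCRYPTED for i in infos))
    return ("unknown", None)


def safe_to_attach(data: bytes) -> bool:
    """Gate for a send hook: only files the container marks as encrypted pass."""
    return classify_attachment(data)[1] is True


# --- constructed samples (fixtures for the demo, not real client files) ---

def _zip_with(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def _mark_zip_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag on every local header (PK\\x03\\x04, flag at +6)
    and central-directory header (PK\\x01\\x02, flag at +8). This only simulates
    the header layout of a password-protected archive; the stdlib cannot write
    real ZipCrypto/AES archives, so the member bodies stay plaintext here."""
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] |= ZIP_FLAG_ENCRYPTED
            pos = out.find(sig, pos + 1)
    return bytes(out)


def build_samples() -> dict[str, bytes]:
    return {
        "plain_zip": _zip_with({"tax-form.pdf": b"not really a pdf"}),
        "flagged_zip": _mark_zip_encrypted(_zip_with({"tax-form.pdf": b"ciphertext-here"})),
        "plain_docx": _zip_with({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
        "encrypted_office": OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le"),
        "plain_pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n",
        "encrypted_pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n",
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind, enc = classify_attachment(blob)
        print(f"{name:18s} {kind:14s} encrypted={enc}  safe_to_attach={safe_to_attach(blob)}")
```

Run it directly to see a verdict for each sample, or wire `safe_to_attach` into a send hook that refuses attachments the container does not mark as encrypted. Keep the zip caveat in mind when choosing a format: zip password protection leaves the file names readable, while 7-Zip's own 7z format can encrypt the archive headers as well.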

Contact the FireOak Strategies team to learn more about sharing confidential information with internal team members or with clients.