Most organizations — including small law offices and accounting firms — routinely need to share confidential information with clients or receive such details from clients. In today’s world, the easiest way to do that is via email. But yet, sharing confidential information via email presents a tremendous risk.
Why Email Poses a Risk
Email is an old technology — developed in the 1970s — and was never designed to be secure. Anyone who can see the network traffic for the network you’re using (such as in a public hotspot, at a hotel, or on an airplane) can easily intercept messages.
Email tends to be a back-and-forth medium, so if an attachment (a PDF, a Word doc, a spreadsheet) happens to contain confidential data, those attachments are vulnerable every time someone sends or receives a message in that thread. Furthermore, if someone gets added to the message thread as a CC or BCC, each new recipient has access to the message’s history and also generates new opportunities for a third party to intercept the messages — and their history.
Email encryption is not standardized and it is difficult to use. Major cloud-based players such as Microsoft 365 and Gmail use encryption for transmitting messages. But even Microsoft 365 gives system administrators the ability to “fine tune” settings. So while you may feel comfortable with the encryption on your end, it’s a leap of faith that both sets of servers are properly using encryption and that they can properly communicate with each other. Plus, you never know what’s going to happen after a message is sent and where it goes — in other words, did the recipient download it and store it on their personal computer?
Your options? Either move to a different mechanism or follow these suggestions.
Good Practices for Sharing Confidential Information:
1. Don’t send confidential information in plain text
Be careful what you disseminate via email. Under no circumstances should you send confidential information such as social security numbers or passwords in plain text in the body of an email message. Sending this type of data in plain text via a spreadsheet or PDF is no better.
2. Encrypt your files
Instead of sending information in plain text, embed the information into the document or spreadsheet that needs to be transmitted and use encryption that’s built into the tool.
Microsoft Office and most PDF creators all include the ability to encrypt documents and require passwords to open files.
If you need to send a tax form, legal documents, mortgage paperwork, account details, health records, or any other sort of confidential (or even sensitive) information, encrypt these files before sending.
3. Password-protect zip files
If you need to send several files at once, you can use a tool such as 7zip to create password-protected zip files containing all of the files you need to send.
4. Share passwords outside of email
Whenever you send files that are password-protected, it’s critical that you don’t send passwords via email.
Instead, use an alternate communication channel such as a phone call or text message to share passwords. We strongly recommend using a secure mechanism with end-to-end encryption such as Signal if at all possible.
Sharing the password via email — even if it is in a separate message — leaves you just as exposed as if you didn’t encrypt the files.
5. Use a secure platform instead
An alternative to encrypting files is to use a web-based file exchange platform such as Microsoft 365 or share passwords directly via a password manager.
