Center For Practice Management, Ethics, Security

Three Ways to Securely Share Documents Electronically

You send and receive documents electronically with clients. Many documents. You have considered what is in the document, such as sensitive, privileged, and confidential information, and how to protect it.  What workflows for securely sending/receiving documents balance ease of use for you and your client with adequate security?  You do not necessarily need any new technology, just use what you have effectively.

What Are You Protecting?

When sending, receiving, or sharing documents with clients and other parties consider what information is contained in the document. Confidentiality is paramount.  Does the document contain sensitive data protected by laws or regulations like PII, health, financials, or real estate transactions? How will you ensure the data is protected, sent to the correct person, and only available to the intended parties?

Confidentiality

The NC Rules of Professional Conduct were updated to reflect changes made in the ABA Model Rules for Rule 1.6 (Confidentiality). In Comment 19 of the Rule a list of factors to assess the necessary efforts to protect information are illustrated. These factors help define what reasonable care efforts to protect confidential information entail. They include (but are not limited to):

  • the sensitivity of the information;
  • the likelihood of disclosure if additional safeguards are not employed;
  • the cost of employing additional safeguards;
  • the difficulty of implementing the safeguards;
  • and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

The Comment to the Rule further states: “A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.”

Comment 20 to NC RPC 1.6 focuses on transmitting communication with clients, with a focus on taking reasonable precautions to prevent the information from coming into the hands of unintended recipients. While you are not required to use special security methods “if the method of communication affords a reasonable expectation of privacy” the Comment notes that “special circumstances, however, may warrant special precautions”.

Additional considerations from an ethics perspective are outlined in ABA Formal Opinion 477R “Securing Communication of Protected Client Information”.  The Texas Bar Opinion 648 on email encryption provides concrete scenarios to contemplate when determining reasonable steps to secure confidential and sensitive information in electronic transfer of documents and information.

Emailing Documents

It is unlikely and inadvisable to send highly confidential or sensitive information in the body of an email. If you do, the email itself should be encrypted. However, it is more likely that the attachment(s) to the email contain information that requires additional protections. Whether a WordPerfect document, a Word document, or a PDF created with a product like Adobe Acrobat, you can add a password that is required before the document can be opened. While this is not perfect protection, it will thwart most from accessing the contents of the document without the password. You should not email the password to the document, whether in the body of the email with the attachment or a separate email. Instead consider establishing a unique, long, and strong password for documents with the client at the beginning of representation. You can store the passwords in the secure vault of a password management application for safe keeping or keep them in a password protected spreadsheet.

Online Document Storage

Whether your firm uses Dropbox for Business, OneDrive for Business, Google Workspace (f/k/a G-Suite), Box, ShareFile or one of the many others, most online storage systems make it possible to share files and folders with outside parties. Sending an email with multiple attachments is clunky and may create version control issues, as well as making it more difficult for the client to add additional protection if she doesn’t have the paid tools that include password security for documents. Sending a link to a file or folder for the client to access via a login that they create also keeps you out of the business of managing passwords. Most of the online storage products for business have a variety of protections you can set up when sharing files, from read-only, password, expiry dates, authentication and more. In some cases, the most stringent security will require the client to create an account with the platform for free to access the files.

Client Portals

If you use a SaaS (software as a service or cloud based) practice management application or document management system you may have the ability to create a client portal. The client creates a username and password (free) to access not only files you have placed for them in the portal, but they can also upload files. Additionally, depending on the product you are using, you can add invoices that they can pay online, share deadlines and calendars, tasks, and communications. If you have this capability in your practice management application it is well worth exploring, not only as a client service benefit but also to correspond and share information securely.

Conclusion

Securely sharing documents with clients, when faced with all the rules, regulations, and statutes regarding protecting confidence and defined information can be intimidating. However, you likely have all the tools you need to add a layer of protection when sharing documents with your clients.