How to Share Files with Clients



Let’s say you have got a document with sensitive information in it, and you need to send a copy to your client or to opposing counsel. What is the best way to do that?

Here are a few options.

Not Good: Email, USB Drive

Unless you use encryption, sending an email is basically the same thing as sending a postcard. While there are efforts underway to change this, email remains pretty wide open. This is true and scary: anyone who wants to (not just the NSA) can read your email.

Sure, most of the time you can send a sensitive document through email and nothing will happen. But you are playing Russian Roulette (almost literally, given the recent theft of 1.2 billion email account credentials by a Russian gang). You may be sending documents straight to a criminal without even knowing it.
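The postcard comparison can be checked on any message you have received: each mail server that handles it stamps a Received header naming the protocol it used, and the RFC 3848 keywords ending in S (ESMTPS, ESMTPSA, LMTPS, LMTPSA) mean that hop ran over TLS. The following is an added example, not part of the original article; the sample message, host names and addresses are constructed.

```python
import email
import re

# Constructed sample message (not real traffic): three hops, newest header first.
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.7])
\tby inbox.client.example with LMTPS id c3; Mon, 4 Aug 2014 10:00:03 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
\tby mx.client.example with ESMTP id b2; Mon, 4 Aug 2014 10:00:02 -0500
Received: from laptop.firm.example (laptop.firm.example [192.0.2.5])
\tby relay.isp.example with ESMTPSA id a1; Mon, 4 Aug 2014 10:00:01 -0500
From: lawyer@firm.example
To: client@client.example
Subject: Draft agreement

See attached.
"""

# "with" protocol keywords registered by RFC 3848; an S means the hop used TLS.
TLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}
HOP = re.compile(r"(?:\bfrom\s+(\S+).*?)?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def hops(raw):
    """Return (sender, receiver, protocol, status) per hop, oldest hop first."""
    result = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        match = HOP.search(" ".join(value.split()))  # unfold the header
        if not match:
            result.append((None, None, None, "unknown"))
            continue
        proto = match.group(3).upper()
        status = "tls" if proto in TLS else "plaintext" if proto in PLAIN else "unknown"
        result.append((match.group(1), match.group(2), proto, status))
    return result


def all_hops_tls(raw):
    """True only if the message has hops and every one reports TLS.

    Headers are self-reported by each server, and TLS covers only the wire:
    every server on the path still holds a readable copy of the message.
    """
    found = hops(raw)
    return bool(found) and all(h[3] == "tls" for h in found)


if __name__ == "__main__":
    for sender, receiver, proto, status in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({status})")
    print("every hop encrypted:", all_hops_tls(SAMPLE))
```

Even when every hop reports TLS, the attachment sits unencrypted on each server along the way, which is why encrypting the file itself still matters.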

USB drives aren’t safe, either. A recently-discovered USB exploit means you could be distributing malicious code with your USB drive (or getting it from your clients) without ever knowing. While we don’t know if this exploit is being used, it is probably better to be safe than sorry, especially since better options exist.

Sometimes Okay: Dropbox, Box, Google Drive, OneDrive, Etc.

There are plenty of cloud-based file-sharing services out there, but I am just going to use the most popular — Dropbox — as a proxy for all of them. While I no longer think it makes sense to simply store all your files in Dropbox, I do think Dropbox can be useful for sharing specific files.

Related: “It’s Time for Lawyers to Re-Think the Cloud”

You can share files either by sharing with another Dropbox user or by creating a public link to the file. Sharing directly to another user is by far the better option. While public links are not advertised, anyone with the link can access the file(s). Plus, you have to send that link to your client somehow (it is too long and complex to relate by phone), which makes it no better than sending an attachment in an unencrypted email. It is not a good idea to use a public link to share sensitive information.

If you do use Dropbox to share files with clients, don’t leave public links active indefinitely. Have your client tell you when they have the file, and then remove the public link. In fact, it may be best to remove the file from Dropbox entirely, if you share my thoughts on keeping client files in Dropbox.

Better Options: SpiderOak, Viivo

Zero-knowledge, cloud-based file-sharing services like SpiderOak and Viivo offer greater security than Dropbox (et al.) while still allowing you to share files. (I use Viivo with Dropbox to keep my client files and other sensitive information secure.)

Just as with Dropbox, sharing files with other users is more secure than using a public link. Even though the files themselves are more secure with SpiderOak or Viivo, that security does no good if you send a public link via email. If you share files with another user, SpiderOak or Viivo is absolutely superior to Dropbox. If you have to email a link, however, they are no better than email.

Best Options: Encrypted Email, CD/DVD, or a Secure Portal

The best options for sharing files do not require you to grant access to the file in an email.

Encrypted Email

For now, encrypted email remains clunky, and requires some tech-savvy on both ends. Fortunately, you don’t need to go full encryption to send files more securely. You can just encrypt the attachment. Here are instructions for Microsoft Word for Windows (Word 2013) and Mac (Word 2011). And here are instructions for Adobe Acrobat.

If you opt for encrypting the attachment, use a good password and just call up the recipient to give them the password over the phone. (Don’t leave it on voicemail, though; lots of people get their voicemail by email.)


CD/DVD

You can also just burn the file to a CD or DVD and mail it. This is often the best option for large collections of documents, but it is slow if you are trying to share something like a redlined contract. Still, plain old discs are as secure as the mail.

A Secure Portal

Most cloud-based practice management software now includes file sharing, so that you can share files with a contact. When you share a file, the software sends a notice to the recipient. In order to access the file, though, they have to log in, so it is much more secure than a public link from Dropbox or Viivo. Two-factor authentication, where available, ratchets up the security even further.

A portal also allows your client to access the files over time. Despite advances in search technology, people lose emails all the time. If they just have to log into a portal (assuming they can remember their login details), they can access the files you have shared at any time.

The weak link is the inconvenience of having yet another login. If you are just going to share one or two files with someone, an encrypted attachment is probably easiest. If you are going to share a huge set of files, a CD or DVD is probably easiest. If you are going to share lots of files with someone, one at a time, a secure portal is the best option by far.

Worst: an Email Disclaimer

First, email disclaimers are pretty pointless, period.

Second, disclaimers do nothing to secure your email, even though an alarming percentage of lawyers who responded to a LexisNexis survey apparently think they do.

Learn More

This podcast from “digital detectives” Sharon Nelson and John Simek, with Bob Ambrogi, is a very accessible discussion of client file security with those appalling survey results as a backdrop.

  • Megan Hunt Dell

    What confuses me about this whole discussion is that there seems to be a higher standard for virtual mail than snail mail. If I send a letter by regular mail, and it is intercepted by someone who has no business reading it, that’s not considered a breach of my duties (unless I made some mistake – like sending it to the wrong address). Why is it any different for email?

    • The problem is that email is more like sending a postcard, and I think you absolutely would breach your ethical duties if you sent a postcard with your client’s social-security number on it.

      Enclosing a letter in an envelope makes it private. With email, you have to use encryption to do the functional equivalent of putting a letter in an envelope. So far, nobody is making this happen on a system-wide level. It’s up to each sender to decide to use encryption.

      Hopefully this will change. I’d love to see Google, Apple, Yahoo!, Microsoft, etc., get together and figure out a way to lock down the email protocols. Until that happens, though, we’re on our own.

      • Megan Hunt Dell

        That’s an interesting distinction that I haven’t seen made elsewhere before. Thanks!

      • Aaron Street

        Not to quibble with Sam’s analysis, but I think the “standard” for attorneys is the same between digital and physical mail.

        I see the issue this way: If you knew that random people regularly had access to your US Mail between when you dropped it off and when it was in the recipient’s mailbox, and you knew that it was really easy for anyone to open your sent envelopes, read the materials, and re-seal the envelopes without you or the recipient knowing, you probably would have a duty to stop sending confidential client information by mail.

        Right now, there is very little evidence that the US Postal Service has many security holes in its system and there are few, if any, cases of people snooping US Mail without getting caught (we’ll separate out questions of the FBI/CIA/NSA from this discussion, since they involve a different set of issues). Because US Mail is seen as being very safe and secure, you don’t have an obligation to take additional precaution when sending confidential client information. If we knew it wasn’t secure, you probably would have additional duties.

        In the case of digital messages (email and file sharing), we know for a fact that there are many snoops online, that their tools work really well and don’t leave a trace. We know that unencrypted, consumer-grade email and file sharing services often have weak security protocols (Sam notes that many of these are improving over time). But the fact remains that we know an unencrypted email between two consumer-grade email accounts, over a public wifi line, is totally ripe for any random stranger with a bad motive to steal your information without you even noticing. Because of that, even though the “standard” remains the same, you are obligated to take more precaution than the default settings of most tools currently enforce.

        • Spot on. Put my way, if email ever becomes more like a letter than a postcard, you can treat it more like US Mail.

        • Robert Arthur

          Regular email uses encryption. The use of SSL for transport has been standard for several years, and it is difficult to find an email provider that does not either require it or make it default. If you use a web client, I think all of the major webmail providers use https. The use of encryption on the transport layer makes it very unlikely that someone sniffing a wifi net will find anything readable.

          • HTTPS is browser-based encryption that uses SSL/TLS to secure the connection between your browser and the mail server. Also, it is only within the last year or so that HTTPS became common. Yahoo! only started supporting HTTPS after a major security breach at the beginning of 2013. Smaller providers rarely require SSL/TLS to access email with Outlook, Apple Mail, etc.

            But yes, HTTPS would shield your email from wi-fi snoopers.

            However, HTTPS does not encrypt your mail en route to its destination. Most email is transmitted from the sending server to the receiving server without encryption, or encrypted only part of the way. Snooping your email as it moves through an unencrypted mail server is reportedly about as easy as snooping unsecured wi-fi sessions.

            • Robert Arthur

              I just think the “email is like a postcard” thing is overblown. It would take a dedicated hacking effort and some luck to intercept a specific email in the transport protocol. It’s definitely not as easy as someone sitting in a coffee shop and sniffing packets with Aircrack. Besides the NSA, I’m unaware of any instance of email being intercepted in transport. Sure, email servers and clients can be penetrated, but that is a general computer security problem, not anything specific to email. Use strong passwords, SSL/TLS, and always use HTTPS, and that eliminates the vast majority of exploits.

              Besides, it is still far more likely for someone to steal your laptop when you are in the bathroom at a coffee shop. Or break into your office and steal your files. Ever see how fast someone can bump a lock?

              And depending where you live, US Mail gets stolen more often than you think. Some of my clients regularly get letters stolen out of their mailboxes, to get identity data they can sell. A letter with a law firm letterhead is low hanging fruit, in an environment like that.

              • Intercepting a specific email is difficult, yes. What’s not difficult is intercepting all email passing through a regular mail server. (And judging by the search results for “email server hacked,” it definitely happens.)

                (By the way, email = postcard is obviously not a perfect analogy, but if sending a letter through the US Mail were as insecure as email, lawyers would need personal couriers to hand-deliver all their correspondence.)

                • Robert Arthur

                  But that makes my point, Sam. The email transport protocol is not like a postcard at all, because individual emails are not easily intercepted. They aren’t visible to just anyone who happens to look, like a postcard. Email is like email; the postal service comparison is misleading.

                  Sure, email servers get “hacked,” just like any other type of server. But that’s a general computer security problem, not specific to email. Those search results are all reporting standard exploits and vulnerabilities that all internet-facing machines face. Don’t run your own email or file server unless you have a full-time IT staff that is very good. Internet-facing machines are under constant attack. Outsource your email server to a qualified company with appropriate certifications. That’s a perfectly reasonable security arrangement.

                  • I don’t think it makes your point at all.

              • I’m just going to leave this quote from Google’s Transparency Report right here:

                Many email providers don’t encrypt messages while they’re in transit. When you send or receive emails with one of these providers, these messages are as open to snoopers as a postcard in the mail.

                (Emphasis mine.)

  • Paul McGuire

    What about the use of various E-mail Encryption services as opposed to encrypting individual attachments? For example, if you want to be able to send a client questions that you know will receive sensitive information in the answer this information could be in the body of the e-mail itself and not just an encrypted file if you use a proper service. I’ve found that the service called Enlocked is easy enough to use and works well to encrypt data in transit.

    • Email encryption is absolutely the best way to go, if you can make it work for you and your clients.

  • Don Robinson

    If confidentiality is the top priority, why not hand delivery? I use it for letters of credit.

    • If confidentiality is critical, give it to the client yourself, yeah. If you aren’t handing off the Coke formula, though, encrypted email attachments work just fine.

  • Tony

    It’d be nice to see a post comparing practice management solutions’ client portals. (I know each solution has its own post, but one combined and specifically geared toward portals would be ideal.)

  • Judith

    I use FTP running on my website. That’s 100% under my control, and I can encrypt as necessary. I have found it to be useful. But I do have clients who don’t want to deal with that, and insist on email. For them, I tend to encrypt the payload on the email. I have at least one client who insists on getting things sent by email in the clear (because apparently the in-house team can’t deal with encryption, or even passwords). For them, I just rely on the standard email disclaimer.