Let’s say you have got a document with sensitive information in it, and you need to send a copy to your client or to opposing counsel. What is the best way to do that?
Here are a few options.
Not Good: Email, USB Drive
Unless you use encryption, sending an email is basically the same thing as sending a postcard. While there are efforts underway to change this, email remains pretty wide open. This is true and scary: anyone who wants to (not just the NSA) can read your email.
Sure, most of the time you can send a sensitive document through email and nothing will happen. But you are playing Russian Roulette (almost literally, given the recent theft of 1.2 billion email account credentials by a Russian gang). You may be sending documents straight to a criminal without even knowing it.
USB drives aren’t safe, either. A recently-discovered USB exploit means you could be distributing malicious code with your USB drive (or getting it from your clients) without ever knowing. While we don’t know if this exploit is being used, it is probably better to be safe than sorry, especially since better options exist.
Sometimes Okay: Dropbox, Box, Google Drive, OneDrive, Etc.
There are plenty of cloud-based file-sharing services out there, but I am just going to use the most popular — Dropbox — as a proxy for all of them. While I no longer think it makes sense to simply store all your files in Dropbox, I do think Dropbox can be useful for sharing specific files.
You can share files either by sharing with another Dropbox user or by creating a public link to the file. Sharing directly to another user is by far the better option. While public links are not advertised, anyone with the link can access the file(s). Plus, you have to send that link to your client somehow (it is too long and complex to relate by phone), which makes it no better than sending an attachment to an unencrypted email. It is not a good idea to use a public link to share sensitive information.
If you do use Dropbox to share files with clients, don’t leave public links active indefinitely. Have your client tell you when they have the file, and then remove the public link. In fact, it may be best to remove the file from Dropbox entirely, if you share my thoughts on keeping client files in Dropbox.
Better Options: SpiderOak, Viivo
Zero-knowledge, cloud-based file-sharing services like SpiderOak and Viivo offer greater security than Dropbox (et al.) while still allowing you to share files. (I use Viivo with Dropbox to keep my client files and other sensitive information secure.)
Just as with Dropbox, sharing files with other users is more secure than using a public link. Even though the files themselves are more secure with SpiderOak or Viivo, that security does no good if you send a public link via email. If you share files with another user, SpiderOak or Viivo is absolutely superior to Dropbox. If you have to email a link, however, they are no better than email.
Best Options: Encrypted Email, CD/DVD, or a Secure Portal
The best options for sharing files do not require you to grant access to the file in an email.
For now, encrypted email remains clunky, and requires some tech-savvy on both ends. Fortunately, you don’t need to go full encryption to send files more securely. You can just encrypt the attachment. Here are instructions for Microsoft Word for Windows (Word 2013) and Mac (Word 2011). And here are instructions for Adobe Acrobat.
If you opt for encrypting the attachment, use a good password and just call up the recipient to give them the password over the phone. (Don’t leave it on voicemail, though; lots of people get their voicemail by email.)
You can also just burn the file to a CD or DVD and mail it. This is often the best option for large collections of documents, but it is slow if you are trying to share something like a redlined contract. Still, plain old discs are as secure as the mail.
A Secure Portal
Most cloud-based practice management software now includes file sharing, so that you can share files with a contact. When you share a file, the software sends a notice to the recipient. In order to access the file, though, they have to log in, so it is much more secure than a public link from Dropbox or Viivo. Two-factor authentication, where available, ratchets up the security even further.
A portal also allows your client to access the files over time. Despite advances in search technology, people lose emails all the time. If they just have to log into a portal (assuming they can remember their login details), they can access the files you have shared at any time.
The weak link is the inconvenience of having yet another login. If you are just going to share one or two files with someone, an encrypted attachments is probably easiest. If you are going to share a huge set of files, a CD or DVD is probably easiest. If you are going to share lots of files with someone, one at a time, a secure portal is the best option by far.
Worst: an Email Disclaimer
Second, disclaimers do nothing to secure your email, even though an alarming percentage of lawyers who responded to a LexisNexis survey apparently think they do.
This podcast from “digital detectives” Sharon Nelson and John Simek, with Bob Ambrogi, is a very accessible discussion of client file security with those appalling survey results as a backdrop.
Featured image: “senior manager is Giving a lot of work” from Shutterstock.