
Secure Client Communication: Email, Portals, and Privilege

Insecure communication risks client confidentiality and privilege. Learn how to protect attorney-client communications through email, portals, and best practices.

ModernLawOffice | March 15, 2026 | 11 min read

A client emails you sensitive financial records from their personal Gmail account. You reply with legal advice from your firm's email. The client forwards your advice to their spouse, who's also involved in the matter. Their spouse's employer monitors company email, and your legal advice is now sitting on a corporate server.

Was that communication privileged? Is it still? And what's your obligation to prevent this from happening in the first place?

These questions aren't hypothetical. They arise every day in solo and small firm practices where client communication happens through whatever channel is most convenient — personal email, text messages, even social media direct messages. And "most convenient" is often the least secure.

Why This Matters More Than You Think

Attorney-client privilege is the foundation of the legal profession's value proposition. Clients share sensitive information with their attorneys because they trust it will be protected. That trust is both ethical obligation and business necessity.

But privilege and confidentiality are only as strong as the communication channels they travel through. The ABA's Model Rules of Professional Conduct require attorneys to make "reasonable efforts" to prevent unauthorised disclosure of client information. What constitutes "reasonable efforts" in 2026 is different from what it was in 2010, and the bar keeps rising.

The ethical duty isn't just about preventing hackers. It's about understanding the technology you use to communicate with clients and making informed decisions about its security implications.

The Email Problem

Email is the default communication channel for most law firms. It's also, in its standard form, one of the least secure.

How Standard Email Works

When you send a standard email, it travels from your email server to the recipient's email server, potentially through several intermediary servers. At each hop, the message can be intercepted, logged, or stored. Standard email protocols (SMTP) transmit messages in plain text by default.

Most modern email providers encrypt messages in transit using TLS (Transport Layer Security), which prevents interception between servers. But TLS isn't universal, and it only protects the message while it's moving. Once it arrives at the recipient's email server, it sits there in whatever state that server maintains — which you don't control.
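To see which hops of a received message actually used TLS, you can read the Received headers each server prepends. The following is an added example, not part of the original article; the message, hostnames, and IDs are constructed, and the function names are hypothetical. Each header is written by the receiving server, so entries from servers you don't control are that server's claim, not proof.

```python
import re
from email import message_from_string

# Constructed sample message (reserved example domains and documentation IPs).
SAMPLE = """\
Received: from mx.client-mail.example (mx.client-mail.example [203.0.113.7])
\tby mail.lawfirm.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 16 Mar 2026 09:14:03 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx.client-mail.example with ESMTP id def456;
\tMon, 16 Mar 2026 09:14:01 -0400
Received: from laptop.home.example ([192.0.2.44])
\tby relay.isp.example with ESMTPSA id ghi789;
\tMon, 16 Mar 2026 09:13:58 -0400
From: client@client-mail.example
To: attorney@lawfirm.example
Subject: Financial records

See attached.
"""

# RFC 3848 "with" keywords; the S marks a TLS-protected session.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hops(raw_message):
    """Return hops in travel order as (from_host, by_host, protocol, tls)."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its header, so reverse to get sender -> recipient.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if not m:
            continue  # lines without "from ... by ... with" (e.g. local delivery)
        frm, by, proto = m.group(1), m.group(2), m.group(3).upper()
        tls = proto in TLS_PROTOCOLS or bool(re.search(r"\bTLSv?\d", header))
        result.append((frm, by, proto, tls))
    return result

def unencrypted_hops(raw_message):
    """Hops where the receiving server did not record TLS."""
    return [(f, b) for f, b, _, tls in hops(raw_message) if not tls]

if __name__ == "__main__":
    for frm, by, proto, tls in hops(SAMPLE):
        print(f"{frm} -> {by}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

In the sample, the middle hop between the client's ISP relay and their mail provider was recorded as plain ESMTP, even though the first and last hops were encrypted.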

The Practical Risks

Client-side risks: Your client checks their email on a shared family computer, a work device monitored by their employer, or a phone without a passcode. The security of your communication is limited by the weakest link, and the weakest link is almost always the client's device and habits.

Server-side risks: Free email services scan message content for advertising and other purposes. While major providers have strong security practices, a client's personal email account is not an environment you control or can verify.

Forwarding and sharing: Clients forward emails. They share them with family members, business partners, or other advisors. Each forwarding action potentially broadens the audience beyond what you intended and may waive privilege.

Persistence: Emails persist indefinitely unless actively deleted. Old messages containing sensitive legal advice sit in inboxes, trash folders, and backup systems for years.

What the Ethics Rules Say About Email

The ABA issued Formal Opinion 477R in 2017, addressing an attorney's obligations when communicating electronically. The key takeaway: unencrypted email is generally acceptable for routine communications, but attorneys must assess the sensitivity of the information and use enhanced security measures when the nature of the communication warrants it.

Factors to consider:

  • The sensitivity of the information being communicated
  • The likelihood of disclosure if additional safeguards are not used
  • The cost and difficulty of implementing additional safeguards
  • The extent to which the communication method is already protected by confidentiality protections (like a secure client portal)
  • The client's instructions and circumstances

In practice, this means unencrypted email is probably fine for scheduling a meeting or confirming a court date. It's probably not fine for sending a client's Social Security number, financial records, or detailed legal strategy in a high-stakes matter.

Tip

The standard you're being held to is "reasonable efforts," not "perfect security." You don't need military-grade encryption for every email. You do need to think about what you're sending and whether the channel matches the sensitivity of the content.

Secure Communication Options

Encrypted Email

Email encryption ensures that only the intended recipient can read the message. There are several approaches:

End-to-end encryption (E2EE): Services like ProtonMail provide encryption where only the sender and recipient can decrypt the message. The email provider itself cannot read it. This is the strongest form of email security.

S/MIME and PGP: These are encryption standards that work with existing email providers. They require both parties to exchange encryption keys, which creates a setup burden that makes them impractical for client communication in most law practices.

Portal-based encryption: Some services (including features in Microsoft 365 and Google Workspace) let you send encrypted emails that the recipient accesses through a secure web portal rather than in their email client. The message never sits unencrypted in the recipient's inbox.

For most solo and small firms, portal-based encryption or an encrypted email service is the most practical option. True end-to-end encryption with standard email clients requires technical sophistication that most clients don't have.

Client Portals

A client portal is a secure, web-based environment where you and your client can exchange messages, documents, and case updates. Unlike email, a portal:

  • Keeps all communications within a controlled environment
  • Requires authentication (login) to access
  • Logs all access and activity
  • Doesn't leave messages sitting in an email inbox
  • Can enforce document-level permissions
  • Creates a clear record of what was shared and when

Most practice management platforms include a client portal feature. Standalone portal solutions also exist. The key is that the portal provides a contained, authenticated environment for sensitive communications.

Warning

A client portal only works if clients actually use it. The biggest failure mode is setting up a portal that clients ignore because checking email is easier. Make the portal easy to access (mobile-friendly, simple login), and explain to clients why you're using it: "This portal keeps our communications confidential and creates a secure record of everything we discuss."

Secure Messaging Apps

Some attorneys use encrypted messaging apps like Signal for client communication. Signal provides end-to-end encryption by default and is widely regarded as one of the most secure messaging platforms available.

The advantages are real: strong encryption, widespread availability, and clients already know how to use messaging apps. But there are concerns:

  • Message retention is controlled by the client, not the attorney
  • Disappearing messages may conflict with record-keeping obligations
  • Professional boundaries can blur when you're communicating on the same platform clients use for personal conversations
  • Some jurisdictions have specific requirements about maintaining records of client communications

If you use a messaging app for client communication, ensure you can retain records of the communications as required by your jurisdiction's record-keeping rules.

Phone Calls and Video Conferences

Traditional phone calls remain one of the more secure communication methods — they're not stored on servers, they're difficult to intercept at scale, and they leave no digital trail (unless recorded). For highly sensitive discussions, a phone call may be more appropriate than any digital channel.

Video conferencing platforms vary in their security. Look for platforms that offer end-to-end encryption for meetings. At minimum, use platforms that require meeting passwords or waiting rooms to prevent uninvited access.

Protecting Privilege in Digital Communications

Security is one concern. Privilege is another — and they're related but distinct.

The Third-Party Problem

Attorney-client privilege can be waived when a third party is present during or has access to the communication. In the digital context, this creates several risks:

Shared devices: If your client reads your legal advice on a computer shared with their spouse, and the spouse accesses those emails, privilege may be waived for those communications.

Work email: If your client communicates with you from their work email address, their employer may have the right to access those communications. Courts have reached different conclusions on this, but the risk is real.

Cloud storage: If your client stores your emails or documents in a cloud service shared with others, the shared access may waive privilege.

CC and forwarding: When a client CCs or forwards your advice to someone who isn't covered by the privilege (not a co-client, not an agent of the client for purposes of seeking legal advice), the privilege may be waived for that communication.

Best Practices for Preserving Privilege

Include a confidentiality notice. Every email should include a standard confidentiality footer stating that the message is privileged and confidential and that unintended recipients should delete it. This notice doesn't guarantee privilege protection, but it demonstrates intent and can support a privilege claim.

Advise clients about their email environment. At the start of representation, discuss communication security with your client. Ask whether they use a work email address, share devices, or have other circumstances that could compromise confidentiality. This conversation is part of your duty of competence.

Use a dedicated communication channel. If possible, have clients use a personal (non-work) email address for legal communications, or use a client portal that keeps communications out of their regular email entirely.

Document your security choices. If a client insists on communicating via unencrypted email despite your recommendation to use a more secure channel, document that instruction. An engagement letter provision addressing communication methods and client acknowledgment of risks protects you if a confidentiality issue arises later.

Building a Communication Security Policy

Every law firm — even a solo practice — should have a written communication security policy. It doesn't need to be elaborate. It needs to cover:

1. Default Communication Channels

Define what channels you use for different types of communication:

  • Routine scheduling and logistics: standard email acceptable
  • Case strategy and legal advice: encrypted email or client portal
  • Document exchange: client portal with access controls
  • Urgent matters: phone call, followed by written confirmation through secure channel

2. Client Onboarding Communication

At the start of every engagement, discuss communication preferences and security with the client. Include in your engagement letter:

  • What communication channels you'll use
  • What the client should and shouldn't do with your communications (don't forward legal advice, don't use work email)
  • The client's preferred communication method and acknowledgment of any risks

3. Staff Training

If you have staff, they need to understand the communication security policy. A paralegal who emails sensitive documents to a client's work address can create the same privilege and confidentiality problems as if you'd done it yourself.

4. Incident Response

What happens if a communication is sent to the wrong person? Or if you learn that a client's email has been compromised? Have a basic plan:

  • Immediately notify the client
  • Assess what information was exposed
  • Determine whether any privilege claims need to be asserted
  • Document the incident and your response
  • Consider whether reporting obligations apply (some jurisdictions require notification of data breaches)

A Practical Starting Point

If you're currently using standard email for all client communication and want to improve:

  1. This week: Add a confidentiality notice to your email signature if you don't have one.
  2. This month: Discuss communication security in your next new client onboarding. Add a communication preferences section to your engagement letter.
  3. This quarter: Evaluate client portal options. Most practice management platforms include one. The setup is typically straightforward.
  4. Ongoing: Assess each communication's sensitivity before sending. Routine messages can go via email. Sensitive documents and legal strategy should go through a more secure channel.

The goal isn't to make communication difficult or to create barriers between you and your clients. The goal is to match the security of the channel to the sensitivity of the content — and to make sure your clients understand why you're doing it.

Your clients trust you with their most sensitive information. The way you handle that information — including how you transmit it — is part of the service you provide. Getting communication security right isn't just an ethical obligation. It's a demonstration of the professionalism and care that your clients are paying for.
