Attorney sent financial documents via email - is this a security issue?
April 4, 2024 5:04 PM

A relative is using an attorney to help straighten out an identity theft issue. To prove that a loan was obtained fraudulently, the attorney had to submit a bunch of documents including tax returns, bank statements, brokerage statements, etc. I have now learned that the attorney sent these documents as attachments via email rather than using a secure portal. My understanding, based on various IT folks I have spoken to over the years, is that this is a huge no-no security wise. Is that so? How concerned should we be?
posted by Larry David Syndrome to Computers & Internet (14 answers total) 2 users marked this as a favorite
 
Normally when things are sent via email, they are password protected. The password is usually very obvious (like the zip code of the person's home address) but at least it is not totally in the clear. I would be concerned.
posted by metahawk at 5:07 PM on April 4, 2024 [1 favorite]


Response by poster: Not to threadsit, but added info: attorney also emailed the scanned documents to my relative and the relative was able to view the documents without entering a password, so I don't think they were even password protected.
posted by Larry David Syndrome at 5:11 PM on April 4, 2024


Best answer: Historically this was a big concern.

Any server on the internet 'in between' the sender and receiver could read your messages.

However nowadays almost all emails are encrypted in transit between sender and receiver. Google reports 97-99% of inbound and email is encrypted in transit (with a technology called TLS, which is also what keeps secure websites secure).

It is still best practice to either (a) upload sensitive info via a secure website or other channel; or (b) encrypt your emails end-to-end, with a technology like PGP.

However I wouldn't categorise sending sensitive info over email as a "huge no-no" nowadays. I assume you're not at risk of targeted attack by hackers or a state.

There is not much point in password-protecting attachments unless you only ever share the password over another channel such as telephone.

I can understand you being worried given a relative is dealing with identity theft.
posted by Klipspringer at 5:24 PM on April 4, 2024 [20 favorites]


Our policy is zip the files and send by email, password via WhatsApp or another channel. My insurance uses a password based on a certain set of numbers from our ID plus the policy number rather than generating a password.

Did you check if your relative asked for the documents to be emailed to them? I have had people complain about passwords/zip where outside of work stuff, I’ve sent them files directly by email without a worry.
posted by dorothyisunderwood at 5:33 PM on April 4, 2024 [1 favorite]


While it may not be ideal, it is certainly not unusual among lawyers and law firms.
posted by lookoutbelow at 5:51 PM on April 4, 2024 [8 favorites]


I would still consider sending sensitive personally identifying info over email to be a big no-no, but I also see people who should know better doing stuff like this all the time. Probably nothing bad (well nothing worse) will happen.
posted by mskyle at 5:52 PM on April 4, 2024 [1 favorite]


It's not a great idea but I also wouldn't lose sleep over it. If I anticipated more such documents being sent I'd ask about finding a more secure way to transmit them next time. But I'd expect that solution to be "email with a password," not a secure portal, most likely.
posted by Stacey at 6:01 PM on April 4, 2024 [1 favorite]


"There is not much point in password-protecting attachments unless you only ever share the password over another channel such as telephone."

Typo-in-the-email-address protection, as well as "rando looking at someone else's files" protection.

I would file this under "not a good general practice, but in any given individual case, unlikely to cause problems."
posted by praemunire at 6:11 PM on April 4, 2024 [3 favorites]


Response by poster: Armed with Klipspringer's info about TLS encryption, I was able to talk the relative through viewing the "raw email" in an attempt to determine the encryption level, and after the IP address of the (sender? email server?) it says "received TLS version ....bippity blah cypher bippity blah". So we may be OK. Thanks to all who responded!
posted by Larry David Syndrome at 6:17 PM on April 4, 2024 [5 favorites]
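
Added example (not part of the original thread): the check described in the post above, reading each Received header of a raw message and reporting whether that hop recorded TLS. The message, hostnames and addresses are constructed, and the two header layouts handled (Gmail-style `version=TLS1_3`, Postfix-style `using TLSv1.3`) are assumptions about what the receiving servers write.

```python
import email
import re

# Constructed sample message; example.* names and 192.0.2.x / 198.51.100.x
# addresses are documentation placeholders. The newest hop is listed first.
RAW = """\
Received: from mx.lawfirm.example (mx.lawfirm.example. [192.0.2.10])
        by mx.recipient.example with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Apr 2024 14:02:11 -0700 (PDT)
Received: from scanner.lawfirm.example (unknown [198.51.100.7])
        by mx.lawfirm.example (Postfix) with ESMTP id 4F2A1;
        Thu,  4 Apr 2024 17:02:09 -0400 (EDT)
From: attorney@lawfirm.example
To: client@recipient.example
Subject: Scanned documents

See attached.
"""

# Matches "TLSv1.3" and "TLS1_3", but not cipher names such as TLS_AES_...
TLS_VERSION = re.compile(r"\bTLS\s?v?(\d(?:[._]\d)?)", re.I)
PROTOCOL = re.compile(r"\bwith\s+((?:E?SMTP|LMTP)S?A?)\b", re.I)


def tls_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # undo header folding
        sender = re.match(r"from\s+(\S+)", text, re.I)
        receiver = re.search(r"\bby\s+(\S+)", text, re.I)
        version = TLS_VERSION.search(text)
        proto = PROTOCOL.search(text)
        # RFC 3848: ESMTPS / ESMTPSA mean the hop was delivered over TLS.
        over_tls = bool(proto and proto.group(1).upper().endswith(("S", "SA")))
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "tls": version.group(1).replace("_", ".") if version else None,
            "encrypted": over_tls or version is not None,
        })
    return hops


if __name__ == "__main__":
    for hop in tls_hops(RAW):
        state = f"TLS {hop['tls'] or '?'}" if hop["encrypted"] else "no TLS recorded"
        print(f"{hop['from']} -> {hop['by']}: {state}")
```

Each Received line is written by the server that accepted the message, so the result is per hop: in the constructed sample the final delivery used TLS while the earlier internal hop did not. These headers describe transit only and say nothing about how the message is stored in either mailbox afterwards.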


I’m afraid you’re looking in the wrong place for the security problem. People intercepting the data in transit has never been a real problem to speak of (there was a brief era when WiFi was first becoming popular) but simply having the unencrypted files sitting online in people’s mailboxes — particularly people who work for companies with email retention policies — means that if someone’s account gets hacked, your documents are sitting there waiting for them.

Those documents should’ve been encrypted before they got anywhere near a mail program, and as others have said the password should’ve been sent via a different method. As long as those were done you can rest easy.
posted by Tell Me No Lies at 8:27 PM on April 4, 2024 [5 favorites]


Seconding Tell Me No Lies. The bigger risk is a hack of the law firm's network, or the recipient's computer. Part of the safety of email is the enormous amount of traffic on the internet.

Be sure that the password your computer uses to log into your ISP is strong.
posted by SemiSalt at 4:58 AM on April 5, 2024 [1 favorite]


Just as a recent anecdotal example, I was the executor for an estate recently, which necessitated working with a couple of lawyers as well as a tax specialist, plus a bunch of banks and agencies. One of the lawyers and also the tax preparer used systems where you had to log in to download or upload files. One bank would send password protected PDFs (which were easy to defeat for convenience). Every other lawyer, bank, and all agencies would simply send things as email attachments. Actually, now that I think about it, so did the court itself.

So whatever "best practices" actually are, sending things as regular attachments is still very common and apparently low-risk.
posted by Dip Flash at 6:40 AM on April 5, 2024 [1 favorite]


I'm a lawyer and send and receive confidential documents by email all day long and so do hundreds of other lawyers that I interact with. Large corporate clients demand audits of our IT system to assure themselves of security, which is common in the industry, but, other than that, they're good with email transmission. That is all to say that this is pretty normal, whether it is a good idea or not.
posted by Mid at 7:26 AM on April 5, 2024 [4 favorites]


I deal frequently with lawyers and it's absolutely normal to share documents via email or, when there are large or lots of documents, via services such as Dropbox. I'm not suggesting either of these is particularly secure, but it is definitely normal.
posted by dg at 11:06 PM on April 7, 2024

