- Email is the number-one vector for data breaches in professional services — not because of sophisticated attacks, but because of the fundamental insecurity of how attachments work.
- The four core problems: no encryption at rest, uncontrollable forwarding, no access revocation, and attachment size limits that push people toward worse alternatives.
- The right replacement depends on sensitivity: secure portals for client documents, encrypted file rooms for deal-level sharing, expiring links with audit trails for one-off transfers.
- Migration takes two weeks, not two months, if you sequence it correctly.
In 2025, the ICO’s annual breach report found that email remained the most common mechanism through which personal data in professional services was disclosed to unintended recipients. Not ransomware. Not credential stuffing. Email — the tool that every professional services firm has used for thirty years as their default method of sharing documents with clients.
This is not primarily a phishing problem, though phishing is real. The deeper issue is structural: email was not designed to be a secure document transfer mechanism, and it fails at that task in ways that are predictable, consistent, and, for regulated businesses, increasingly indefensible to regulators and insurers.
This article explains why email fails for sensitive files, the specific risk scenarios that result, and the practical alternatives that professional services firms — law firms, accounting practices, financial advisories, consultancies — are using to replace email-based document sharing without disrupting their workflows.
Why email fails for sensitive documents
Email feels secure because it is password-protected and familiar. But consider what actually happens when you attach a confidential client document to an email and press send.
No encryption at rest
The email and its attachment sit in the recipient’s inbox, typically unencrypted, indefinitely. If their email account is compromised — via credential stuffing, phishing, or a provider-side breach — every sensitive document you ever sent them is exposed. You have no control over this after the send.
Uncontrollable forwarding
The moment a file reaches the recipient’s inbox, you have no control over where it goes next. It can be forwarded to a personal address, to a third party, to a competitor. It can be downloaded to an unmanaged device. You will never know, because there is no audit trail once an email leaves your server.
No access revocation
Sent email cannot be unsent. A document emailed to the wrong address is in the wrong hands permanently. Even if you catch the error immediately, the recipient has the file — you cannot revoke their access to it. For documents containing personal data, this failure alone can trigger a mandatory GDPR breach notification.
Attachment size limits push people to worse options
When files exceed email attachment limits — typically 20–25 MB — people reach for consumer tools: WeTransfer, Google Drive with a shared link, Dropbox, WhatsApp. These are often less secure than email, not more. The workaround creates a second channel that is entirely outside any firm policy or audit trail.
These are not theoretical risks. They are the failure modes that appear in real breach reports, real ICO investigations, and real professional indemnity claims. They are also the reasons that regulators across the legal, financial services, and accounting sectors are increasingly including client document security in their supervisory expectations — and why cyber insurers are beginning to ask specifically how you share sensitive files with clients before they will renew your policy.
The risk scenarios that are actually happening
To make this concrete, here are four scenarios that represent the most common email-based document sharing failures in professional services. None of them require a sophisticated attacker. All of them have resulted in real regulatory consequences.
An associate at a commercial law firm attaches a client’s due diligence report to an email and begins typing the recipient’s name. Autocomplete selects a different contact with a similar name — a contact from a different matter. The email sends. The document contains the financial position and strategic plans of a corporate client. The associate does not notice until the correct recipient asks why they have not received the document. By the time the error is caught, the wrong recipient has opened the email and downloaded the attachment. This is a personal data breach under GDPR Article 33, with a mandatory 72-hour notification window to the ICO.
A financial advisory firm sends a client’s investment portfolio summary by email. The client forwards it to their accountant. The accountant’s email provider is compromised in a supply-chain attack six months later. The client’s financial data is included in the exfiltrated dataset. The advisory firm had no knowledge of the forward, no way to prevent it, and no audit trail showing it occurred. Their cyber insurer asks specifically whether they sent the document by email or through a secure portal. They sent it by email. The claim is complicated.
An accounting firm’s email system rejects a client’s large tax file because it exceeds the attachment size limit. The client, unable to send it by email, uploads it to their personal Dropbox and sends a sharing link. The file is stored on Dropbox indefinitely with no expiry. The client’s personal Dropbox is not subject to the firm’s data processing agreement. The file contains payroll data for multiple employees of the client’s business. Two years later, during a GDPR compliance review, the firm discovers it has no record of how this data was transmitted, stored, or deleted.
A consultant leaves a management consultancy and retains access to their personal email account, which they used for some client correspondence despite firm policy. The firm has no way to revoke access to the documents that were sent to that address over three years. Eighteen months later, the consultant takes a role at a competitor. The client documents they received by email, stored in a personal archive, are still accessible. The firm has no audit trail of what was sent, to which address, or when.
These scenarios share a common thread: the risk was created at the moment of sending, and there was no mechanism to contain it afterward. Email is a one-way door. Once a document is sent, the sender’s control ends entirely.
What to use instead: matching the alternative to the use case
The right replacement for email-based file sharing depends on the use case, the sensitivity of the document, and the frequency of the sharing relationship. There is no single tool that replaces email for all purposes — but for most professional services firms, three alternatives cover the full range of document sharing needs.
Secure client portal for ongoing client relationships
For any client with whom you have a continuing relationship — an active matter, a retainer, a recurring engagement — a secure client portal is the right infrastructure. Documents are uploaded to a client-specific workspace. The client accesses the portal with MFA. Every upload, download, and view is logged. Documents can be revoked. Access expires when the engagement ends. This replaces email for all document sharing within an ongoing relationship and creates a complete, auditable record of what was shared, when, and with whom. The portal becomes the single source of truth for all documents exchanged — eliminating the parallel reality of email inboxes that no one can fully reconstruct.
Encrypted file room for deal-level collaboration
For transactions, due diligence, and M&A processes involving multiple parties and large document volumes, an encrypted virtual data room provides deal-level permissions, watermarking, time-limited access, and NDA-gated entry. This is distinct from a client portal because it is deal-scoped rather than relationship-scoped: multiple parties can access it with different permission levels, and it is designed to close when the deal completes. For law firms and financial advisories managing complex transactions, this replaces the ad hoc combination of email chains and consumer file-sharing links that typically characterise document distribution in deal processes.
Expiring secure link for one-off transfers
For one-time document transfers with parties who are not clients and for whom a full portal relationship is disproportionate, a secure expiring link is appropriate. The document is uploaded to a secure server, a time-limited link is generated (expiring in 24–72 hours), and the link is sent by email. The recipient accesses the document through the secure server, not as an email attachment. Access is logged. When the link expires, access is revoked regardless of whether the recipient has downloaded the file. This is meaningfully more secure than an attachment and takes no more time to send.
The practical principle is: the more sensitive the document and the more ongoing the relationship, the further along this spectrum you should operate. Passports, financial statements, legal correspondence, and signed agreements should never travel as email attachments for any relationship that has a portal alternative available. The expiring link is a floor, not a ceiling.
The migration: how to make the switch in two weeks
The most common objection to moving away from email-based file sharing is “clients are used to it.” This objection is both true and overstated. Clients are used to it because it is what their advisers have offered. When advisers offer something better — a portal where they can see all their documents in one place, that does not fill their inbox, that they can access at midnight before a meeting — the majority prefer it within two weeks of using it.
The firms that have made this transition successfully have followed a consistent sequence.
Identify your highest-sensitivity document types first
Start with the documents that create the most risk if sent by email: identity documents, financial statements, legal agreements, medical or HR records. These are the documents you should stop emailing immediately. Making a short list of these types — typically five to eight categories — gives you a clear trigger: any document in this list goes through the portal, not email, without exception.
Set up the portal for active clients before communicating the change
Before telling clients anything has changed, configure portal access for your ten most active clients. Populate each workspace with documents you would typically send them. When you send the portal invitation, it arrives alongside content — not as an empty system asking them to change their habits for nothing. An invitation that says “your documents are waiting for you here” converts significantly better than one that says “please use this instead of email in future.”
Frame the change as a security upgrade for the client
The communication to clients should lead with their benefit, not your operational preference. “We have moved to a secure document portal so your sensitive files are protected by end-to-end encryption and multi-factor authentication — rather than sitting as attachments in an email inbox” is accurate and persuasive. Clients in professional services relationships understand and appreciate that their sensitive information should be held securely. The majority will not resist this framing.
Set a date after which email attachments of sensitive documents stop
Give active clients a two-week window from invitation to transition. After that date, if a client sends a sensitive document by email, the response is: “Thank you — for the security of your information, could you please upload this to your portal? Here is the link.” This is not aggressive. Most clients will do it without friction. The few who object usually come around within one or two gentle redirections. Maintaining a parallel email channel indefinitely prevents the transition from completing.
Update your engagement letter and privacy notice
Once the portal is live, update your standard engagement letter to describe how documents will be exchanged — referencing the portal rather than email. Update your privacy notice to reflect that client documents are stored in a secure encrypted portal rather than transmitted by email. These changes are brief but they matter: they formalise the new process, set client expectations from the outset of a new matter, and demonstrate to regulators that secure document handling is a deliberate policy, not an accidental practice.
What about clients who simply will not use a portal? There are always a small number of clients — typically older, less technically comfortable, or simply habitual — who will resist moving to a portal. For these clients, the pragmatic approach is to accept that email will continue for non-sensitive communications, and to use the expiring secure link option for any document that carries real risk if intercepted or forwarded. This is not the ideal, but it is materially better than attaching a passport copy to an email. Do not let the edge case prevent the majority transition.
The regulatory and insurance angle
Beyond the operational benefits, the move away from email-based file sharing has direct implications for your regulatory standing and your insurance position. Both are increasingly scrutinising how professional services firms handle client document transfer.
The ICO’s guidance on email security for organisations handling personal data explicitly states that personal data should not be transmitted via unencrypted email where more secure alternatives are available. For firms that handle large volumes of personal data — every law firm and accounting practice qualifies — continuing to send sensitive documents as unencrypted email attachments when portal alternatives exist is increasingly difficult to justify as a reasonable technical measure under GDPR Article 32.
On the insurance side, cyber underwriters conducting pre-renewal assessments are now asking specific questions about how client files are shared. Firms that can demonstrate they use encrypted portals rather than email attachments for sensitive documents are presenting materially lower risk profiles — and some underwriters are beginning to price this difference. A firm that suffers a breach through an email attachment, where a portal was available and not used, will face harder questions about whether they took reasonable precautions.
The practical conclusion is that email-based file sharing for sensitive documents is no longer a neutral choice. It is a risk posture — one that is becoming harder to defend to regulators, harder to justify to clients who understand data security, and more expensive to insure. The tools to do better are available, they are not expensive, and the migration is achievable in a fortnight. The question is no longer whether to make the change, but when.
Secure file sharing built into your client workflow
HubSecure gives professional services firms a secure client portal with end-to-end encrypted file sharing, expiring links, full audit trails, and MFA — so sensitive documents never need to travel as email attachments again.
Reserve your founding seat