
The Email Privacy Illusion: Part 3 of 3 — What Healthcare Figured Out That Law Hasn’t


What Healthcare Figured Out About Confidential Communication That Law Has Not

In March 2018, a family law attorney in Columbus, Ohio, discovered that her client’s estranged husband had been reading every email she sent for eleven months. The husband had guessed his wife’s Gmail password, set up automatic forwarding to a separate account, and monitored every communication between attorney and client in real time. Settlement strategy. Custody evaluations. Financial disclosures. Eleven months of privileged communications, delivered to the opposing party before the ink dried on each reply.

The attorney had done nothing wrong by the standards most lawyers apply. She used her firm’s business email. She included the standard confidentiality disclaimer. She followed every practice that most state bars consider adequate.

None of it mattered. The privileged communications lived in the client’s Gmail inbox, sitting on Google’s servers, accessible to anyone with the password. The attorney controlled her side of the channel. She controlled nothing about the other end.

Now consider a different scenario. When was the last time your doctor emailed you test results? If your healthcare provider follows HIPAA, the answer is never. You receive a notification: “You have a new message. Log in to view.” The actual content stays on a secure server. You authenticate to access it. The sensitive information never traverses the open internet, never lands in a Gmail inbox, and never sits in a mailbox that an estranged spouse can access with a guessed password.

Healthcare solved this problem years ago. The legal profession, despite having analogous confidentiality obligations under Model Rule 1.6, has not.

It’s time we did.

The solution to email’s fundamental insecurity is to stop sending sensitive content through email altogether. Send notifications that direct clients to a secure portal where the actual communication resides. The message stays under your control, on servers you select, with access you can audit and revoke. The client authenticates to view it. No third party ever touches the content.

This is Part 3 of a three-part series on email privacy. In Part 1, “The Email Privacy Illusion: Why Your Free Email Account Is the Biggest Risk to Your Bar License,” I examined how free email providers systematically process every message attorneys send and receive. In Part 2, I addressed the subtler exposure that persists even when your email is secure but your client’s is not. This installment presents the solution that healthcare adopted under regulatory pressure and the legal profession can adopt voluntarily, before a judge mandates it.

While working on a healthcare project a few years ago, I earned my HIPAA Master’s certification. The training covered the HITECH Act’s detailed technology requirements for patient confidentiality: encryption standards, access controls, audit trails, and breach notification protocols. Halfway through the coursework, a question kept nagging at me: Why hasn’t law implemented the same security protocols for privilege?

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement “reasonable and appropriate” administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). The HITECH Act, signed into law in February 2009, strengthened these requirements and extended direct liability to business associates. The penalty structure leaves no room for ambiguity: four tiers of civil monetary penalties ranging from $100 per violation for unknowing breaches to $50,000 per violation for willful neglect, with annual caps reaching $1.5 million per provision.

Faced with those consequences, the healthcare industry built patient portals. The architecture is simple. Sensitive information resides on a secure server controlled by the provider. Patients receive an email or text notification that a message is available. They log in using credentials that authenticate their identity. The actual content never leaves the secure environment.

This design addresses both transmission and storage security simultaneously. The notification email contains no sensitive content, so interception reveals nothing useful. The portal uses encryption for data in transit and at rest. Access controls restrict who can view specific content. Audit logs record who accessed what and when. If an attacker compromises a patient’s email account, all they see is a notification that a message exists. That is all.
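As an added illustration (not code from the original post or from any of the products it names), here is a minimal Python model of the notify-then-authenticate design described above, using a hypothetical portal URL and an in-memory store; it shows that the notification carries none of the privileged text, that wrong credentials and revoked messages are refused, and that every access attempt lands in an audit log. Encryption at rest and in transit, which the text also requires, is left to the deployment and is not modelled here.

```python
import hashlib
import hmac
import secrets
import time


class ClientPortal:
    """Model of the portal pattern: the email carries only an opaque reference;
    the privileged text stays on the firm's own server."""

    def __init__(self, portal_url="https://portal.example-firm.test"):  # hypothetical URL
        self.portal_url = portal_url
        self._users = {}      # username -> (salt, PBKDF2 hash)
        self._messages = {}   # message id -> {"to", "body", "revoked"}
        self.audit_log = []   # (unix time, username, message id, outcome)

    def register_client(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def _authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison

    def post_message(self, recipient, body):
        """Store the privileged text server-side and return the notification
        email text. The body never appears in the returned string."""
        message_id = secrets.token_urlsafe(16)
        self._messages[message_id] = {"to": recipient, "body": body, "revoked": False}
        return ("You have a new message from your attorney.\n"
                f"Log in to view it: {self.portal_url}/m/{message_id}\n")

    def read_message(self, username, password, message_id):
        """Return the body only to the authenticated recipient; every attempt,
        successful or not, is written to the audit log."""
        msg = self._messages.get(message_id)
        if not self._authenticate(username, password):
            outcome = "denied: bad credentials"
        elif msg is None or msg["to"] != username:
            outcome = "denied: not the recipient"
        elif msg["revoked"]:
            outcome = "denied: access revoked"
        else:
            outcome = "ok"
        self.audit_log.append((time.time(), username, message_id, outcome))
        return msg["body"] if outcome == "ok" else None

    def revoke(self, message_id):
        """Revocation works because the firm, not a mail provider, holds the content."""
        self._messages[message_id]["revoked"] = True


def demo():
    """Walk through the scenario from the text with constructed sample data."""
    portal = ClientPortal()
    portal.register_client("client", "correct horse battery staple")  # constructed sample
    notice = portal.post_message("client", "Settlement strategy: open at 60/40 custody split.")
    leaked = "custody" in notice  # a forwarded inbox sees only the notification
    message_id = notice.split("/m/")[1].strip()
    body_for_intruder = portal.read_message("client", "guessed-password", message_id)
    body_for_client = portal.read_message("client", "correct horse battery staple", message_id)
    portal.revoke(message_id)
    body_after_revoke = portal.read_message("client", "correct horse battery staple", message_id)
    outcomes = [entry[3] for entry in portal.audit_log]
    return leaked, body_for_intruder, body_for_client, body_after_revoke, outcomes
```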

The legal profession faces analogous confidentiality obligations under Model Rule 1.6. We lack HIPAA’s specific technical requirements and its penalty structure, but our ethical duties are no less serious. As I documented in “Your AI Tool Doesn’t Keep Secrets,” platform terms of service function as disclosure agreements that most users never read. A patient portal eliminates the third-party platform from the equation entirely.

The Ethics Framework

ABA Formal Opinion 477R established that “a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” The opinion identified factors attorneys must weigh: the sensitivity of the information, the likelihood of disclosure absent additional safeguards, the cost of implementing those safeguards, and the difficulty of doing so.

Client portals satisfy every factor in that analysis. Sensitivity? The portal exists precisely for high-sensitivity matters. Likelihood of disclosure? Standard email routes content through servers controlled by entities with no duty to protect privilege, as I detailed in “The Backdoor to Your Client’s Inbox.” Cost? Practice management platforms with integrated portals start at $39 per user per month. Difficulty? If a dermatology practice in Peoria can deploy a patient portal, a 14-attorney litigation firm in Charlotte can deploy a client portal.

Model Rule 1.6(c) requires “reasonable efforts” to prevent unauthorized access to client information. What constitutes reasonable effort evolves as technology evolves. When ABA Formal Opinion 99-413 approved unencrypted email in 1999, affordable alternatives barely existed. Opinion 477R reversed that presumption in 2017 because the landscape had changed. The availability of affordable, proven portal solutions shifts the analysis again. For matters involving material risk, the question is becoming harder to answer: Is standard email still a reasonable effort when portal-based communication costs less than your monthly bar dues?

Client portals also provide documentation that supports privilege claims under challenge. As I explained in “The Conversation That Saves Privilege,” the engagement-level conversation about communication security creates the foundation for privilege protection. Portal access logs build on that foundation by demonstrating that communications occurred only through authenticated, encrypted channels. If opposing counsel argues privilege waiver based on insecure communication, those logs are your evidence.

Model Rule 1.1, Comment 8, requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Using a portal demonstrates technological competence. Not knowing portals exist demonstrates the opposite.

The Strongest Case Against Mandatory Portals

The most credible objection to portal-based communication comes not from the skeptics who say clients won’t use them, but from the attorneys who correctly observe that the ethical rules require proportionality, not perfection.

This argument has real force. Model Rule 1.6 demands “reasonable efforts,” not maximum security. Comment 18 to Rule 1.6 explicitly states that the reasonableness standard does not require “special security measures if the method of communication affords a reasonable expectation of privacy.” A routine scheduling email about a deposition date does not carry the same risk as a criminal defense strategy memorandum. Requiring portal-based communication for every client interaction would impose friction that reduces access to legal services without a proportional security benefit.

That proportionality argument is valid. It is also the strongest version of a position that becomes indefensible when applied to the matters that actually create exposure.

The Columbus attorney’s compromised family law communications were not routine scheduling emails. They were custody strategies. Settlement numbers. Financial disclosures. The categories of matters where standard email creates unacceptable risk are not edge cases; they are the matters that define most legal practices: criminal defense, contested family law, employment disputes, M&A transactions, and any representation where an adversary has both motive and means to access the other side’s communications.

The question is not whether every email requires portal-level security. The question is whether you have the capability deployed and a policy for when to use it. eDiscovery taught us this lesson already: when a technology measure is feasible, practical, and not cost-prohibitive, courts stop treating it as optional. As I documented in “Two Disruptions, One Profession,” the legal industry can adopt proven technology voluntarily or wait for a judge to mandate it. The voluntary path is always cheaper.

Addressing the Remaining Objections

“Clients won’t use a portal. They want email.” Clients use patient portals for healthcare communications despite the additional friction because providers require it. When you explain the security benefits in concrete terms, most clients understand. Frame it as protection, not inconvenience: “I want to make sure our communications stay privileged. This portal ensures that only you can access my advice.” The initial setup takes five minutes. Subsequent access becomes routine. As I noted in “The Email Disclaimer Delusion,” disclaimers provide the illusion of protection. Portals provide the reality.

“Portals are too expensive.” Practice management platforms with integrated client portals range from approximately $39 to $89 per user per month, depending on the platform and feature tier. Clio’s plans that include client portal access start at its mid-tier pricing. MyCase includes portal functionality beginning at $39 per user per month on its basic plan. PracticePanther starts at $49 per user per month. These costs cover far more than secure messaging; they include matter management, billing, document storage, and calendaring. Even standalone secure messaging solutions cost less than most state bar annual dues. Compare that to the cost of a single privilege waiver, a malpractice claim, or a disciplinary proceeding.

“My clients aren’t tech-savvy.” Patient portals serve elderly patients managing chronic conditions who navigate authentication workflows multiple times per month. The interface requirements are minimal: click a link, enter credentials, read a message. If your client can check email, your client can use a portal.

The Solution Landscape

Practice management platforms represent the most comprehensive option. Clio, MyCase, PracticePanther, and similar systems include client portals integrated with matter management, document storage, and billing. If you already use one of these platforms, check whether your current subscription tier includes portal access. If it does, you may be paying for a security tool you have never activated.

Encrypted email services such as Proton Mail and Tuta provide end-to-end encryption but require both parties to use compatible systems for full protection. When sending to non-users, these services transmit password-protected messages that function similarly to a portal: the recipient receives a notification and authenticates to view the content. The limitation is that the attorney must communicate the password through a separate channel, and the recipient experience lacks the integration of a true portal. I examined the broader encryption gap in Part 2 of this series.

Password-protected document sharing through services like ShareFile (now owned by Progress Software) or secure file-sharing features in cloud storage platforms can approximate portal functionality for document-heavy practices. Generate a secure link, require authentication to access, and maintain audit logs. This approach works for transactional practices but lacks the messaging workflow that litigation and advisory practices need. As I detailed in “17 Subprocessors Deep,” any third-party service you introduce into the communication chain carries its own data-handling practices that require evaluation.

Where This Matters Most

Criminal defense stands at the top of the priority list. Communications about defense strategy, witness information, and plea negotiations carry Sixth Amendment implications that compound the Model Rule 1.6 obligations. Implement portal-based communication from the first client contact. When the client is in custody and communicating through facility systems that corrections officials monitor by default, a portal may be the only channel that provides genuine confidentiality.

Employment law, particularly plaintiff-side, demands immediate adoption. Clients contemplating claims against current employers cannot safely use work email, which the employer likely monitors. Personal email still carries the risks I documented in Parts 1 and 2. A portal provides a channel the employer cannot access. As I covered in “Every Phone in the Room: Part 1,” location and communication data create exposure that extends well beyond the email itself.

Family law is where the Columbus scenario plays out repeatedly. Contested divorces involve adversaries who know the other party’s passwords, have physical access to shared devices, and have direct motive to intercept communications. Portal-based communication eliminates the most common vector for this compromise.

Corporate and M&A transactions involve material nonpublic information where securities law implications compound the confidentiality concerns. For significant transactions, portal-based communication should cover all substantive discussions, extending to client personnel who receive deal communications. The insider trading exposure from a compromised email account during a pending acquisition is not hypothetical; it is the scenario that keeps general counsel awake at 2 AM.

Estate planning creates a different temporal risk. Communications with the testator may become relevant in subsequent litigation between beneficiaries years or decades after the representation ends. Portal-based communication with comprehensive access logs provides contemporaneous documentation that the attorney treated communications with appropriate confidentiality, evidence that becomes critical when the testator is no longer available to testify.

Monday Morning: What to Do This Week

Today: Audit your current practice management tools. If you use Clio, MyCase, PracticePanther, or a comparable platform, check whether your subscription includes client portal functionality. If it does, enable it. You may already be paying for the solution and not using it.

This week: Develop a portal use policy. Categorize your matters by sensitivity: routine communications can continue through standard email; matters involving defense strategy, financial disclosures, contested custody, material nonpublic information, or any adversary with motive and means to intercept require the portal. Document this policy. A documented, consistently applied approach is defensible. An ad hoc approach is not. I covered the importance of documented security protocols in “The Six-Week Silence.”

Before your next client intake: Update your engagement letter. Include language explaining that you may require portal-based communication for sensitive matters. Obtain informed consent to this approach at the outset. As I outlined in “The Conversation That Saves Privilege,” the five-minute briefing at engagement protects you more than any technology investment. The technology fixes the channel. The conversation protects the relationship.

Within 30 days: Create client onboarding materials with clear portal access instructions. Train every staff member who communicates with clients on when and how to use the portal. Start with new matters. Transitioning existing clients to a new system can feel awkward. Begin with new representations and extend to existing sensitive matters as your team develops fluency.

Enable two-factor authentication on the portal itself. I covered why this step is non-negotiable in “Your Password Is the Weakest Link.” A portal protected by a weak password replaces one vulnerability with another.

Borrowing From Those Who Got It Right

Healthcare providers did not adopt patient portals because they are technology enthusiasts. They adopted them because HIPAA and the HITECH Act imposed penalties severe enough to make the cost of noncompliance exceed the cost of compliance. The industry found solutions that work because the alternative was financial ruin.

The legal profession has not faced comparable regulatory pressure. Our ethical rules require “reasonable efforts,” but they do not mandate specific technologies. Disciplinary enforcement has been sporadic. The result is a profession that is decades behind healthcare in protecting the very communications that define its professional obligation.

Richard Feynman, in his 1974 Caltech commencement address, described what he called “cargo cult science”: the practice of following the superficial forms of a discipline while missing its fundamental substance. Email disclaimers. Confidentiality notices. Signature blocks warning that privileged material may be enclosed. These are the cargo cult rituals of legal communication security. They look like protection. They provide none.

The tools to replace ritual with substance exist today. They cost less than a single billable hour per month. They have been tested across an industry that processes more sensitive personal information than law does.

That attorney in Columbus learned the hard way that controlling your side of the email channel means nothing if you cannot control the other side. Eleven months of privileged communications, forwarded to the opposing party, because the sensitive content sat in an inbox instead of a portal.

Your clients trust you with their most sensitive matters. That trust carries obligations that extend beyond legal strategy to how you communicate that strategy. Healthcare figured this out years ago.

The question is not whether client portals are the future of legal communication security. The question is whether you will adopt them before or after someone reads your client’s privileged messages from the other end of the inbox.

[The opening scenario is a composite based on documented patterns of spousal email interception in family law proceedings. Identifying details have been constructed to illustrate risks that appear repeatedly in reported cases and ethics opinions.]

This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.


References

1. ABA Model Rules of Professional Conduct, Rule 1.1, Comment 8 (Technology Competence, 2012 amendments).

2. ABA Model Rules of Professional Conduct, Rule 1.6(c) and Comments 18-19 (Reasonable Efforts to Prevent Unauthorized Disclosure).

3. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 22, 2017).

4. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 99-413, “Protecting the Confidentiality of Unencrypted E-Mail” (1999) (superseded by Opinion 477R).

5. Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq.

6. Health Information Technology for Economic and Clinical Health Act (HITECH), 42 U.S.C. § 17931 et seq. (signed February 2009 as part of the American Recovery and Reinvestment Act).

7. 45 C.F.R. § 164.312 (HIPAA Security Rule Technical Safeguards).

8. HHS Office for Civil Rights, HITECH Act Enforcement Interim Final Rule (establishing four-tier civil monetary penalty structure; maximum $1.5 million per provision per calendar year for willful neglect).

9. Clio, Pricing Plans, clio.com/pricing (client portal available at Essentials tier and above; as of February 2026).

10. MyCase, Pricing Plans, mycase.com/pricing (client portal available at Basic tier, $39/user/month billed annually; as of February 2026).

11. PracticePanther, Pricing Plans, practicepanther.com/pricing (starting at $49/user/month billed annually; as of February 2026).

12. Proton Mail, proton.me (end-to-end encrypted email; password-protected messages to non-users).

13. Tuta (formerly Tutanota), tuta.com (end-to-end encrypted email; rebranded November 2023).

14. ShareFile, sharefile.com (acquired by Progress Software Corporation for $875 million, September 2024; formerly a Citrix/Cloud Software Group business unit).

15. Feynman, Richard P., “Cargo Cult Science,” Caltech Commencement Address (1974); reprinted in Surely You’re Joking, Mr. Feynman! (W.W. Norton, 1985).

16. Morris, JD. “The Email Privacy Illusion: Part 1 of 3: Why Your Free Email Account Is the Biggest Risk to Your Bar License,” Morris Legal Technology Blog.

17. Morris, JD. “The Email Privacy Illusion: Part 2 of 3,” Morris Legal Technology Blog.

18. Morris, JD. “The Email Disclaimer Delusion: Why Your Signature Block Won’t Save Your Privilege,” Morris Legal Technology Blog.

19. Morris, JD. “Your AI Tool Doesn’t Keep Secrets: What Platform Terms of Service Mean for Attorney-Client Privilege,” Morris Legal Technology Blog.

20. Morris, JD. “The Conversation That Saves Privilege: A Client Briefing Framework,” Morris Legal Technology Blog.

21. Morris, JD. “Your Password Is the Weakest Link in Your Security Chain,” Morris Legal Technology Blog.

22. Morris, JD. “The Backdoor to Your Client’s Inbox: Section 702, Salt Typhoon, and the Privilege You’ve Already Lost,” Morris Legal Technology Blog.

23. Morris, JD. “Two Disruptions, One Profession,” Morris Legal Technology Blog.

24. Morris, JD. “The Six-Week Silence: Breach Disclosure,” Morris Legal Technology Blog.

25. Morris, JD. “17 Subprocessors Deep,” Morris Legal Technology Blog.

26. Morris, JD. “Every Phone in the Room: Part 1: Geofence Warrants,” Morris Legal Technology Blog.
