How to Encrypt Files as an Attorney: The Guide to ABA Compliance & Data Security

Introduction

Robert, an estate planning lawyer, stared at his screen in horror. He had just hit “Send” on an email containing a high-net-worth client’s complete asset schedule and draft will. The intended recipient was “Smith, John” (the client). The actual recipient, thanks to Outlook’s auto-complete feature, was “Smith, Jonathan”—a local journalist Robert had contacted months ago.

The email couldn’t be recalled. The attachment was a standard Excel file. The damage to attorney-client privilege—and Robert’s career—was instantaneous.

While Robert made a human error, the data breach occurred because the file itself was “naked.” Had that Excel sheet been encrypted with a password sent via a separate channel, the journalist would have received nothing but a locked, useless file.

This isn’t just Robert’s nightmare; it is a pervasive risk in the legal profession. According to the ABA Legal Technology Survey Report (2024), 75% of legal professionals cite security and data privacy as their top concern. Yet, in that same survey, 48% of firms admitted they lack file encryption tools for their attorneys.

Most lawyers are stuck between two extremes: clunky enterprise portals that clients hate using, or risky, unencrypted email attachments sent for the sake of speed.

There is a better middle ground: file-level encryption. It bridges the gap between the convenience that pushes lawyers toward “Shadow IT” and the “reasonable efforts” protection the ABA expects for sensitive client data.

The Ethical Mandate: Why Encryption is Non-Negotiable

For years, many attorneys viewed encryption as an optional “IT problem.” Today, it is an ethical obligation. The shift centers on the “Reasonable Efforts” standard defined by the American Bar Association.

The “Reasonable Efforts” Standard

ABA Model Rule 1.6 governs the confidentiality of client information, and ABA Formal Opinion 477R applies it to digital practice. The Opinion states that unencrypted email is generally acceptable for routine correspondence (scheduling lunch, for example) but may not be enough for sensitive client data.

The Opinion adopts a “fact-specific approach.” If you are handling highly sensitive information—such as medical records, trade secrets, or financial data—standard email security is not enough. As the Opinion notes: “Particularly strong protective measures, like encryption, are warranted in some circumstances.”

The Cost of Negligence

The financial stakes of ignoring this mandate have never been higher. According to the 2024 IBM / Embroker Cost of Data Breach Report, the average cost of a data breach for law firms has hit $5.08 million—a 10% increase from the previous year.

Beyond the dollar amount, the prevalence of these incidents is alarming. The 2023 ABA TechReport revealed that 27% of law firms have reported a security breach, ranging from lost devices to hacker intrusions.

The Duty of Competence

It is no longer an excuse to say, “I’m not a tech person.” The ABA Legal Technology Resource Center emphasizes that the ethical duty of competence now includes technology competence.

If an attorney cannot perform a basic function like encrypting a sensitive file before transmission, they may be falling short of their professional obligations. As industry expert David G. Ries notes, while many attorneys want to avoid encryption, most will eventually need to use it to avoid ethics violations.

The Three Layers of Encryption

Confusion about terminology often leaves lawyers thinking they are protected when they aren’t. To secure your practice, you must understand the three different “layers” of encryption, because each one protects the data in a different place.

1. Full Disk Encryption (BitLocker/FileVault)

This is the baseline defense. It encrypts everything on the drive, so a thief who steals a powered-off or locked laptop cannot read its contents (by pulling the drive or booting another operating system) without your password, PIN, or the TPM-bound key.

  • The Limitation: It protects the device at rest, not the data once it leaves. While you are logged in, every file is readable to you and to any malware running as you. Once you attach a document to an email and send it, the copy stored on your mail server, on the recipient’s mail server, and in the recipient’s inbox has none of your disk’s protection; transport encryption between mail servers, where it exists, covers only the hop, not the stored message.
  • The Stat: Surprisingly, only 20% of U.S. lawyers utilize full-disk encryption on their devices (ABA TechReport, 2022).

2. Email Encryption (Virtru/Mimecast)

These tools encrypt the message and its attachments between sender and recipient, typically by holding the content on a secure portal the recipient logs into or by encrypting it with keys tied to the recipient’s account. They are effective but often introduce friction.

  • The Limitation: They frequently require the recipient (your client) to create an account or log into a portal to view the message. This friction often leads clients to ask, “Can you just send it normally?” prompting lawyers to bypass security protocols.

3. File-Level Encryption

This is the focus of this guide. File-level encryption locks the specific document (PDF, DOCX, XLSX) itself, independent of the disk it sits on or the channel it travels through.

  • What it does: The protection travels with the file. Whether the file is on a USB drive, in a Google Drive folder, or sitting in a journalist’s inbox, it remains unreadable without the decryption key.
  • Why it wins: It allows you to use any transmission method (email, Slack, or cloud storage) securely, because the document itself is encrypted rather than the channel.
  • The caveat: It protects the contents, not the context. The file name, its size, and the fact that you sent it to a particular person remain visible, so name encrypted files neutrally. And the lock is only as strong as the passphrase behind it: a short or reused password turns AES-256 into a guessing game.

Step-by-Step: How to Encrypt Client Files

You don’t need an IT degree to secure your client’s data. Here are the three most common methods, ranging from “risky” to “recommended.”

Method A: The “Old School” Way (Office Password Protection)

You can password-protect a document directly inside Microsoft Word or Excel (File > Info > Protect Document > Encrypt with Password in Word; Protect Workbook > Encrypt with Password in Excel).

  • How it works: The recipient needs a password to open the file.
  • Why it’s insufficient on its own: Better than nothing, but easy to get wrong. The legacy .doc/.xls (97-2003) formats used 40-bit RC4, which off-the-shelf cracking software breaks in minutes, so any “protected” file in the old format should be treated as unprotected. Modern .docx/.xlsx password protection does use real AES encryption, but it is only as strong as the password the attorney typed, and the neighboring options on the same menu (Restrict Editing, Protect Sheet, Mark as Final) are not encryption at all: they are removable flags that a recipient can strip with free tools. A quick check: a genuinely encrypted .docx can no longer be opened as a ZIP archive, while a merely “restricted” one still can. Without a firm-wide standard for which option is used and how strong the password must be, this offers a false sense of security rather than reliable protection.
  • Read more: Password Protection vs. Encryption: What’s the Difference?

Method B: The “Enterprise” Way (Client Portals)

Tools like Clio or MyCase offer secure client portals where you upload files for clients to download.

  • How it works: You upload the file to the case management system; the client gets a notification, logs in, and downloads it.
  • The Drawback: “Portal Fatigue.” Clients often struggle with logins or ignore notifications. Furthermore, associates in a rush often bypass these steps (engaging in “Shadow IT”) to get a deal done quickly.

Method C: The “Agile” Way (sekura.app)

This method uses AES-256, the symmetric cipher approved for U.S. classified data and used throughout banking, but wraps it in a drag-and-drop interface. The encryption key is derived from the passphrase you choose, so the strength of the result depends on that passphrase as much as on the cipher.

Here is the workflow:

  1. Select Your File: Drag your sensitive document (Discovery, Settlement Agreement, Will) into the sekura.app window. You don’t need to upload it to a cloud; the encryption happens locally on your machine.
  2. Set a Strong Password: Create a unique passphrase for this specific file or batch of files.
  3. Encrypt: Click the button. In seconds, your file is converted into a locked .skr or secure archive file.
  4. Share the File: You can now attach this locked file to a standard email, upload it to Dropbox, or send it via Slack. Even if the email is intercepted, the file is unreadable.
  5. Share the Key: Send the password to the client via a different channel (like SMS, Signal, or a phone call).

This meets the “strong protective measures” suggestion of ABA Opinion 477R without requiring your client to install new software.
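The five steps above in working form, as an added example that is not sekura.app’s code or file format: the passphrase from step 2 is stretched with PBKDF2-HMAC-SHA256 into an AES-256 key, the document is sealed with AES-256-GCM so that a wrong passphrase, a truncated download, or a single altered byte is detected rather than silently decrypted to garbage, and the resulting container can travel over any channel (step 4) while the passphrase goes out of band (step 5). The “FLE1” container layout (magic, salt, nonce, ciphertext) is invented here for illustration; the real .skr format is not documented on this page. The sample document and passphrase are constructed, and the code uses only the Go standard library.

```go
package main

// Added example (not sekura.app's code or format): passphrase-based file
// encryption. The FLE1 layout (magic | salt | nonce | AES-256-GCM body) is invented.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	magic     = "FLE1"
	saltLen   = 16
	nonceLen  = 12
	keyLen    = 32      // AES-256
	kdfIters  = 600_000 // OWASP's current floor for PBKDF2-HMAC-SHA256
	headerLen = len(magic) + saltLen + nonceLen
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out so the example
// needs only the standard library; it stretches a passphrase into a 32-byte key.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < outLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)           // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ { // T_i = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key is always keyLen bytes here
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Seal encrypts plaintext under a key derived from passphrase. A fresh salt defeats
// precomputed password tables; the header is GCM associated data, so it is tamper-proof.
func Seal(plaintext []byte, passphrase string) ([]byte, error) {
	header := make([]byte, headerLen)
	copy(header, magic)
	if _, err := rand.Read(header[len(magic):]); err != nil { // salt, then nonce
		return nil, err
	}
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen)
	body := newGCM(key).Seal(nil, nonce, plaintext, header)
	return append(header, body...), nil
}

// Open reverses Seal. A wrong passphrase, a truncated download or a flipped
// byte all fail the GCM tag check, so no partial plaintext is ever returned.
func Open(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < headerLen || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not an encrypted container")
	}
	header := blob[:headerLen]
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen)
	plaintext, err := newGCM(key).Open(nil, nonce, blob[headerLen:], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted file")
	}
	return plaintext, nil
}

func main() {
	doc := []byte("DRAFT WILL - J. Smith - net assets $4.2M (constructed sample)")
	blob, _ := Seal(doc, "correct horse battery staple")
	fmt.Println("plaintext visible in container:", bytes.Contains(blob, []byte("net assets")))
	pt, err := Open(blob, "correct horse battery staple")
	fmt.Println("client passphrase ok:", bytes.Equal(pt, doc), err)
	_, err = Open(blob, "Correct Horse Battery Staple")
	fmt.Println("wrong passphrase:", err)
}
```

Run it with go run: the three lines it prints show that the container holds no recognizable plaintext, that the right passphrase recovers the document, and that a passphrase differing only in letter case is rejected outright. The 600,000 PBKDF2 iterations make each attempt cost roughly half a second on a laptop, and that is the point: an attacker who intercepts the container pays the same price for every guess, so the passphrase chosen in step 2 should be a long, unique phrase rather than a word with a digit appended.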

3 Scenarios: When You MUST Encrypt

To understand why file-level encryption is critical, let’s look at three real-world scenarios where “standard” security measures fail.

Scenario 1: The “Shadow IT” Settlement

The Context: Michael, a senior associate, found the firm’s secure portal too slow for a large divorce settlement PDF. To meet a 5:00 PM deadline, he uploaded the unencrypted file to his personal Google Drive to share a link with opposing counsel.

The Breach: Michael’s personal Gmail account lacked two-factor authentication and was compromised in a credential stuffing attack. Hackers accessed his Drive, found the settlement, and leaked the details to a local blog.

The Fix: Had Michael used sekura.app to encrypt the PDF before uploading it to Google Drive, the hackers would have stolen a useless blob of encrypted data. The client’s privacy would have remained intact despite the account compromise.

Scenario 2: The Coffee Shop Discovery Drop

The Context: Sarah, a criminal defense attorney, was reviewing witness lists at a coffee shop. She stepped away to grab her order, and her laptop was snatched.

The Breach: Sarah had a login password, but she hadn’t enabled full-disk encryption. The thief pulled the hard drive, mounted it on another machine, and read “Witness List.docx” without ever seeing the login screen. The exposure of witness identities triggered a mandatory breach notification to the state bar.

The Fix: Two layers. Full-disk encryption (FileVault or BitLocker) would have made the pulled drive unreadable in the first place. Individual file encryption adds a second layer on top of it: even if the thief bypasses the OS login, the specific files containing sensitive data remain locked.

Scenario 3: The Auto-Complete Fail

The Context: We return to Robert from our introduction, who emailed the estate plan to the journalist instead of the client.

The Breach: The journalist opened the attachment immediately, viewing the client’s total net worth. This constituted a breach of attorney-client privilege and led to a malpractice lawsuit.

The Fix: If the file had been encrypted, the journalist would have double-clicked the attachment and been prompted for a password. Because Robert would have sent the password to the real client over a separate channel, the journalist could not have opened the file. The breach would have been contained to a misdirected but unreadable attachment.

Best Practices for Key Management

Encryption is only as secure as the password (key) used to lock it. For attorneys, managing these keys is a matter of process.

Out-of-Band Authentication

Never send the locked file and the password in the same email. If a hacker has access to your sent folder, they will have both the lock and the key.

  • The Rule: Email the file. Text or phone the password. This is out-of-band key delivery (often loosely called “out-of-band authentication”): an attacker now has to compromise two separate channels, not one, to read the data. SMS counts as a separate channel, but it is not end-to-end encrypted and is exposed to SIM-swap attacks, so for the most sensitive matters prefer a phone call or a Signal message. And never reply to the same email thread with the password “for convenience”; that collapses the two channels back into one.
  • Read more: How to Send Secure Emails

Firm-Wide Recovery

A common fear among partners is, “What if an associate encrypts a file and then leaves the firm or forgets the password?”

  • The Solution: Use encryption tools that support firm-wide recovery keys. In practice each file is locked with its own random key, and that key is stored twice: once under the attorney’s passphrase and once under the firm’s recovery key, so either can open the file. This ensures the firm retains access to the data, not just the individual attorney. Treat the recovery key as crown-jewel material: keep it offline or in a hardware token, limit who may use it, and record every use. A single “master password” that several people know is a much weaker substitute, because it cannot be rotated or audited per person.

Audit Trails

In the event of a bar investigation or a malpractice claim, you need proof of “reasonable efforts.” A dedicated encryption tool can record when a file was encrypted and by whom; keep that log somewhere the individual attorney cannot quietly edit it. Being able to show a disciplinary board that a file was encrypted with AES-256 before it left the firm is a strong answer to a claim of negligence.

FAQ: Common Attorney Questions

Does the ABA require me to encrypt all client emails? No. ABA Formal Opinion 477R does not mandate encryption for every single communication. It requires a fact-specific analysis. Routine correspondence generally does not require encryption. However, highly sensitive information—such as tax returns, health records, or trade secrets—requires stronger protection, which usually means encryption.

Is password-protecting a Word document enough? Generally, no. The legacy (97-2003) Office formats use weak encryption that is easily cracked, and the “Restrict Editing” and “Protect Sheet” options in any version are not encryption at all. Modern .docx/.xlsx password protection does use AES, but it is only as good as the password chosen for it. For consistent compliance, use a tool that always applies AES-256 with a strong passphrase, and deliver that passphrase out of band.

Can I use Dropbox or Google Drive to share files? You can, but with caution. Standard consumer accounts may not be appropriate for regulated data (a Business Associate Agreement is required, for example, before health information covered by HIPAA is stored with a vendor), and a shared link is only as safe as the account and link settings behind it. If you encrypt the file locally with a tool like sekura.app before you upload it, the contents stay protected even if the account or the link is compromised. The provider can still see the file’s name, size, and who it was shared with, so name the file neutrally and protect the account with two-factor authentication regardless.

What is the difference between Redaction and Encryption? Redaction is the process of visually obscuring text within a document (blacking it out) so it cannot be read. Encryption locks the entire file digitally so it cannot be opened at all without a key. You often need both: redact specific lines for court filings, but encrypt the entire file for secure transmission to clients. One warning on redaction: it must remove the underlying text, not just draw a black box over it. A box drawn in an ordinary PDF editor can be deleted, and the text beneath it copied out, so use a dedicated redaction tool that burns the change in and then search the final file for the redacted term to confirm it is gone.

Conclusion

The legal profession is evolving. The days when data security could be delegated entirely to an IT department are over. Today, the duty of technology competence rests on every attorney’s shoulders.

The good news is that high-level security no longer requires complex infrastructure. You don’t need to be a cybersecurity expert to protect your clients; you just need the right workflow. By adopting file-level encryption, you close the gap between convenience and compliance, protecting your firm from the devastating $5.08 million average cost of a breach.

Don’t let a simple email mistake cost you your license. Start encrypting your sensitive case files with sekura.app today—drag, drop, and secure.
