The Hidden Risk of Emailing Sensitive Documents
Every day, organizations email tax returns, legal contracts, medical records, and controlled documents as attachments. Most don't realize how many copies of those files now exist.
A client emails you a signed NDA. Simple enough. But that PDF now exists on your email server, their email server, your email provider's backup infrastructure, possibly a spam filter's scanning server, and in both of your local email caches. That's at least 6 copies of a privileged document — and neither of you controls most of them.
This isn't a theoretical risk. It's how email works. And for organizations handling sensitive documents — law firms, healthcare providers, defense contractors, financial advisors — it's a compliance problem hiding in every inbox.
How Many Copies Does One Email Create?
Think about the lifecycle of a single email attachment. When you send a file, it passes through the sender's outbox, the sender's email server, one or more relay servers, the recipient's email server, and finally the recipient's inbox. On both sides, backup systems create additional copies. Email archiving tools — often mandated by retention policies — store yet another. Any email scanning or data loss prevention (DLP) tools along the way may cache the file for inspection. And every device that syncs the inbox (laptop, phone, tablet) creates a local copy.
For a single attachment sent to two people, you can easily reach 10 to 15 copies. Where they are encrypted at rest at all, it is with keys the provider holds, not you, so that encryption does nothing against the provider, its backups, or anyone with access to its key store. Most copies are retained for years under backup policies that neither party controls. The sender has no visibility into how many copies exist, where they are, or when they will be deleted. Neither does the recipient.
The Compliance Exposure
This isn't just a security concern — it's a compliance problem across multiple frameworks:
- HIPAA: Protected health information in an attachment is exposed at every server hop. Unless you have a signed business associate agreement with your email provider (and the relays and scanners in between are covered too), each copy of that attachment exists outside the compliance boundary.
- CMMC/DFARS: Controlled Unclassified Information (CUI) sent via standard email may violate handling requirements. DFARS 252.204-7012 requires any cloud service that stores or processes CUI to meet the FedRAMP Moderate baseline or its equivalent, so a commercial email tenant that was never assessed against it is out of bounds for CUI attachments. Most organizations still default to standard commercial email without thinking twice.
- Attorney-Client Privilege: Courts have found that inadequate security measures can waive privilege. Emailing privileged documents through unsecured channels is increasingly scrutinized, and the proliferation of uncontrolled copies makes it harder to argue reasonable precautions were taken.
- SOC 2: Email transfers of sensitive data create audit trail gaps. You can't prove chain of custody for an email attachment — you can prove you sent it, but you can't prove who accessed it, how many copies were made, or whether it was forwarded.
"But We Use Encrypted Email"
This is the most common objection, and it deserves a closer look. TLS in transit is now standard for most email providers, but it only protects each hop between servers, and SMTP's STARTTLS is opportunistic: unless both sides enforce it (MTA-STS or DANE), a hop can silently fall back to plaintext. Either way, it says nothing about the data at rest. Once the message lands on any server, the attachment is decrypted and readable to that server's operator, whatever storage encryption the provider layers underneath with its own keys.
S/MIME and PGP offer true end-to-end encryption and are cryptographically sound: with them, the copies on every server are opaque ciphertext. In practice, almost nobody uses them. The key management is impractical. It requires both parties to set up and exchange certificates or keys before communicating, which breaks down the moment you need to receive a file from a new client or partner.
Microsoft 365 Message Encryption and Gmail Confidential Mode add a layer of protection, but they also add friction for recipients and still keep the data on provider infrastructure. Gmail Confidential Mode in particular is access control rather than encryption: the attachment is held on Google's servers and served through a link. Your "encrypted" attachment still exists on Microsoft's or Google's servers, subject to their retention policies and their compliance posture, not yours.
None of these solutions solve the fundamental problem: the file exists in too many places you don't control.
What Secure Document Transfer Looks Like
The alternative is straightforward: a dedicated upload portal where the client clicks a link, uploads the file over TLS, and it is immediately encrypted at rest on your infrastructure. No email server copies. No relay copies. No backup sprawl across systems you don't own.
The link expires after a set window. Every upload is logged with a full chain of custody: who uploaded what, when, from where. Malware scanning happens before the file is accepted into your system. The file then exists in one place you own: your server, under your control, with your encryption keys, and the only further copies are the backups you deliberately make on infrastructure you also control.
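As an added illustration of the portal mechanics described above (example code written for this page, not Fortis's code or any part of its implementation), the following Go program shows the three properties in miniature: an HMAC-signed upload link that expires, AES-256-GCM encryption at rest under a key the operator holds, and a custody record per accepted upload. The function names, the token format, the CustodyRecord schema and the scan hook are assumptions made for the example; the secret, key and NDA bytes are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// CustodyRecord is the per-upload log entry: who sent what, when, from where (assumed schema).
type CustodyRecord struct {
	UploadID, SHA256, RemoteAddr string
	ReceivedAt                   time.Time
}

// NewUploadLink mints an expiring token "<id>.<unixExpiry>.<hmac>"; uploadID must not contain '.'.
func NewUploadLink(linkSecret []byte, uploadID string, expiresAt time.Time) string {
	payload := uploadID + "." + strconv.FormatInt(expiresAt.Unix(), 10)
	mac := hmac.New(sha256.New, linkSecret)
	mac.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyUploadLink accepts a token only if its MAC matches (constant-time) and its expiry is still ahead of now.
func VerifyUploadLink(linkSecret []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, linkSecret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	exp, perr := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || perr != nil || !hmac.Equal(got, mac.Sum(nil)) || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("bad signature or expired link")
	}
	return parts[0], nil
}

func newGCM(storageKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(storageKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtRest encrypts with AES-256-GCM, binding the upload ID as associated data; output is nonce || ciphertext || tag.
func SealAtRest(storageKey []byte, uploadID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(storageKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(uploadID)), nil
}

// OpenAtRest is the read path; it fails on a wrong key, a wrong upload ID or any modified byte.
func OpenAtRest(storageKey []byte, uploadID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(storageKey)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(uploadID))
}

// AcceptUpload is the request path: verify the link, scan (assumed hook standing in for a real scanner), hash for the log, seal.
func AcceptUpload(linkSecret, storageKey []byte, token, remoteAddr string, body []byte,
	scan func([]byte) bool, now time.Time) ([]byte, CustodyRecord, error) {
	id, err := VerifyUploadLink(linkSecret, token, now)
	if err != nil {
		return nil, CustodyRecord{}, err
	}
	if !scan(body) {
		return nil, CustodyRecord{}, errors.New("rejected by malware scan")
	}
	sealed, err := SealAtRest(storageKey, id, body)
	if err != nil {
		return nil, CustodyRecord{}, err
	}
	sum := sha256.Sum256(body)
	return sealed, CustodyRecord{id, fmt.Sprintf("%x", sum), remoteAddr, now}, nil
}

func main() {
	secret, key := []byte("constructed-link-secret"), make([]byte, 32) // assumption: real values come from a secrets store and a KMS
	token := NewUploadLink(secret, "7f3a9c", time.Now().Add(15*time.Minute))
	fmt.Println(AcceptUpload(secret, key, token, "203.0.113.7", []byte("constructed NDA bytes"), func([]byte) bool { return true }, time.Now()))
}
```

Two design points carry the argument of this section. The MAC is checked with hmac.Equal before the expiry field is trusted, so a recipient cannot extend a link by editing the timestamp in the URL. And the upload ID is bound into the ciphertext as associated data, so a sealed blob that is copied or re-filed under another upload fails to open. Under this model the file yields one sealed copy, plus whatever backups you deliberately make, each readable only with the key you hold.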
This is the problem we built Fortis to solve — a self-hosted, encrypted document transfer portal that replaces email attachments with something auditable and secure.
The Practical Steps
Regardless of what tool you use, here's what organizations should do now:
- Audit your current document intake processes — how do clients and partners send you sensitive files today?
- Identify which document types carry compliance requirements (CUI, PHI, PII, privileged materials)
- Stop accepting sensitive documents via email — provide a secure alternative
- Ensure your transfer method encrypts at rest, logs transfers, and runs on infrastructure you control
- Review your email retention and backup policies — you may be storing sensitive attachments longer than you think
Email wasn't designed for secure document transfer. It was designed for messages. Treating it as a file transfer protocol for sensitive data is a risk that compounds with every attachment. The fix isn't better email — it's a purpose-built alternative.
If your organization still receives sensitive documents by email, let's fix that.
info@sunlakes.ai · South Florida · Michigan