Skip to main content
Three colleagues looking at a laptop together in an office, beside a message icon representing secure client communication
8 min

PII and Secure Client Communication: Why Your Insurance Depends On It

Posted by Picture of Huw Thomas Huw Thomas

Professional indemnity insurance is only as strong as your client communication security.

For many firms, professional indemnity insurance still feels like a blanket of protection around every piece of advice, every set of accounts, and every transaction.

In reality, that cover is increasingly conditional on how you handle client data day to day, especially when it leaves your systems via email.

Insurers, regulators, and professional bodies are converging on a simple expectation: if information is sensitive enough to protect in your practice, it is sensitive enough to protect in transit.

Firms that still rely on plain email for personal and confidential data risk more than a breach. They risk whether their PII responds when something goes wrong.

This article explains why PII and secure client communication now go hand in hand, and what good practice looks like in practical terms.

Why PII and Secure Client Communication Now Go Hand In Hand

Professional indemnity insurance is designed to absorb the financial shock of negligence claims and breach of duty - the errors and omissions that can occur even in well-run firms.

It is not designed to underwrite avoidable operational risk, especially when that risk comes from known weaknesses in how sensitive information is shared.

Most PII policies now include clear expectations that firms will:

  • Comply with relevant laws and regulations.
  • Follow professional codes of conduct.
  • Take reasonable precautions to prevent loss.

Communication sits at the intersection of these three.

If your firm routinely sends tax returns, ID documents, transaction details, or legal files over unsecured email, an insurer can legitimately ask whether reasonable precautions were in place.

The Regulatory Baseline: Why Plain Email Falls Short

The legal and professional baseline for secure client communication is already high - and moving upwards.

Under the UK GDPR integrity and confidentiality principle, organisations must apply “appropriate technical and organisational measures” to protect personal data in transit and at rest.

Across professions, that principle is reinforced:

None of these frameworks explicitly ban email. But even if a client “consents” to using standard email, that does not remove your obligation to protect their information.

The duty to safeguard data rests with the firm, not with the client’s preferences or convenience.

How Unsecured Communication Jeopardises PII Cover

When a data breach involves client communications, insurers now look closely at how that communication was sent, stored, and controlled.

In claims handling, three questions tend to matter:

  • Did the firm comply with applicable data protection requirements?
  • Did the firm follow its own policies and professional guidance?
  • Did the firm take reasonable steps to reduce foreseeable risk?

If the answer to any of these is no, the insurer has options.

They may still pay the claim but increase premiums at renewal.

They may apply policy exclusions for cyber-related incidents if the firm fell below expected security standards.

In more serious cases, they may dispute liability altogether on the basis that key conditions have not been met.

Consider a simple scenario: An advice firm emails unencrypted policy information and ID documents to a client.

The email is misdirected to the wrong recipient or compromised through a hacked mailbox.

The affected client alleges negligence, reports the incident, and seeks redress. The firm turns to its PII - expecting it to respond.

The insurer, in turn, examines whether the firm’s approach to secure client communication was consistent with regulatory expectations and what underwriters expect when a breach involves client data.

If it was not, the resulting dispute is no longer just about the breach itself.

It becomes a question of whether the firm upheld its side of the insurance bargain.

"When a breach involves client email, insurers do not only ask what went wrong. They ask whether the firm had reasonable controls in place before the message left the practice."

Paul Holland, Founder and CEO, Beyond Encryption (Mailock)

That is why many firms are now tightening how sensitive information leaves the practice, not only how it is stored inside it.

What ‘Good’ Looks Like: Practical Steps Firms Can Take

The good news is that aligning PII and secure client communication does not demand a complete technology overhaul.

It demands clarity, consistency, and a small number of well-chosen controls that staff can actually use.

Encrypt Emails That Contain Personal Or Confidential Data

Encryption should now be the default whenever you send personal, financial, or commercially sensitive information.

Tools such as Mailock secure email add end-to-end encryption, recipient authentication, message tracking, and revocation controls to your existing mail platform.

This achieves two important outcomes:

First, it makes interception or misdirection far less damaging because the content is unreadable without the right keys or identity checks.

Second, it demonstrates to regulators and insurers that you have taken active steps to reduce foreseeable communication risk.

Use Client Portals Or Secure Digital Mailboxes For High-Volume Exchange

Where documents are being exchanged regularly, secure portals or digital mailboxes offer a more controlled environment than email.

Clients log in to access their documents, messages, and approvals over an encrypted connection, with clear audit trails.

Firms with a large or complex client base can combine this with secure email, using policy-based rules to route sensitive communications through secure channels automatically.

This also means they will have a fallback for clients who prefer to use email or find your portal difficult to interact with.

Replace Attachments With Secure File-Transfer Links

Where a full portal is not in place, secure file-transfer solutions provide a practical middle ground.

Instead of attaching the file to an email, you store it in an encrypted service and send the client a secure link.

If the email is intercepted, the attacker sees a link but cannot access the file without the appropriate login or one-time code.

From a PII perspective, using secure file transfer helps demonstrate that you have treated email’s weaknesses as a risk to manage, not a default to accept.

Make Secure Behaviour The Default For Staff, Not An Exception

Most real-world incidents still start with human error: the wrong recipient, the wrong attachment, or a rushed reply.

Technology can significantly reduce this risk, but only if it is built into everyday workflows.

That means:

  • Simple policies on when to use secure email, portals, or file-transfer.
  • Security alerts in tools like Mailock to prompt users when content looks sensitive.
  • Short, focused training that explains the client, regulatory, and PII consequences of insecure sending.

The goal is not to turn every adviser or fee earner into a security expert.

Securing Client Communications In Financial Services?

Learn how Mailock supports regulated financial firms that need to protect client information while keeping email practical for everyday use.

Explore Mailock for financial services

It is to make secure choices feel as easy and natural as insecure ones used to be.

Apply Multi-Factor Authentication Wherever Sensitive Data Can Be Accessed

Multi-factor authentication (MFA) is now a baseline control for email accounts, portals, CRM platforms, and secure messaging.

Many cyber insurance and PII underwriters already treat MFA as a minimum expectation for firms handling large volumes of customer data.

From a client’s perspective, it is a reassurance that even if a password is compromised, there are further barriers before their information is exposed.

From a firm’s perspective, it reduces both the likelihood and the impact of account compromise - a key driver of data breaches reported to the ICO.

How To Talk To Your Broker About PII and Secure Client Communication

Your broker is an important partner in aligning PII with secure client communication.

They are also a useful sounding board for what underwriters are actually looking for right now.

When you next review your cover, it is worth discussing:

  • How your firm currently sends and receives sensitive client information.
  • Where secure email, portals, or digital mailboxes are already in use - and where gaps remain.
  • What improvements underwriters would value most when assessing your risk profile, including cyber insurance expectations for law firms where relevant.

Approaching the conversation this way reframes security investments as part of your overall PII strategy, not a disconnected IT spend.

It also provides evidence, in writing, that you have considered communication risk proactively - something that may prove useful if you ever need to rely on the policy.

The Real-World Costs Of Getting This Wrong

When communication security fails, the financial loss is only part of the story.

Clients understandably view confidentiality as fundamental to any professional relationship.

What The Research Shows

An Integris survey of law firm clients found that a significant proportion would consider changing firm if their data was compromised in a breach.

For many practices, the reputational damage and lost future revenue can dwarf the direct incident costs.

On top of that, a serious breach may trigger:

  • Mandatory notification to the ICO and affected clients.
  • Coverage questions or disputes under your PII policy.
  • Tighter terms, exclusions, or higher premiums at renewal.

Regulators have also taken enforcement action where firms failed to protect client data adequately - including a recent ICO fine following a cyber attack on a law firm.

The cost of implementing secure communication - whether through encrypted email, client portals, or digital mailboxes - is modest in comparison.

When viewed through the lens of PII, secure communication is an essential part of risk management, not a discretionary technology upgrade.

"Personal data must be handled in a way that makes sure it is appropriately secure, including when it is being sent or shared."

UK GDPR, Integrity and Confidentiality Principle

 

FAQs

Does Client Consent Make It Acceptable to Use Plain Email?

No. Client consent does not remove your legal and professional duty to protect personal data. You still need to apply appropriate security measures.

Is Encryption Mandatory Under UK GDPR?

Encryption is not named as mandatory, but regulators expect it where appropriate. Sending sensitive personal data over plain email is increasingly hard to defend.

Do PII policies Explicitly Require Secure Email?

Many policies now include cyber-related conditions or reasonable-precaution clauses. Underwriters often expect secure communication as part of meeting those conditions.

Will Secure Client Communication Reduce My Premiums?

Insurers are more likely to view your firm favourably if you can evidence strong controls. At minimum, it can help avoid additional restrictions and pricing pressure after an incident.

Is MFA still Necessary if I Encrypt Documents and Messages?

Yes. MFA protects the accounts and portals that hold encrypted content. It reduces the chance that attackers gain access through stolen or guessed credentials.

 

References

GDPR: Communicating Safely With Clients, ICAEW, 2024

Handling Client Data Responsibly, FCA, 2024

Code Of Ethics And Conduct, ACCA, 2024

Confidentiality Of Client Information, SRA, 2019

Cyber Insurance For Law Firms, Law Society, 2024

Data Breaches: Does Your PII Policy Respond?, Lockton, 2023

Breaches And Bots: Law Firms Face A Trust Crisis, Integris, 2024

Law Firm Fined Following Cyber Attack, ICO, 2025

Reviewed by

Sam Kendall, 02.06.26

This content is for general information only and is not legal advice.

 

Originally posted on 24 11 25
Last updated on July 10, 2026

Posted by:  Huw Thomas

Huw Thomas, Beyond Encryption's Data, Compliance and Operations Manager, plays a crucial role in shaping our information security decisions and procedures across both our products and daily operations.

Return to listing