PII and Secure Client Communication: Why Your Insurance Depends On It

Professional indemnity insurance is only as strong as your client communication security.

For many firms, PII still feels like a blanket of protection around every piece of advice, every set of accounts, and every transaction.

In reality, that cover is increasingly conditional on how you handle client data day to day, especially when it leaves your systems via email.

Insurers, regulators, and professional bodies are converging on a simple expectation: if information is sensitive enough to protect in your practice, it is sensitive enough to protect in transit.

Firms that still rely on plain email for personal and confidential data are not simply risking a breach - they are risking whether their PII responds when something goes wrong.

Let's explore why PII and secure client communication now go hand in hand, and what “good” looks like in practical terms.

Why PII and Secure Client Communication Now Go Hand In Hand

Professional indemnity insurance is designed to absorb the financial shock of negligence claims and breach of duty - the errors and omissions that can occur even in well-run firms.

What it is not designed to do is underwrite avoidable operational risk, especially when that risk comes from known weaknesses in how sensitive information is shared.

Most PII policies now include clear expectations that firms will:

  • Comply with relevant laws and regulations.
  • Follow professional codes of conduct.
  • Take reasonable precautions to prevent loss.

Communication sits at the intersection of these three.

If your firm routinely sends tax returns, ID documents, transaction details, or legal files over unsecured email, an insurer can legitimately ask: were reasonable precautions in place?

The Regulatory Baseline: Why Plain Email Falls Short

The legal and professional baseline for secure client communication is already high - and moving upwards.

Under the UK GDPR integrity and confidentiality principle, organisations must apply “appropriate technical and organisational measures” to protect personal data in transit and at rest.

Across professions, that principle is reinforced:

None of these frameworks explicitly ban email. But even if a client “consents” to using standard email, that does not remove your obligation to protect their information.

The duty to safeguard data rests with the firm, not with the client’s preferences or convenience.

How Unsecured Communication Jeopardises PII Cover

When a data breach involves client communications, insurers now look closely at how that communication was sent, stored, and controlled.

In claims handling, three questions tend to matter:

  • Did the firm comply with applicable data protection requirements?
  • Did the firm follow its own policies and professional guidance?
  • Did the firm take reasonable steps to reduce foreseeable risk?

If the answer to any of these is “no”, the insurer has options.

They may still pay the claim but increase premiums at renewal.

They may apply policy exclusions for cyber-related incidents if the firm fell below expected security standards.

In more serious cases, they may dispute liability altogether on the basis that key conditions have not been met.

Consider a simple scenario: an advice firm emails unencrypted policy information and ID documents to a client.

The email is misdirected to the wrong recipient or compromised through a hacked mailbox.

The affected client alleges negligence, reports the incident, and seeks redress. The firm turns to its PII - expecting it to respond.

The insurer, in turn, examines whether the firm’s approach to secure client communication was consistent with regulatory expectations and industry best practice.

If it was not, the resulting dispute is no longer just about the breach itself.

It becomes a question of whether the firm upheld its side of the insurance bargain.

What ‘Good’ Looks Like: Practical Steps Firms Can Take

The good news is that aligning PII and secure client communication does not demand a complete technology overhaul.

It demands clarity, consistency, and a small number of well-chosen controls that staff can actually use.

Encrypt Emails That Contain Personal Or Confidential Data

Encryption should now be the default whenever you send personal, financial, or commercially sensitive information.

Tools such as Mailock secure email add end-to-end encryption, recipient authentication, message tracking, and revocation controls to your existing mail platform.

This achieves two important outcomes:

First, it makes interception or misdirection far less damaging because the content is unreadable without the right keys or identity checks.

Second, it demonstrates to regulators and insurers that you have taken active steps to reduce foreseeable communication risk.

Use Client Portals Or Secure Digital Mailboxes For High-Volume Exchange

Where documents are being exchanged regularly, secure portals or digital mailboxes offer a more controlled environment than email.

Clients log in to access their documents, messages, and approvals over an encrypted connection, with clear audit trails.

Firms with a large or complex client base can combine this with secure email, using policy-based rules to route sensitive communications through secure channels automatically.

This also gives the firm a fallback for clients who prefer to use email or find the portal difficult to use.

Replace Attachments With Secure File-Transfer Links

Where a full portal is not in place, secure file-transfer solutions provide a practical middle ground.

Instead of attaching the file to an email, you store it in an encrypted service and send the client a secure link.

If the email is intercepted, the attacker sees a link but cannot access the file without the appropriate login or one-time code.

From a PII perspective, this shows that you have not simply accepted email’s weaknesses as inevitable.

Make Secure Behaviour The Default For Staff, Not An Exception

Most real-world incidents still start with human error: the wrong recipient, the wrong attachment, or a rushed reply.

Technology can significantly reduce this risk, but only if it is built into everyday workflows.

That means:

  • Simple policies on when to use secure email, portals, or file-transfer.
  • Security alerts in tools like Mailock to prompt users when content looks sensitive.
  • Short, focused training that explains “why this matters” in terms of clients, regulators, and PII.

The goal is not to turn every adviser or fee earner into a security expert.

It is to make secure choices feel as easy and natural as insecure ones used to be.
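The policy-based routing described above, together with the "content looks sensitive" prompts in the list of staff controls, can be expressed as an outbound-mail policy check. The following is an added example, not Mailock's or Beyond Encryption's code; the detector patterns, the `classify_message` function and the sample messages are illustrative assumptions.

```python
import re
from dataclasses import dataclass, field

# Illustrative detectors for an outbound-mail policy (assumed, not a product's rules).
# The NI-number pattern is simplified; a real deployment would tune these to the firm.
UK_NI_NUMBER = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b", re.I)
UK_IBAN = re.compile(r"\bGB\d{2}[A-Z]{4}\d{14}\b")
SENSITIVE_TERMS = ("tax return", "passport", "driving licence", "policy schedule", "id document")
SENSITIVE_ATTACHMENT = re.compile(
    r"(passport|identity|tax|accounts|policy).*\.(pdf|jpg|png|docx|xlsx)$", re.I
)


@dataclass
class Decision:
    channel: str                      # "plain", "secure_email" or "portal"
    reasons: list = field(default_factory=list)  # what triggered the decision, for the user prompt


def classify_message(subject, body, attachments, client_has_portal=False):
    """Decide which channel an outbound message must be routed through."""
    reasons = []
    text = f"{subject}\n{body}"
    if UK_NI_NUMBER.search(text):
        reasons.append("national insurance number in body")
    if UK_IBAN.search(text):
        reasons.append("bank account number in body")
    for term in SENSITIVE_TERMS:
        if term in text.lower():
            reasons.append(f"sensitive term: {term}")
    for name in attachments:
        if SENSITIVE_ATTACHMENT.search(name):
            reasons.append(f"sensitive attachment: {name}")
    if not reasons:
        return Decision("plain")
    # Sensitive content goes to the portal where the client is enrolled; otherwise
    # it falls back to secure email so the message is protected rather than blocked.
    return Decision("portal" if client_has_portal else "secure_email", reasons)


if __name__ == "__main__":
    # Constructed sample message; QQ123456C is a well-known dummy NI number.
    decision = classify_message(
        "Your tax return", "Please find attached. NI: QQ123456C", ["tax_return_2024.pdf"]
    )
    print(decision.channel, decision.reasons)
```

Hooking a check like this into the send path lets the firm both prompt the user and enforce routing, and the recorded reasons double as evidence of the control when a broker or insurer asks.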

Apply Multi-Factor Authentication Wherever Sensitive Data Can Be Accessed

Multi-factor authentication (MFA) is now a baseline control for email accounts, portals, CRM platforms, and secure messaging.

Many cyber insurance and PII underwriters already treat MFA as a minimum expectation for firms handling large volumes of customer data.

From a client’s perspective, it is a reassurance that even if a password is compromised, there are further barriers before their information is exposed.

From a firm’s perspective, it reduces both the likelihood and the impact of account compromise - a key driver of data breaches reported to the ICO.

How To Talk To Your Broker About PII and Secure Client Communication

Your broker is an important partner in aligning PII with secure client communication.

They are also a useful sounding board for what underwriters are actually looking for right now.

When you next review your cover, it is worth discussing:

  • How your firm currently sends and receives sensitive client information.
  • Where secure email, portals, or digital mailboxes are already in use - and where gaps remain.
  • What improvements underwriters would value most when assessing your risk profile.

Approaching the conversation this way reframes security investments as part of your overall PII strategy, not a disconnected IT spend.

It also provides evidence, in writing, that you have considered communication risk proactively - something that may prove useful if you ever need to rely on the policy.

The Real-World Costs Of Getting This Wrong

When communication security fails, the financial loss is only part of the story.

Clients understandably view confidentiality as fundamental to any professional relationship.

Survey work in the legal sector shows that a significant proportion of clients would consider changing firm if their data was compromised in a breach.

For many practices, the reputational damage and lost future revenue can dwarf the direct incident costs.

On top of that, a serious breach may trigger:

  • Mandatory notification to the ICO and affected clients.
  • Coverage questions or disputes under your PII policy.
  • Tighter terms, exclusions, or higher premiums at renewal.

The cost of implementing secure communication - whether through encrypted email, client portals, or digital mailboxes - is modest in comparison.

When viewed through the lens of PII, it looks less like a discretionary technology upgrade and more like an essential part of risk management.

"For most firms, email remains the single biggest exposure point for client data. Closing that gap is one of the most tangible ways to protect both customers and your PII position."

Paul Holland, CEO, Beyond Encryption

FAQs

Does Client Consent Make It Acceptable to Use Plain Email?

No. Client consent does not remove your legal and professional duty to protect personal data. You still need to apply appropriate security measures.

Is Encryption Mandatory Under UK GDPR?

Encryption is not named as mandatory, but regulators expect it where appropriate. Sending sensitive personal data over plain email is increasingly hard to defend.

Do PII Policies Explicitly Require Secure Email?

Many policies now include cyber-related conditions or reasonable-precaution clauses. Underwriters often expect secure communication as part of meeting those conditions.

Will Secure Client Communication Reduce My Premiums?

Insurers are more likely to view your firm favourably if you can evidence strong controls. At minimum, it can help avoid additional restrictions and pricing pressure after an incident.

Is MFA Still Necessary If I Encrypt Documents and Messages?

Yes. MFA protects the accounts and portals that hold encrypted content. It reduces the chance that attackers gain access through stolen or guessed credentials.


References

GDPR: Communicating Safely With Clients, ICAEW, 2024

Handling Client Data Responsibly, FCA, 2024

Code Of Ethics And Conduct, ACCA, 2024

Confidentiality Of Client Information, SRA, 2019

Cyber Insurance For Law Firms, Law Society, 2024

Data Breaches: Does Your PII Policy Respond?, Lockton, 2023

Breaches And Bots: Law Firms Face A Trust Crisis, Integris, 2024

Law Firm Fined Following Cyber Attack, ICO, 2025

Reviewed by

Sam Kendall, 20.11.25

24 11 25

Posted by: Huw Thomas - Data, Compliance & Operations Manager

Dr. Huw Thomas, Beyond Encryption's Data, Compliance and Operations Manager, plays a crucial role in shaping our information security decisions and procedures across both our products and daily operations.