When a prospective client emails you a photo of their police report, texts you details about their divorce, or uploads medical records to a shared Dropbox link, is that communication privileged? Are you taking reasonable steps to protect it? And what happens if opposing counsel argues you weren't?
Attorney-client privilege is the bedrock of legal practice. But the way clients communicate and share documents has changed dramatically, and most firms' intake processes haven't kept up. If your onboarding involves email attachments, consumer-grade cloud storage, or unencrypted file transfers, you may be creating privilege risks without realizing it.
When Does Privilege Attach During Intake?
A common misconception is that attorney-client privilege only applies once a retainer is signed. In fact, privilege can attach the moment a prospective client communicates with you for the purpose of seeking legal advice, even during a free consultation, even before you agree to take the case.
This means every intake form submission, every document upload, every text message about a legal matter, and every email with case details is potentially privileged. The question isn't whether privilege exists; it's whether your firm is taking "reasonable steps" to protect it.
The "Reasonable Steps" Standard
ABA Model Rule 1.6 requires attorneys to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." ABA Formal Opinion 477R (2017) specifically addresses electronic communications:
"A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access."
The key word is "reasonable." What's reasonable in 2026 is different from what was reasonable in 2015. With encryption, secure portals, and compliance-ready platforms widely available and affordable, "we just use email" is increasingly difficult to defend as reasonable.
Common Intake Practices That Create Risk
Here are the most common ways law firms inadvertently compromise privilege during intake:
1. Unencrypted Email Attachments
When a client emails you their tax returns, medical records, or police reports, those documents traverse multiple servers, often without encryption. They sit in email inboxes that may be accessible to non-lawyer staff, IT providers, or, in the case of a breach, bad actors.
Worse, many firms use shared inboxes (info@yourfirm.com) for intake. Those emails are visible to everyone with access, including staff who may not have a need to know.
2. Consumer Cloud Storage (Dropbox, Google Drive)
Sharing a Dropbox link with a client for document uploads might seem convenient. But consumer cloud storage isn't designed for legal compliance. Who else has access to that shared folder? Is the data encrypted at rest? What happens when the link is forwarded? Can you prove chain of custody?
3. Text Messages on Personal Phones
Texting is increasingly how clients communicate, and that's fine. But when case details and documents are exchanged via personal SMS, there's no encryption, no retention policy, no audit trail, and no way to ensure the messages aren't backed up to a cloud service the client shares with a spouse (relevant in family law) or employer.
4. Paper Intake Forms in Waiting Rooms
Yes, paper creates risk too. Intake forms left on clipboards in public waiting areas, faxes sitting in shared machines, or documents stored in unlocked file cabinets all represent potential privilege breaches. The bar doesn't care if the disclosure was digital or physical, only whether you took reasonable steps to prevent it.
What "Reasonable" Looks Like in 2026
Based on current ethics opinions, case law, and bar guidance, reasonable steps for digital intake include:
- Encryption in transit and at rest. TLS 1.3 for data in transit. AES-256 for data at rest. This is table stakes: any platform you use should provide both.
- Access controls. Only authorized personnel should be able to view client documents. Role-based access with audit logging.
- Secure document collection. A dedicated client portal with unique access tokens, not shared links or email attachments.
- Data retention policies. Automated deletion of documents after syncing to your PMS. Configurable retention periods with legal hold capability.
- Multi-tenancy isolation. If you use a cloud platform, your data must be completely isolated from other firms' data at the database level, not just the application level.
- Audit trails. Detailed logs of who accessed what document, when, and from where. Critical for demonstrating compliance during a privilege challenge.
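As an added illustration (not code from CaseHug or any vendor), the Python sketch below models three of the controls listed above: per-matter portal tokens, role-based viewing with an audit entry for every attempt, and retention purging that respects a legal hold. Class, method and role names are hypothetical, and storage is in memory only.

```python
import hashlib
import secrets
import time


class IntakeStore:
    """In-memory sketch; class, method and role names are hypothetical."""
    VIEW_ROLES = {"attorney", "paralegal"}  # assumed role names

    def __init__(self):
        self.tokens = {}  # sha256(token) -> (matter_id, expires_at)
        self.docs = {}    # doc_id -> {"matter", "synced_at", "legal_hold"}
        self.audit = []   # append-only access events

    def issue_upload_token(self, matter_id, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (matter_id, now + ttl)  # store only the hash
        return token

    def upload(self, token, doc_id, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or now >= entry[1]:
            return False  # unknown or expired token
        # The matter comes from the token, never from the uploader's input.
        self.docs[doc_id] = {"matter": entry[0], "synced_at": None,
                             "legal_hold": False}
        return True

    def view(self, user, role, doc_id, source_ip, now=None):
        now = time.time() if now is None else now
        allowed = role in self.VIEW_ROLES and doc_id in self.docs
        # Record denials as well as grants: who, what, when, from where.
        self.audit.append({"who": user, "role": role, "doc": doc_id,
                           "when": now, "from": source_ip, "allowed": allowed})
        return allowed

    def purge_synced(self, retention, now=None):
        now = time.time() if now is None else now
        # Delete only documents already synced to the PMS, past retention,
        # and not under legal hold.
        expired = sorted(d for d, m in self.docs.items()
                         if m["synced_at"] is not None and not m["legal_hold"]
                         and now - m["synced_at"] >= retention)
        for d in expired:
            del self.docs[d]
        return expired
```

Because the store keeps only the SHA-256 of each token, a copy of the token table does not yield usable upload links, and the audit list captures refused attempts as well as successful views.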
State-Specific Considerations
While the ABA Model Rules provide a framework, privilege rules vary by state. Some key variations:
- California: Business & Professions Code §6068(e) imposes a broader duty of confidentiality than the ABA Model Rules. California Ethics Opinion 2010-179 specifically addresses cloud computing.
- New York: NY Ethics Opinion 842 (2010) and 1020 (2014) address cloud storage and virtual law offices. Requires affirmative steps to ensure confidentiality.
- Florida: Bar Opinion 12-3 (2013) permits cloud storage but requires "reasonable care" including encryption and vendor due diligence.
- Texas: Ethics Opinion 648 (2015) allows cloud storage with reasonable precautions, including understanding the provider's security measures.
Regardless of your state, the trend is clear: bars expect attorneys to understand the technology they use to handle client data, and to make informed decisions about security.
The HIPAA Intersection
If your practice handles medical records (personal injury, medical malpractice, workers' compensation, disability, or even some family law cases), you may also have HIPAA obligations. HIPAA requires specific technical safeguards for Protected Health Information (PHI) that go beyond general privilege requirements:
- Business Associate Agreements (BAAs) with any technology vendor handling PHI
- Minimum necessary standard: limit access to the minimum PHI needed
- Breach notification procedures
- Physical, administrative, and technical safeguards
CaseHug provides HIPAA-ready infrastructure with BAAs available on Practice and Firm plans, AES-256 encryption, and role-based access controls designed for healthcare data.
What to Ask Your Intake Platform Provider
If you're evaluating intake software, here are the questions that matter:
- How is data encrypted? You need AES-256 at rest and TLS 1.2+ in transit. Anything less isn't adequate.
- Where is data stored? Know the data center locations, certifications (SOC 2, ISO 27001), and jurisdiction.
- How is multi-tenancy handled? Row-level security (RLS) at the database level is the gold standard. Application-level isolation is not sufficient.
- Will you sign a BAA? If you handle any medical records, this is mandatory.
- What's the data retention policy? You need configurable retention with legal hold capability. Automatic deletion after sync.
- Can you provide audit logs? You need to prove who accessed what, when. Not a nice-to-have: a compliance requirement.
The Bottom Line
Attorney-client privilege doesn't disappear when communications go digital. But protecting it requires intentional choices about how you collect, store, and transmit client information during intake.
The good news is that compliance-ready tools are now affordable and easy to implement. A purpose-built intake platform with encryption, access controls, audit logging, and configurable retention isn't just a technology upgrade; it's a risk management strategy.
Because the worst time to discover your intake process has a privilege problem is when opposing counsel is arguing for disclosure.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult your state bar's ethics hotline or a legal ethics attorney for guidance specific to your practice and jurisdiction.
Jackson Wisecarver
Founder, CaseHug. Former law firm office manager turned legal tech builder.
