If you're a lawyer, accountant, doctor, financial advisor, or anyone who handles other people's confidential information, you've probably sent sensitive documents by email. Maybe with a password-protected ZIP file. Maybe just... attached.

Let's talk about why most common methods are worse than you think, and what actually works.

The methods, ranked from worst to best

1. Plain email attachments

Email was designed in the 1980s. It was never built for security. Here's what happens when you attach a file to an email:

• The file sits in your outbox, in plain text, on your email provider's servers
• It travels through multiple mail servers, potentially unencrypted between hops
• It lands in the recipient's inbox, again in plain text, on their provider's servers
• Both email providers (yours and theirs) can read it
• It sits in both inboxes indefinitely — if either account is compromised years later, the file is exposed
• The recipient might forward it, and now it's on more servers

For a lunch order? Fine. For a client's tax return or medical records? This is a data breach waiting to happen.

2. Password-protected ZIP files

The classic "I'll send the password in a separate email" approach. Problems:

• Most people send the password by email too — so now both the file and the password are on the same compromised channel
• Standard ZIP encryption (ZipCrypto) is trivially breakable. You need AES-256 ZIP encryption specifically, and most people don't check.
• The file is still sitting unencrypted in sent/received folders after extraction
• Recipients hate it. "What's the password?" is the most common reply.

3. Cloud storage links (Google Drive, Dropbox, OneDrive)

Better than email in some ways — you can revoke access, set expiry dates, and the file isn't duplicated across email servers. But:

• The storage provider has full access to your files
• Google explicitly scans Drive files (for safety features, but still)
• A breach of the provider exposes your files in readable form
• Shared links are sometimes indexed by search engines if permissions aren't set correctly
• The recipient needs an account (for restricted sharing) or anyone with the link can access it

If you're sharing a presentation with a coworker, this is fine. For privileged legal documents? You're trusting Google with your client's data.

4. End-to-end encrypted file transfer

Services that encrypt files in your browser before upload, and include the decryption key only in the share link, solve most of the problems above:

• The server only handles encrypted blobs — a breach exposes nothing readable
• No one between sender and recipient can read the file
• Links can expire and have download limits
• No accounts needed — low friction for recipients
• The share link is the only thing you need to protect

Practical tips for sending confidential files

Regardless of which tool you choose, these habits make a big difference:

1. Use a different channel for the link. Send the file link by email, but text the recipient to let them know it's coming. If someone compromises one channel, they still need the other.
2. Set the shortest reasonable expiry. A contract doesn't need to be downloadable for 30 days. Set it to expire in 24-48 hours.
3. Use download limits. If you're sending to one person, set max downloads to 2 or 3. If the file gets downloaded more than that, something's wrong.
4. Tell the recipient to expect it. This prevents phishing attacks where someone sends a fake "you have a file" email.
5. Don't put sensitive details in the filename. "John_Smith_Tax_Return_2024.pdf" tells an attacker a lot even if they can't open the file. Use something generic.

What about HIPAA, GDPR, and other regulations?

Quick and practical:

• HIPAA (US healthcare) requires that protected health information is encrypted in transit and at rest. End-to-end encryption exceeds both requirements.
• GDPR (EU data protection) requires "appropriate technical measures." Encryption is explicitly mentioned as one. E2E encryption is the strongest measure available for file transfers.
• SOC 2 and similar frameworks recommend encryption for data in transit and at rest. Again, E2E exceeds this.

Note: using an encrypted tool doesn't automatically make you compliant. But it removes one of the biggest risk areas — files being readable by third parties in transit and at rest.